
Summary
This detection rule identifies the execution of Certipy, a tool used for enumeration and exploitation of Active Directory Certificate Services. The rule relies primarily on PE metadata and on command line arguments characteristic of Certipy's functionality. It targets suspicious process creations on Windows, looking for executables that match 'Certipy.exe' or whose command line arguments show Certipy-style usage, such as requests for account details, authentication, or certificate services manipulations. The rule is expected to generate alerts when Certipy attempts to interact with Active Directory, which is indicative of potential credential theft or unauthorized access attempts. As a high-severity detection, this rule aids in identifying potential misuse of this tool in an attacker's toolkit.
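The following is an added illustration of the detection logic the summary describes, written for this page and not taken from the rule or from the Certipy project. It evaluates constructed process-creation events against three assumed selections: the image name, the PE OriginalFileName (which survives a renamed binary), and a command line that combines a Certipy-style subcommand token with a certificate-service option. The token lists, the process events, the paths and the IP address are all constructed placeholders for illustration; the real rule's selection values must be taken from the rule itself.

```python
"""Toy detector modelled on the Certipy execution rule described above.

Added example; the keyword lists below are assumptions, not the rule's
actual selection values.
"""
from dataclasses import dataclass

# Assumed image / PE metadata selections.
IMAGE_SUFFIX = "\\certipy.exe"
ORIGINAL_FILE_NAME = "certipy.exe"

# Assumed subcommand tokens, modelled on the summary's "account details,
# authentication, certificate services" description. Tokens are padded with
# spaces so that "auth" does not match "author" or "find" match "findstr".
SUBCOMMAND_TOKENS = (" account ", " auth ", " req ", " find ", " template ")

# Assumed option tokens: a subcommand alone (e.g. "find") is too common in
# benign command lines, so the command-line branch also requires one of these.
OPTION_TOKENS = (" -ca ", " -template ", " -dc-ip ", " -pfx ", " -upn ")


@dataclass
class ProcessCreation:
    """Minimal process-creation event (Sysmon EID 1 / Security 4688 style)."""
    image: str
    original_file_name: str
    command_line: str


def matches_certipy(event: ProcessCreation) -> list:
    """Return the list of selections that fired for this event (empty = no alert)."""
    reasons = []

    if event.image.lower().endswith(IMAGE_SUFFIX):
        reasons.append("image")

    # PE metadata check: catches the tool even when the file on disk was renamed.
    if event.original_file_name.lower() == ORIGINAL_FILE_NAME:
        reasons.append("original_file_name")

    padded = f" {event.command_line.lower()} "
    has_subcommand = any(tok in padded for tok in SUBCOMMAND_TOKENS)
    has_option = any(tok in padded for tok in OPTION_TOKENS)
    if has_subcommand and has_option:
        reasons.append("command_line")

    return reasons


def scan(events) -> list:
    """Run the detector over a batch of events; return (event, reasons) for hits."""
    hits = []
    for event in events:
        reasons = matches_certipy(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 1. Tool run under its own name: image and PE metadata both fire.
    ProcessCreation(
        image="C:\\Tools\\Certipy.exe",
        original_file_name="Certipy.exe",
        command_line="Certipy.exe find -u user@lab.local",
    ),
    # 2. Renamed binary: only the PE metadata and the command line give it away.
    ProcessCreation(
        image="C:\\Users\\x\\AppData\\Local\\Temp\\svc.exe",
        original_file_name="Certipy.exe",
        command_line="svc.exe auth -pfx user.pfx -dc-ip 10.0.0.5",
    ),
    # 3. Benign command line containing "find" on its own: must not alert.
    ProcessCreation(
        image="C:\\Windows\\System32\\cmd.exe",
        original_file_name="Cmd.Exe",
        command_line='cmd.exe /c find "error" C:\\logs\\app.log',
    ),
]


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {event.image}: {', '.join(reasons)}")
```

The design point worth keeping from this toy is the layering: the image name is the cheapest check but the easiest to evade by renaming, the OriginalFileName from PE metadata survives a rename, and the command-line branch deliberately requires two independent tokens so that everyday uses of words like "find" do not page the SOC.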
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-04-17