
Summary
This detection rule identifies the installation of root certificates via the Certutil command-line tool, which adversaries can use to establish trust for malicious servers. Once a root certificate is installed, an attacker can intercept or modify SSL/TLS communications without triggering certificate warnings on the endpoint. The rule uses Splunk to search endpoint process data, specifically monitoring for the '-addstore' option in Certutil command lines, which indicates an attempt to install a certificate into a store (the trusted Root store in the case this rule targets).
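The matching logic described above, rewritten as an added Python example (this is not the rule's own Splunk SPL) that runs over constructed process-creation events; the field names host, user, process_name and process are assumptions modelled on typical endpoint telemetry, and the severity tiering by store name goes slightly beyond the summary:

```python
import re
from typing import Dict, List

# '-addstore' or '/addstore' as a standalone switch, matched case-insensitively.
ADDSTORE_RE = re.compile(r"(?<!\S)[-/]addstore\b", re.IGNORECASE)
# Store name: first token after -addstore that is not itself a switch, since
# certutil accepts forms such as '-addstore -f Root file.cer' or '-addstore -user Root ...'.
STORE_RE = re.compile(r'[-/]addstore\b(?:\s+[-/]\w+)*\s+"?([^\s"]+)"?', re.IGNORECASE)
# Stores holding trusted root CAs; a certificate added here lets a hostile TLS
# chain validate silently (ATT&CK T1553.004). Assumption: these two names suffice.
TRUSTED_ROOT_STORES = {"root", "authroot"}

# Constructed sample telemetry, not real logs. Field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "process_name": "certutil.exe",
     "process": 'certutil.exe -addstore -f "Root" C:\\Users\\alice\\AppData\\Local\\Temp\\ca.cer'},
    {"host": "ws02", "user": "bob", "process_name": "certutil.exe",
     "process": "certutil -hashfile C:\\tools\\setup.exe SHA256"},
    {"host": "srv01", "user": "svc_deploy", "process_name": "CertUtil.exe",
     "process": "CertUtil.exe /addstore My C:\\certs\\client.cer"},
    {"host": "ws03", "user": "carol", "process_name": "powershell.exe",
     "process": "powershell.exe -c Get-ChildItem Cert:\\LocalMachine\\Root"},
]


def detect_certutil_addstore(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per certutil invocation that uses -addstore."""
    alerts = []
    for ev in events:
        if ev.get("process_name", "").lower() != "certutil.exe":
            continue
        cmd = ev.get("process", "")
        if not ADDSTORE_RE.search(cmd):
            continue  # other certutil use (hashing, decoding, etc.) is out of scope
        m = STORE_RE.search(cmd)
        store = m.group(1) if m else ""
        alerts.append({
            "host": ev.get("host", ""), "user": ev.get("user", ""), "store": store,
            "severity": "high" if store.lower() in TRUSTED_ROOT_STORES else "medium",
            "technique": "T1553.004", "command": cmd,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_certutil_addstore(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["host"]} {a["user"]} store={a["store"]!r}')
```

Matching on process_name alone misses renamed copies of the binary, so a production rule would also key on the image's original file name where the telemetry provides it.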
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1553.004
Created: 2025-08-02