
Summary
This analytic rule detects the use of certutil.exe to add a certificate to the Root certificate store with the -addstore root command, particularly when the certificate file is sourced from a temporary location such as %TEMP%. Such behavior is unusual in legitimate administrative tasks and may indicate malicious activity in which an attacker installs a root certificate to intercept secure communications, impersonate trusted entities, or evade established security measures. The combination of the -f (force) and -Enterprise flags, together with loading .tmp files from writable user paths, aligns with tactics observed in credential theft and adversary-in-the-middle (AiTM) attacks. It also highlights the importance of monitoring new certificates in the root store, since unauthorized additions can lead to significant security breaches, including silent interception of encrypted traffic, impersonation of trusted sites, and persistent access to systems even after earlier malware has been eradicated. Detection of these patterns should therefore trigger immediate investigation, particularly when accompanied by unauthorized privilege escalation or changes to existing certificates.
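The matching logic the summary describes, as an added Python example written for this page (not the rule's own query), run over constructed process-creation events; the event field names image and cmd and the temp-path patterns are assumptions.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed sample process-creation events (hypothetical; not from any real host).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r'certutil.exe -f -Enterprise -addstore root C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r'certutil -addstore -f "Root" "%TEMP%\cert.tmp"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r'certutil -addstore root C:\ProgramData\corp\pki\corp-root.cer'},   # non-temp source: not flagged
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r'certutil -hashfile C:\Users\alice\AppData\Local\Temp\x.tmp SHA256'},  # no -addstore: not flagged
]

# Writable temp locations (assumed list); extend to match your environment.
TEMP_PATH = re.compile(
    r"(%temp%|%tmp%|\\appdata\\local\\temp\\|\\windows\\temp\\|^c:\\temp\\)", re.IGNORECASE)

def analyze_event(event):
    """Return a finding when certutil installs a certificate into the Root store
    from a temp location, otherwise None."""
    if PureWindowsPath(event["image"]).name.lower() != "certutil.exe":
        return None
    # Non-POSIX mode keeps backslashes intact; surrounding quotes are stripped per token.
    tokens = [t.strip('"') for t in shlex.split(event["cmd"], posix=False)]
    lowered = [t.lower() for t in tokens]
    # certutil accepts either '-' or '/' as the option prefix.
    flags = {t.lstrip("-/") for t in lowered if t.startswith(("-", "/"))}
    if "addstore" not in flags:
        return None
    start = next(i for i, t in enumerate(lowered) if t.lstrip("-/") == "addstore")
    # Syntax: certutil [options] -addstore [-f] CertificateStoreName InFile
    positional = [t for t in tokens[start + 1:] if not t.startswith(("-", "/"))]
    if len(positional) < 2 or positional[0].lower() != "root":
        return None
    infile = positional[1]
    if not TEMP_PATH.search(infile):
        return None
    return {"store": positional[0], "file": infile,
            "force": "f" in flags, "enterprise": "enterprise" in flags,
            "tmp_extension": infile.lower().endswith(".tmp")}

def scan(events):
    """Apply analyze_event to every event and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]
```

The force, enterprise and tmp_extension fields let a triage playbook rank findings: all three true is the strongest match for the pattern in the summary.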
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1587.003
Created: 2025-08-06