Root Certificate Installed - PowerShell

Sigma Rules

Summary
This detection rule targets the installation of root certificates through PowerShell on Windows systems, a tactic adversaries use to suppress the security warnings a client would otherwise raise when connecting to a malicious web server. The rule requires PowerShell Script Block Logging to be enabled. It flags script blocks that either move an item into, or import a certificate into, the local machine's root certificate store. Such actions indicate possible malicious activity in which an attacker establishes trust for their own domain by adding a root certificate, evading the alerts that would otherwise fire when compromised resources are accessed. Implementing this rule carefully helps detect unauthorized modifications to certificate stores, which is crucial for system integrity and user security. One caveat: legitimate root CA installations by IT or Help Desk staff can produce false positives, so the context of each alert must be validated before it is treated as actionable.
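The two conditions described above, expressed as detection logic over Script Block Logging events, as an added example that is not the Sigma project's own rule text or code. It assumes the events are PowerShell Event ID 4104 records whose text has been extracted into a ScriptBlockText field (the field names and the sample events are constructed for the example), and it takes the local machine root store to be the PowerShell provider path Cert:\LocalMachine\Root. It goes slightly beyond a literal substring match by lower-casing the text and normalizing path separators, since PowerShell provider paths accept forward slashes as well as backslashes.

```python
"""Root certificate installation via PowerShell: detection over 4104 events.

Added illustration of the rule summary, not the Sigma project's own code.
Assumed input shape: dicts with TimeCreated, Computer, UserId and
ScriptBlockText fields (constructed for this example).
"""
from typing import Dict, List, Optional

# Local machine root store as a PowerShell provider path (assumed form).
ROOT_STORE = r"cert:\localmachine\root"

# (label reported to the analyst, lower-cased cmdlet name that must appear)
INSTALL_CMDLETS = (
    ("Move-Item", "move-item"),
    ("Import-Certificate", "import-certificate"),
)


def normalize(text: str) -> str:
    """Lower-case and fold '/' to '\\' so case or separator choice cannot dodge the match."""
    return text.lower().replace("/", "\\")


def match_root_cert_install(script_block: str) -> Optional[str]:
    """Return the matching cmdlet label when the block both names an install
    cmdlet and references the machine root store; otherwise return None.

    Mirrors the summary: Move-Item into, or Import-Certificate into, the
    LocalMachine\\Root store, with both substrings present in one block.
    """
    text = normalize(script_block)
    if ROOT_STORE not in text:
        return None
    for label, needle in INSTALL_CMDLETS:
        if needle in text:
            return label
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detection over 4104-style events and emit one alert per hit,
    carrying the fields an analyst needs to check whether the change was
    an authorized IT/Help Desk action or not."""
    alerts = []
    for ev in events:
        hit = match_root_cert_install(ev.get("ScriptBlockText", ""))
        if hit:
            alerts.append({
                "rule": "Root Certificate Installed - PowerShell",
                "technique": "T1553.004",
                "time": ev.get("TimeCreated", ""),
                "host": ev.get("Computer", ""),
                "user": ev.get("UserId", ""),
                "cmdlet": hit,
                "script_block": ev.get("ScriptBlockText", ""),
            })
    return alerts


# Constructed sample events: two that should alert, two that should not.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-01T10:00:00Z", "Computer": "WS01", "UserId": "CORP\\jdoe",
     "ScriptBlockText": r"Import-Certificate -FilePath C:\Users\Public\ca.cer "
                        r"-CertStoreLocation Cert:\LocalMachine\Root"},
    {"TimeCreated": "2024-01-01T10:05:00Z", "Computer": "WS02", "UserId": "CORP\\asmith",
     "ScriptBlockText": r"Get-Item Cert:\CurrentUser\My\0000PLACEHOLDERTHUMBPRINT0000 "
                        r"| Move-Item -Destination Cert:/LocalMachine/Root"},
    # Benign: import into the user's personal store, not the machine root store.
    {"TimeCreated": "2024-01-01T10:10:00Z", "Computer": "WS03", "UserId": "CORP\\bchen",
     "ScriptBlockText": r"Import-Certificate -FilePath .\client.cer "
                        r"-CertStoreLocation Cert:\CurrentUser\My"},
    # Benign: read-only enumeration of the root store, no install cmdlet.
    {"TimeCreated": "2024-01-01T10:15:00Z", "Computer": "WS04", "UserId": "CORP\\audit",
     "ScriptBlockText": r"Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['host']} {alert['user']} {alert['cmdlet']}")
```

Running the block prints the two alerting events (the import into the machine root store and the Move-Item into it via a forward-slash path); the CurrentUser import and the read-only enumeration are not reported, which is why the rule needs both the install cmdlet and the root-store path in the same block.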
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Certificate
ATT&CK Techniques
  • T1553.004
Created: 2020-10-10