Windows Steal Authentication Certificates CryptoAPI

Splunk Security Content

Summary
This detection rule identifies unauthorized extraction of authentication certificates by monitoring the Windows Event Log for Event ID 70, which the CryptoAPI (CAPI2) generates whenever the private key of a certificate is accessed. Such access can indicate misuse or an extraction attempt and is often associated with threat actors using tools such as Mimikatz or Cobalt Strike. Detecting this activity is crucial, as a confirmed malicious action could lead to user impersonation, privilege escalation, and access to sensitive data. The search query filters the event log for this specific event code and aggregates the matches by computer and user data, allowing efficient identification of and response to potential threats.
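The aggregation described above, reproduced as an added example that is not part of the Splunk rule itself: the function filters constructed Windows event XML records to the CAPI2 channel and Event ID 70, then groups them by computer and user with a count and first/last seen timestamps. The host names, SIDs and timestamps in the sample records are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CAPI2_CHANNEL = "Microsoft-Windows-CAPI2/Operational"
PRIVATE_KEY_ACQUIRE = 70  # CAPI2 event logged when a certificate private key is accessed


def parse_event(xml_text):
    """Pull the <System> fields this detection keys on out of one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    security = system.find("e:Security", NS)
    return {
        "channel": system.findtext("e:Channel", default="", namespaces=NS),
        "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        # Kept as the raw ISO 8601 UTC string; same-format strings order correctly.
        "time": system.find("e:TimeCreated", NS).get("SystemTime", ""),
        "computer": system.findtext("e:Computer", default="", namespaces=NS),
        "user": security.get("UserID", "") if security is not None else "",
    }


def detect_private_key_access(events):
    """Keep only CAPI2 Event ID 70 and aggregate by (computer, user), as the search does."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in map(parse_event, events):
        if e["channel"] != CAPI2_CHANNEL or e["event_id"] != PRIVATE_KEY_ACQUIRE:
            continue  # other channels and other CAPI2 events are not in scope
        h = hits[(e["computer"], e["user"])]
        h["count"] += 1
        h["first"] = e["time"] if h["first"] is None else min(h["first"], e["time"])
        h["last"] = e["time"] if h["last"] is None else max(h["last"], e["time"])
    return dict(hits)


def _event(event_id, computer, user_sid, when, channel=CAPI2_CHANNEL):
    # Constructed record in the Windows event XML schema; values are placeholders.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-CAPI2"/><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Channel>{channel}</Channel>'
        f'<Computer>{computer}</Computer><Security UserID="{user_sid}"/></System>'
        "<UserData/></Event>"
    )


SAMPLE_EVENTS = [  # constructed sample log: two hits on ws01, one non-70 event, one hit on srv02
    _event(70, "ws01.corp.example", "S-1-5-21-0-0-0-1001", "2024-11-13T10:00:01.000Z"),
    _event(70, "ws01.corp.example", "S-1-5-21-0-0-0-1001", "2024-11-13T10:00:05.000Z"),
    _event(11, "ws01.corp.example", "S-1-5-21-0-0-0-1001", "2024-11-13T10:00:07.000Z"),
    _event(70, "srv02.corp.example", "S-1-5-18", "2024-11-13T10:01:00.000Z"),
]
```

The CAPI2 Operational channel is disabled by default on Windows, so these events only exist once that log has been enabled on the endpoint.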
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
  • Application Log
ATT&CK Techniques
  • T1649
Created: 2024-11-13