
Summary
This rule detects the creation or modification of a local trusted root certificate on Windows hosts. Adding or altering a root certificate can indicate an adversary abusing Windows' certificate trust mechanisms, for example to intercept and decrypt SSL/TLS traffic or to make malicious files appear legitimately signed. The rule monitors registry changes under the paths that back the trusted root certificate stores and triggers when a value in one of those paths is created or altered. Because some benign applications also write to these stores, false positives are possible; the rule therefore includes investigation steps to separate malicious from benign activity, guiding analysts through detailed examination procedures and incident response strategies. The detection is written in EQL (Event Query Language) over registry modification events and gains broad endpoint coverage through integrations such as Windows Sysmon, M365 Defender, and Elastic Endgame, since effective monitoring of certificate modifications addresses a range of Windows security risks.
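As an added example (not the rule's own query or code), a Python sketch of the core match over Sysmon registry events: the registry paths are the standard Windows trusted-root store locations, assumed here to be the "specified registry paths" the rule covers, and the field names, sample events and allowlist are constructed.

```python
import re

# A trusted root store is backed by registry keys; adding a certificate writes
# its DER bytes to a "Blob" value under the certificate's SHA-1 thumbprint.
# Standard Windows store locations (assumed to be the paths the rule monitors).
ROOT_STORE_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\"
    r"(?P<store>Microsoft\\SystemCertificates\\(?:Root|AuthRoot)"
    r"|Policies\\Microsoft\\SystemCertificates\\Root"
    r"|Microsoft\\EnterpriseCertificates\\Root)"
    r"\\Certificates\\(?P<thumbprint>[0-9A-F]{40})\\Blob$",
    re.IGNORECASE,
)

# Constructed allowlist of signed installers known to manage root certs in a
# hypothetical environment; tuned per site to reduce false positives.
KNOWN_BENIGN_IMAGES = {r"c:\program files\contoso\contosoupdater.exe"}

def match_root_store_write(event):
    """Alert fields for a Sysmon EID 13 (value set) on a root store, else None."""
    if event.get("EventID") != 13:  # only value writes carry the certificate Blob
        return None
    m = ROOT_STORE_RE.match(event.get("TargetObject", ""))
    if m is None:
        return None
    image = event.get("Image", "").lower()
    return {
        "thumbprint": m["thumbprint"].upper(),
        "store": m["store"],
        "hive": m["hive"],
        "image": image,
        "known_benign": image in KNOWN_BENIGN_IMAGES,  # triage hint, not a suppression
    }

def detect(events):
    """Run the match over a list of Sysmon registry events; return alerts in order."""
    return [a for a in map(match_root_store_write, events) if a]

# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    {"EventID": 13, "Image": r"C:\Program Files\Contoso\ContosoUpdater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\89ABCDEF0123456789ABCDEF0123456789ABCDEF\Blob"},
    {"EventID": 12, "Image": r"C:\Windows\System32\svchost.exe",  # key create, no Blob
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # intermediate CA store
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\89ABCDEF0123456789ABCDEF0123456789ABCDEF\Blob"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The `known_benign` flag is only a triage aid: a root certificate written by an allowlisted image should still be verified against its thumbprint and the vendor's published roots.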
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- File
- Network Traffic
- Application Log
- Malware Repository
ATT&CK Techniques
- T1553
- T1553.004
Created: 2021-02-01