
HackTool - Certify Execution

Summary
This rule detects execution of Certify, the GhostPack tool for enumerating and abusing Active Directory Certificate Services (AD CS), from process creation events. It fires on either of two conditions: the process image matches Certify (the file name Certify.exe, or PE metadata such as the original file name, which survives renaming the binary on disk), or the command line carries a combination of arguments typical of Certify's certificate enumeration and request operations. Because the two branches are combined with OR, a renamed copy is still caught by its PE metadata or by its arguments, while the command-line branch requires several indicators together rather than a single generic keyword, which keeps noise from unrelated tooling down. The activity covered maps to credential access and discovery; a hit should be treated as a high-priority alert and followed up by retrieving the binary and the full command line of the flagged process. Note that a rebuilt Certify with altered PE metadata and non-standard argument names would evade both branches, so the rule is a strong signal for commodity use rather than a complete control.
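The following is an added example, not the Sigma rule itself or code from the rule's authors. It re-implements the two-branch logic described above over a handful of constructed Sysmon-style process creation events, so the behaviour on a renamed binary and on a benign certutil invocation can be seen concretely. The set of Certify sub-commands and switches used for the command-line branch is an assumption based on Certify's public usage (find, request, cas; /vulnerable, /ca:, /template:, /altname:) and is not the rule's actual selection list.

```python
"""Illustrative two-branch detection for Certify execution (added example)."""
import re
from typing import List, Optional, Tuple

IMAGE_NAME = "certify.exe"

# Assumed Certify verbs and switches (not copied from the rule).
CERTIFY_VERBS = ("find", "request", "cas", "download")
CERTIFY_SWITCHES = ("/vulnerable", "/ca:", "/template:", "/altname:",
                    "/enrolleesuppliessubject", "/domain:")

# Constructed sample events; field names follow Sysmon Event ID 1.
EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\Certify.exe",
     "OriginalFileName": "Certify.exe",
     "CommandLine": "Certify.exe find /vulnerable"},
    # Renamed on disk, but the PE metadata still says Certify.
    {"Image": r"C:\Temp\svc.exe",
     "OriginalFileName": "Certify.exe",
     "CommandLine": "svc.exe cas"},
    # Renamed and metadata stripped; only the arguments give it away.
    {"Image": r"C:\Temp\update.exe",
     "OriginalFileName": "update.exe",
     "CommandLine": "update.exe request /ca:dc01.corp.local\\corp-DC01-CA "
                    "/template:User /altname:administrator"},
    # Benign built-in certificate tooling; must not fire.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -dump"},
]


def image_branch(event: dict) -> bool:
    """Image/PE-metadata branch: on-disk file name or embedded original name."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\" + IMAGE_NAME) or original == IMAGE_NAME


def commandline_branch(event: dict) -> bool:
    """Command-line branch: a Certify verb AND at least one typical switch.

    Requiring both keeps generic words like 'find' from firing on their own.
    """
    cmd = event.get("CommandLine", "").lower()
    tokens = re.split(r"\s+", cmd.strip())
    has_verb = any(tok in CERTIFY_VERBS for tok in tokens)
    has_switch = any(sw in cmd for sw in CERTIFY_SWITCHES)
    return has_verb and has_switch


def classify(event: dict) -> Optional[str]:
    """Return which branch fired ('image' or 'commandline'), or None."""
    if image_branch(event):
        return "image"
    if commandline_branch(event):
        return "commandline"
    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run the detection over a batch and return (index, branch) for hits."""
    hits = []
    for i, ev in enumerate(events):
        branch = classify(ev)
        if branch is not None:
            hits.append((i, branch))
    return hits


if __name__ == "__main__":
    for idx, branch in scan(EVENTS):
        print(f"event {idx}: Certify detected via {branch} branch -> "
              f"{EVENTS[idx]['CommandLine']}")
```

In a real deployment the OriginalFileName check is the cheap win against operators who only rename the file, and the command-line branch is what catches a build with scrubbed version info; tuning the switch list is where false positives from legitimate AD CS administration tooling are controlled.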
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-04-17