New Root or CA or AuthRoot Certificate to Store

Sigma Rules

Summary
This detection rule identifies the addition of new root, certificate authority (CA), or AuthRoot certificates to the Windows registry. It targets the registry paths under which such certificates are stored, focusing on the creation of new entries beneath the various system certificate stores. The detection logic monitors registry writes to these paths, looking for entries whose path contains one of the specified certificate-store locations and ends with '\Blob', the value that holds the binary certificate data. The rule is rated medium severity because an unauthorized or malicious certificate added to a trusted store undermines every trust decision built on that store, which can lead to trust exploitation and a range of impacts on system security, including man-in-the-middle attacks. The rule is part of an ongoing effort to ensure that only legitimate certificates are present in a system's certificate store, particularly in corporate environments where certificate misuse can have severe consequences.
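The following is an added example, not code from the catalogued Sigma rule or its authors: it applies the detection logic described above (registry value set, path contains a certificate-store location, path ends with '\Blob') to constructed Sysmon registry events, and extracts the certificate thumbprint from each hit for triage. The certificate-store paths are the standard Windows SystemCertificates locations; the exact path list used by the published rule is an assumption here, reconstructed from the summary, and the sample events, thumbprints and SIDs are constructed.

```python
"""Added example (not the Sigma rule's own code): apply the rule's registry
matching logic to constructed Sysmon registry events."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry locations under which Windows stores root, AuthRoot and CA
# certificates. The leading backslash lets one pattern match both the HKLM
# and HKU hives. The exact list the published rule uses is an assumption
# reconstructed from the summary; the paths themselves are standard Windows ones.
CERT_STORE_PATHS = (
    "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\",
    "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\",
    "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\",
    "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\",
    "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\",
)

SYSMON_REGISTRY_VALUE_SET = 13  # Sysmon Event ID 13: RegistryEvent (Value Set)

# The key directly above '\Blob' is named after the certificate's SHA-1
# thumbprint (40 hex characters), which is what an analyst compares against
# the approved-roots list.
_THUMBPRINT_RE = re.compile(r"\\Certificates\\([0-9A-Fa-f]{40})\\Blob$")


@dataclass
class RegistryEvent:
    event_id: int
    image: str          # process that performed the registry write
    target_object: str  # full registry path of the value written


def is_new_cert_blob(ev: RegistryEvent) -> bool:
    """Rule logic from the summary: a registry value-set event whose
    TargetObject contains one of the certificate-store paths and ends with
    '\\Blob' (the value holding the binary certificate)."""
    if ev.event_id != SYSMON_REGISTRY_VALUE_SET:
        return False
    path = ev.target_object.upper()  # registry paths are case-insensitive
    return path.endswith("\\BLOB") and any(p.upper() in path for p in CERT_STORE_PATHS)


def thumbprint_of(target_object: str) -> Optional[str]:
    """Extract the SHA-1 thumbprint from a matching TargetObject, or None."""
    m = _THUMBPRINT_RE.search(target_object)
    return m.group(1).upper() if m else None


def scan(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    """Return the events that the rule would alert on."""
    return [ev for ev in events if is_new_cert_blob(ev)]


# Constructed sample events: thumbprints, SIDs and image paths are made up.
SAMPLE_EVENTS = [
    # Machine-wide Root store written by an installer: alert.
    RegistryEvent(13, r"C:\Users\alice\Downloads\setup.exe",
                  r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
                  r"\0123456789ABCDEF0123456789ABCDEF01234567\Blob"),
    # Per-user AuthRoot store: the hive-agnostic pattern still matches.
    RegistryEvent(13, r"C:\Windows\System32\certutil.exe",
                  r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft"
                  r"\SystemCertificates\AuthRoot\Certificates"
                  r"\FEDCBA9876543210FEDCBA9876543210FEDCBA98\Blob"),
    # The Disallowed store is not a trust store the rule watches: no alert.
    RegistryEvent(13, r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates"
                  + "\\" + "A" * 40 + "\\Blob"),
    # Key creation (Event ID 12) with no Blob value written yet: no alert.
    RegistryEvent(12, r"C:\Windows\System32\certutil.exe",
                  r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
                  r"\0123456789ABCDEF0123456789ABCDEF01234567"),
    # Unrelated registry write: no alert.
    RegistryEvent(13, r"C:\Windows\explorer.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} wrote trusted certificate {thumbprint_of(ev.target_object)}")
```

Running the block reports the first two events only. In a real deployment the thumbprint returned by `thumbprint_of` is the natural pivot: compare it against the roots the organisation actually distributes, and treat writes from unexpected images (a user-downloaded installer rather than group-policy or Windows Update components) as the ones needing investigation.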
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1553.004
Created: 2022-04-04