
Summary
This analytic detects the use of certutil.exe with arguments that manipulate or extract certificates on a host. Powered by data from Endpoint Detection and Response (EDR) agents, it analyzes process names and their command-line arguments to flag suspicious activity. This detection matters because of the risk involved: an attacker who retrieves certificates can create forged authentication tokens, especially in federated environments such as Windows ADFS, which could lead to unauthorized access and privilege escalation on the network. The rule analyzes Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2 to identify these threats proactively.
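The matching logic described above, as an added illustration that is not the analytic's own search: it runs over constructed events shaped like the three sources named (Sysmon EventID 1, Security 4688, CrowdStrike ProcessRollup2) and flags certutil.exe invocations whose switches touch certificate stores. The normalised field names (`process_name`, `process`) and the list of switches treated as certificate operations are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names are assumed to be
# normalised to process_name / process, as an EDR-to-SIEM data model might do.
SAMPLE_EVENTS: List[Dict] = [
    {"source": "sysmon", "EventID": 1, "process_name": "certutil.exe",
     "process": 'certutil.exe -exportPFX -p "" my 1234ABCD C:\\Users\\Public\\export.pfx'},
    {"source": "security", "EventID": 4688, "process_name": "certutil.exe",
     "process": "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"source": "crowdstrike", "event_simpleName": "ProcessRollup2",
     "process_name": "CERTUTIL.EXE", "process": "CERTUTIL.EXE /store /user My"},
    {"source": "sysmon", "EventID": 1, "process_name": "powershell.exe",
     "process": "powershell.exe -exportPFX"},
]

# Assumed set of certutil switches that read, export or modify certificate stores.
# certutil accepts both "-" and "/" as switch prefixes, so both are normalised below.
CERT_SWITCHES = {"-exportpfx", "-store", "-addstore", "-delstore", "-importpfx"}


def is_certutil_cert_operation(event: Dict) -> bool:
    """True when the process is certutil.exe and a certificate-store switch is present."""
    name = event.get("process_name", "").lower()
    cmdline = event.get("process", "").lower()
    if not name.endswith("certutil.exe"):
        return False  # same switch on another binary is out of scope for this rule
    for token in re.split(r"\s+", cmdline):
        if token.startswith(("-", "/")) and "-" + token.lstrip("-/") in CERT_SWITCHES:
            return True
    return False


def find_alerts(events: List[Dict]) -> List[Dict]:
    """Return the subset of events that the rule would raise as alerts."""
    return [e for e in events if is_certutil_cert_operation(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"[{hit['source']}] {hit['process']}")
```

The `-urlcache` download and the non-certutil process are deliberately left unmatched: they belong to other detections, and keeping the switch list narrow keeps this rule's false-positive rate down.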
Categories
- Endpoint
- Windows
Data Sources
- Pod
- User Account
- Process
- Application Log
Created: 2024-12-10