
Summary
This detection rule identifies the installation of root certificates from suspicious locations on Windows systems. Adversaries often employ this technique to circumvent the security warnings that would otherwise alert users to connections with potentially malicious web servers. The rule targets PowerShell command lines that invoke the `Import-Certificate` cmdlet with a certificate file located in system directories commonly used for temporary file storage or user downloads, a pattern that may indicate malicious activity. By monitoring for these command lines, security teams can detect attempts to abuse certificate authority trust and take proactive measures against possible compromise.
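As an added illustration of the detection logic the summary describes (not the rule's own query), the following Python matcher flags PowerShell `Import-Certificate` invocations whose certificate file comes from a temp- or download-style directory and whose target is a Root store. The directory list, the Root-store requirement and the sample process-creation events are assumptions constructed here.

```python
import re

# Assumed directories that the rule treats as temporary/download locations.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\desktop\\",
    "\\downloads\\",
    "\\perflogs\\",
    "$env:temp\\",
)
# Assumption: only installs into a Root store are in scope for this rule.
ROOT_STORE = re.compile(r"cert:\\(localmachine|currentuser)\\root\b")
FILE_PATH = re.compile(r"""-filepath\s+['"]?([^'"\s]+)""")


def is_suspicious_root_cert_install(command_line: str) -> bool:
    """True when the command line matches the pattern the rule describes."""
    cl = command_line.lower()
    if "import-certificate" not in cl or not ROOT_STORE.search(cl):
        return False
    m = FILE_PATH.search(cl)
    # If -FilePath is absent (e.g. pipeline input), inspect the whole line.
    target = m.group(1) if m else cl
    return any(d in target for d in SUSPICIOUS_DIRS)


def scan(events):
    """Return the command lines of PowerShell process-creation events that match."""
    return [e["CommandLine"] for e in events
            if e["Image"].lower().endswith(("powershell.exe", "pwsh.exe"))
            and is_suspicious_root_cert_install(e["CommandLine"])]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Import-Certificate -FilePath C:\Users\bob\AppData\Local\Temp\ca.cer -CertStoreLocation Cert:\LocalMachine\Root"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Import-Certificate -FilePath C:\ProgramData\Corp\ca.cer -CertStoreLocation Cert:\LocalMachine\Root"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh -c "Import-Certificate -FilePath C:\Users\bob\Downloads\dev.cer -CertStoreLocation Cert:\CurrentUser\My"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh -c "Get-Item C:\Users\Public\r.cer | Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The second and third samples show the two common benign cases the matcher leaves alone: a certificate from a managed path, and a temp-directory certificate that goes into a non-Root store.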
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Process
Created: 2022-09-09