Windows Steal Authentication Certificates Export Certificate

Splunk Security Content

Summary
This analytic rule detects unauthorized exports of authentication certificates via the PowerShell cmdlet 'export-certificate', which may signify potential credential theft or preparation for man-in-the-middle attacks. By monitoring process execution logs generated by EDR agents, this rule identifies instances where the 'export-certificate' cmdlet is executed, capturing relevant information such as the executing user, destination system, process ID, and parent process. This is critical because exporting certificates can enable attackers to impersonate users, decrypt sensitive data, or gain unauthorized access. The search query utilized for this detection efficiently filters through system logs to isolate these activities, enabling rapid incident response and investigation.
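As an added example, not part of the Splunk Security Content rule or its SPL, the following Python applies the same check to constructed process-creation records and pulls out the fields the summary names. The field names (`process`, `process_name`, `process_id`, `parent_process_name`, `user`, `dest`) are assumed to follow the Splunk Endpoint data model; the sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Match the cmdlet as a whole token; PowerShell cmdlet names are case-insensitive,
# and the boundaries keep Export-PfxCertificate (a different cmdlet) from matching.
EXPORT_CERT_RE = re.compile(r"(?<![\w-])export-certificate(?![\w-])", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    user: str
    dest: str
    process_id: int
    parent_process: str
    process_name: str
    command_line: str

def find_certificate_exports(events):
    """Return one Finding per process-creation event whose command line invokes
    Export-Certificate. Events are dicts with (assumed) Endpoint data model field names."""
    findings = []
    for ev in events:
        cmd = ev.get("process", "")
        if not EXPORT_CERT_RE.search(cmd):
            continue
        findings.append(Finding(
            user=ev.get("user", ""),
            dest=ev.get("dest", ""),
            process_id=int(ev.get("process_id", 0)),
            parent_process=ev.get("parent_process_name", ""),
            process_name=ev.get("process_name", ""),
            command_line=cmd,
        ))
    return findings

# Constructed sample events: two exports (one piped, one lower-case), one unrelated
# certificate listing, and an Export-PfxCertificate call that this rule does not cover.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_id": 4120, "process_name": "powershell.exe",
     "parent_process_name": "cmd.exe",
     "process": 'powershell.exe -NoProfile -Command "Get-ChildItem Cert:\\CurrentUser\\My | '
                'Export-Certificate -FilePath C:\\Users\\alice\\AppData\\Local\\Temp\\u.cer"'},
    {"dest": "ws01", "user": "CORP\\alice", "process_id": 4130, "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe",
     "process": 'powershell.exe -Command "Get-ChildItem Cert:\\LocalMachine\\My"'},
    {"dest": "srv02", "user": "CORP\\svc-backup", "process_id": 988, "process_name": "pwsh.exe",
     "parent_process_name": "svchost.exe",
     "process": 'pwsh.exe -c "Export-PfxCertificate -Cert $c -FilePath C:\\backup\\web.pfx -Password $p"'},
    {"dest": "ws07", "user": "CORP\\bob", "process_id": 7712, "process_name": "powershell.exe",
     "parent_process_name": "WINWORD.EXE",
     "process": "powershell.exe -c export-certificate -Cert (gci Cert:\\CurrentUser\\My)[0] -FilePath C:\\Users\\Public\\x.cer"},
]
```

Running `find_certificate_exports(SAMPLE_EVENTS)` returns the two Export-Certificate invocations (process IDs 4120 and 7712) with their user, host and parent process, which is the triage context an analyst would pivot on.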
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Active Directory
  • User Account
ATT&CK Techniques
  • T1649
Created: 2024-11-13