
Private Keys Reconnaissance Via CommandLine Tools

Sigma Rules

Summary
This detection rule identifies attempts by adversaries to search for private key and certificate files on Windows systems. It focuses on command-line tools such as cmd.exe and PowerShell, together with the findstr utility, which can be used to locate such files stored insecurely on a compromised machine. The detection condition looks for command-line invocation patterns that query for file types commonly associated with private keys and certificates, such as .key, .pem and .pfx. By analyzing process creation logs, the rule isolates commands that indicate reconnaissance related to credential access. Detecting this stage matters because it is the point at which an adversary gathers material that could enable further access or lateral movement within the network.
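The detection condition described above, as an added example that is not the Sigma rule itself (the rule's exact patterns are not shown on this page): a small Python matcher run over constructed process-creation events. The file extensions and tool names come from the summary; the Sysmon-style `Image`/`CommandLine` field names, the requirement that a search verb (dir, findstr, Get-ChildItem) accompany the extension, and the sample events are assumptions made for the example.

```python
"""Approximation of the summary's detection logic (added example, not the page's
Sigma rule).  Field names follow Sysmon / Sigma process_creation conventions
(Image, CommandLine); the real rule's patterns may differ from the lists below."""
import re
from typing import Iterable

# Extensions named in the summary as private-key / certificate artefacts.
KEY_EXTENSIONS = (".key", ".pem", ".pfx")

# Command-line tools named in the summary (matched on the image path suffix).
TOOL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\findstr.exe")

# Assumption: a bare mention of ".pem" on a command line is not reconnaissance;
# a directory-listing or grep-like verb combined with the extension is.
SEARCH_VERBS = re.compile(r"\b(dir|findstr|get-childitem|gci|ls)\b", re.IGNORECASE)


def matched_extensions(event: dict) -> list[str]:
    """Return the key/certificate extensions present in the command line (case-insensitive)."""
    lowered = event.get("CommandLine", "").lower()
    return [ext for ext in KEY_EXTENSIONS if ext in lowered]


def is_key_recon(event: dict) -> bool:
    """True when a listed CLI tool searches for a listed private-key extension."""
    image = event.get("Image", "").lower()
    if not image.endswith(TOOL_IMAGES):
        return False
    if not SEARCH_VERBS.search(event.get("CommandLine", "")):
        return False
    return bool(matched_extensions(event))


def scan(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of process-creation events down to the matching ones."""
    return [e for e in events if is_key_recon(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # cmd.exe piping a recursive listing into findstr for key extensions -> match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c dir C:\Users /s /b | findstr /i ".pfx .pem .key"',
    },
    {   # PowerShell recursive search for *.pem -> match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -Command Get-ChildItem -Path C:\ -Recurse -Include *.pem",
    },
    {   # plain directory listing, no key extension -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Temp",
    },
    {   # a .pem opened in an editor is not a CLI search -> no match
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\certs\server.pem",
    },
    {   # PowerShell running a script, no search verb or extension -> no match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File build.ps1",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']}: {hit['CommandLine']}  extensions={matched_extensions(hit)}")
```

The matcher returns the extensions it saw so an alert can carry them as context. Expect legitimate certificate administration (for example, an operator inventorying .pfx files on a web server) to trigger it; tune on user, host role or parent process rather than loosening the extension list.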
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1552.004
Created: 2021-07-20