
Summary
The "Windows Private Keys Discovery" analytic rule identifies potentially malicious processes that attempt to locate private key files on Windows systems. Using data from Endpoint Detection and Response (EDR) agents, the rule targets command-line executions associated with retrieving private key certificates, which may indicate malicious activity such as credential harvesting or privilege escalation. The detection draws on Sysmon Event ID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2 events to determine whether processes are searching for file types associated with private keys (e.g., .p12, .pem, .key). This behavior represents a significant risk, because adversaries often exploit insecurely stored credentials to gain unauthorized access. Confirmed activity requires thorough investigation, as it may point to broader exploitation attempts within the environment.
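To illustrate the logic the summary describes, the following is an added example (not the rule's own search logic) that runs a private-key-extension check over constructed process-creation records. The pipe-separated record format, the field order, the sample command lines and user names are all assumptions made for this example; the event IDs (1, 4688) and the extensions (.p12, .pem, .key) are the ones named above. The suffix match is deliberately anchored so that names such as "config.keystore" do not trigger.

```python
"""Added example: flag process-creation events whose command line references
private key files (.p12, .pem, .key). Not the rule's own search logic; the
record format and all sample data below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# File extensions named in the rule summary as indicators of private key material.
PRIVATE_KEY_EXTENSIONS = ("p12", "pem", "key")

# Matches ".p12", ".pem" or ".key" only as a complete suffix, so "*.pem",
# "server.key" and "C:\certs\id.p12" match while "config.keystore" does not.
KEY_SUFFIX = re.compile(r"\.(" + "|".join(PRIVATE_KEY_EXTENSIONS) + r")\b", re.IGNORECASE)

# Process-creation event IDs named in the rule: Sysmon 1 and Security 4688.
PROCESS_CREATION_IDS = {1, 4688}


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    image: str
    command_line: str
    parent_image: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one record of the constructed format EventID|Image|CommandLine|ParentImage|User."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 pipe-separated fields, got {len(fields)}: {line!r}")
    event_id, image, command_line, parent_image, user = fields
    return ProcessEvent(int(event_id), image, command_line, parent_image, user)


def private_key_extensions(command_line: str) -> List[str]:
    """Return the distinct private key extensions referenced in a command line, lower-cased."""
    seen: List[str] = []
    for match in KEY_SUFFIX.finditer(command_line):
        ext = match.group(1).lower()
        if ext not in seen:
            seen.append(ext)
    return seen


def detect(lines: Iterable[str]) -> List[dict]:
    """Return one alert per process-creation record that references a private key extension."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.event_id not in PROCESS_CREATION_IDS:
            continue  # not a process-creation record; the rule is scoped to those
        exts = private_key_extensions(event.command_line)
        if exts:
            alerts.append({
                "user": event.user,
                "image": event.image,
                "parent": event.parent_image,
                "extensions": exts,
                "command_line": event.command_line,
            })
    return alerts


# Constructed sample records (EventID|Image|CommandLine|ParentImage|User).
SAMPLE_LOG = [
    # Sysmon 1: recursive directory listing for .pem files -> alert
    r"1|C:\Windows\System32\cmd.exe|cmd.exe /c dir /s /b C:\Users\*.pem|C:\Windows\explorer.exe|CORP\jdoe",
    # Security 4688: PowerShell enumerating two key file types -> alert
    r"4688|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem -Recurse -Include *.p12,*.key|C:\Windows\System32\cmd.exe|CORP\jdoe",
    # Benign editor launch, no key extension -> no alert
    r"1|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt|C:\Windows\explorer.exe|CORP\jdoe",
    # ".keystore" is not ".key"; the anchored regex must not fire -> no alert
    r"1|C:\Windows\System32\findstr.exe|findstr /si keystore C:\app\config.keystore|C:\Windows\System32\cmd.exe|SVC\app",
    # Non-creation event ID (constructed negative control) -> excluded regardless of content
    r"5|C:\Windows\System32\cmd.exe|cmd.exe /c dir *.key|C:\Windows\explorer.exe|CORP\jdoe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['user']} {alert['image']} -> {alert['extensions']}: {alert['command_line']}")
```

Running the block prints two alerts, one for the `dir` command and one for the PowerShell enumeration; the `.keystore` record and the non-creation event are ignored. In production the allowlisting of known administrative tooling and the user/parent-process context carried in each alert are what keep a rule like this from drowning analysts in benign hits.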
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1552
- T1552.004
Created: 2024-11-13