
Summary
This detection rule targets anomalous use of the PowerShell cmdlet `export-pfxcertificate`, which exports certificates from the Windows Certificate Store. The analytic leverages process execution logs, particularly those collected from Endpoint Detection and Response (EDR) agents, and alerts when this command is executed. Exporting authentication certificates may signify malicious intent, such as exfiltration of sensitive data or user impersonation. Because these certificates can be used to decrypt data or impersonate users, identifying this activity is critical to preventing unauthorized access and potential data breaches. The detection examines the command-line arguments of processes to capture instances of certificate export. The rule supports monitoring of, and response to, potentially harmful actions within a Windows environment and strengthens the security posture against certificate-based attacks.
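As an added illustration, not part of the rule itself, the following Python applies the command-line check described above to a handful of constructed EDR process events. The event field names and sample values are assumptions; it also pulls out the `-FilePath` argument so an analyst can see where the exported certificate was written.

```python
import re

# Constructed sample EDR process-creation events (not real telemetry).
# Field names are assumed for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "explorer.exe",
     "process": "powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-ChildItem Cert:\\CurrentUser\\My"'},
    {"host": "WS02", "user": "CORP\\bob", "parent": "cmd.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe Export-PfxCertificate -Cert Cert:\\CurrentUser\\My\\ABCD1234 "
                "-FilePath C:\\Users\\Public\\id.pfx -Password $pw"},
    {"host": "SRV01", "user": "CORP\\svc-backup", "parent": "services.exe",
     "process": "pwsh.exe",
     "cmdline": "pwsh.exe -c export-pfxcertificate -cert $c -filepath \\\\share\\certs\\web.pfx"},
    {"host": "WS03", "user": "CORP\\carol", "parent": "outlook.exe",
     "process": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# PowerShell cmdlet names are case-insensitive, so the match must be too.
CMDLET = re.compile(r"export-pfxcertificate", re.IGNORECASE)
# Capture the destination path passed to -FilePath, if present.
FILEPATH = re.compile(r"-filepath\s+(\S+)", re.IGNORECASE)


def detect_pfx_export(events):
    """Return one alert per process event whose command line invokes Export-PfxCertificate.

    Each alert keeps the context an analyst needs for triage: host, user,
    parent process, and the output path the certificate was exported to.
    """
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if not CMDLET.search(cmd):
            continue
        m = FILEPATH.search(cmd)
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],
            "process": ev["process"],
            "destination": m.group(1).strip("\"'") if m else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pfx_export(SAMPLE_EVENTS):
        print(alert)
```

A plain command-line match does not see the cmdlet when it arrives inside an encoded or script-file invocation, so this check is best paired with PowerShell script block logging rather than used alone.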
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1649
Created: 2024-11-13