
Windows Steal Authentication Certificates CertUtil Backup

Splunk Security Content

Summary
This detection rule identifies executions of CertUtil.exe with backup parameters, which can indicate theft of authentication certificates from the Windows Certificate Store. The analytic draws on real-time telemetry from Endpoint Detection and Response (EDR) agents, specifically process command-line executions involving CertUtil. Malicious actors could use stolen authentication certificates to impersonate users, decrypt sensitive data, or gain unauthorized access. The rule combines Sysmon Event ID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2 to detect this activity. False positives may occur during legitimate certificate store backups, but the analytic is designed to surface anomalous executions that warrant further investigation.
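The detection logic described above, applied to a few constructed process-creation events normalized from the three named sources. This is an added example, not the Splunk Security Content search itself; the event field names (`image`, `command_line`, etc.) and the sample events are assumptions made for the illustration.

```python
import re

# Constructed sample telemetry, flattened to one common shape. In a real
# deployment these rows would come from Sysmon Event ID 1, Security 4688
# (with command-line auditing enabled) or CrowdStrike ProcessRollup2.
SAMPLE_EVENTS = [
    {"source": "Sysmon:1", "host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil.exe -backupdb C:\\temp\\cadb"},
    {"source": "Security:4688", "host": "ws02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil  -backup -p Pass123 C:\\Users\\bob\\out"},
    {"source": "ProcessRollup2", "host": "ws03", "user": "CORP\\carol",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil -hashfile C:\\tools\\agent.msi SHA256"},
    {"source": "Sysmon:1", "host": "ws04", "user": "CORP\\dave",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": 'cmd /c "echo backup complete"'},
]

# certutil backup verbs (-backup, -backupDB, -backupKey). Windows tools accept
# either switch character, so both "-" and "/" are matched; the lookahead keeps
# "-backupfoo"-style tokens from matching. Case-insensitive like the CLI.
BACKUP_VERB = re.compile(r"(?:^|\s)[-/]backup(?:db|key)?(?=\s|$)", re.IGNORECASE)


def is_certutil(image: str, command_line: str) -> bool:
    """Match on the executed image name or on the first command-line token."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    tokens = command_line.strip().split()
    first = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    return exe == "certutil.exe" or first in ("certutil", "certutil.exe")


def detect_certutil_backup(events):
    """Return one alert record per event where certutil ran with a backup verb."""
    hits = []
    for ev in events:
        cmd = ev.get("command_line", "")
        if is_certutil(ev.get("image", ""), cmd) and BACKUP_VERB.search(cmd):
            hits.append({"host": ev["host"], "user": ev["user"],
                         "source": ev["source"], "command_line": cmd})
    return hits


if __name__ == "__main__":
    for hit in detect_certutil_backup(SAMPLE_EVENTS):
        print(f"[{hit['source']}] {hit['host']} {hit['user']}: {hit['command_line']}")
```

Triage of hits should check whether the host and user are expected to run scheduled certificate store or CA database backups, since those are the legitimate source of the false positives the summary mentions.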
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1649
Created: 2024-11-13