
Certificate Exported Via PowerShell

Sigma Rules

Summary
This detection rule identifies when certificate-export commands are executed through PowerShell. Threat actors have been known to misuse PowerShell cmdlets such as `Export-PfxCertificate` and `Export-Certificate` to extract certificates, potentially together with their private keys, from a compromised system's local certificate store. Such theft can enable further attacks, since stolen keys may allow attackers to impersonate legitimate services or gain unauthorized access to protected resources. The rule monitors the process command line for these specific cmdlets, which are clear indicators of an attempt to export sensitive certificates without appropriate administrative justification. False positives may occur during legitimate administrative tasks, but matching on these specific command line patterns keeps such occurrences low while still capturing malicious activity.
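As an added example (not the Sigma rule itself, nor code from the rule's authors), the command-line matching described above in Python, run over a few constructed process-creation events. The `Image` and `CommandLine` field names follow Sysmon's process-creation event and are an assumption here; the sample events and paths are constructed.

```python
import re
from typing import Optional

# The two cmdlets the rule summary names as certificate-export indicators.
# PowerShell cmdlet names are case-insensitive, so the match is too.
EXPORT_CMDLETS = ("Export-PfxCertificate", "Export-Certificate")
_PATTERN = re.compile(r"\b(" + "|".join(EXPORT_CMDLETS) + r")\b", re.IGNORECASE)

# Constructed sample process-creation events (Sysmon-style field names).
# These are illustrative values, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Export-PfxCertificate -Cert Cert:\LocalMachine\My\PLACEHOLDER_THUMBPRINT -FilePath C:\Users\Public\x.pfx"'},
    # Export logic hidden inside a script file is invisible to command-line matching;
    # this event does not fire, which is a known blind spot of this rule style.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -File C:\ops\renew.ps1"},
    # Reading the store is not exporting from it: no match expected.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Get-ChildItem Cert:\LocalMachine\My"},
    # Lower-case cmdlet name still matches because the regex is case-insensitive.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile export-certificate -Cert $c -FilePath C:\temp\c.cer"},
]


def match_certificate_export(event: dict) -> Optional[dict]:
    """Return a finding if the event's command line invokes one of the export cmdlets."""
    m = _PATTERN.search(event.get("CommandLine", ""))
    if not m:
        return None
    return {
        "cmdlet": m.group(1),
        "image": event.get("Image", ""),
        "command_line": event["CommandLine"],
    }


def scan(events) -> list:
    """Run the matcher over a sequence of events and collect the findings."""
    return [f for f in (match_certificate_export(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding['cmdlet']}: {finding['command_line']}")
```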
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Process
Created: 2023-05-18