
Summary
This detection rule identifies the use of the Certify and Certipy tools, which are used to enumerate Active Directory Certificate Services (AD CS) environments for misconfigured certificate templates and to request certificates that abuse those misconfigurations. It draws on several data sources, focusing mainly on command-line arguments characteristic of these tools, since both binaries are frequently renamed and the arguments are a more reliable signal than the process name. The detection approach leverages Endpoint Detection and Response (EDR) data and looks for specific patterns that suggest reconnaissance of, or exploitation attempts against, AD CS. Because AD CS issues certificates that can authenticate as any principal, confirmed malicious use indicates a risk of unauthorized access and privilege escalation, potentially compromising sensitive certificates and the assets they protect.
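As an added illustration, not part of the rule or its query, the following Python runs a command-line matcher of the kind described above over a few constructed process-creation events. The field names (`process.name`, `process.command_line`) are assumed ECS-style names, and the indicator patterns are my own selection of well-known Certify (`/flag`) and Certipy (`-flag`) switches, not the rule's own logic. Each pattern requires a verb plus a distinctive switch so that generic words such as `find` or `request` do not fire on their own, and the renamed-binary event shows why arguments are matched independently of the process name.

```python
"""Constructed example: match Certify/Certipy command-line indicators in process events."""
import re
from typing import Dict, List, Tuple

# Assumed (ECS-style) field names; adjust to your EDR schema.
NAME_FIELD = "process.name"
CMD_FIELD = "process.command_line"

# Known binary names (weak on its own: attackers rename the executables).
CERTIFY_NAMES = {"certify.exe"}
CERTIPY_NAMES = {"certipy", "certipy.exe", "certipy-ad", "certipy-ad.exe"}

# Hypothetical argument patterns built from documented Certify and Certipy switches.
# Each needs a verb AND a distinctive switch, so "findstr.exe /vulnerable" or a lone
# "request" in some other tool's arguments does not match.
CERTIFY_ARGS: List[Tuple[str, re.Pattern]] = [
    ("certify-find", re.compile(
        r"\bfind\b.*\s/(vulnerable|enrolleeSuppliesSubject|clientauth|currentuser)\b", re.I)),
    ("certify-request", re.compile(r"\brequest\b.*\s/ca:\S+.*\s/template:\S+", re.I)),
    ("certify-altname", re.compile(r"\s/altname:\S+", re.I)),
]
CERTIPY_ARGS: List[Tuple[str, re.Pattern]] = [
    ("certipy-find", re.compile(r"\bfind\b.*\s-(vulnerable|stdout|dc-ip)\b", re.I)),
    ("certipy-req", re.compile(r"\breq\b.*\s-ca\s+\S+.*\s-template\s+\S+", re.I)),
    ("certipy-auth", re.compile(r"\bauth\b.*\s-pfx\s+\S+", re.I)),
    ("certipy-shadow", re.compile(r"\bshadow\b.*\s(auto|add|list)\b", re.I)),
]


def match_adcs_tool(event: Dict[str, str]) -> List[str]:
    """Return the indicator labels matched by one process event (empty = no hit)."""
    name = event.get(NAME_FIELD, "").lower()
    cmd = event.get(CMD_FIELD, "")
    hits: List[str] = []
    if name in CERTIFY_NAMES:
        hits.append("certify-binary-name")
    if name in CERTIPY_NAMES:
        hits.append("certipy-binary-name")
    # Argument patterns are checked regardless of the binary name (renamed tools).
    for label, rx in CERTIFY_ARGS + CERTIPY_ARGS:
        if rx.search(cmd):
            hits.append(label)
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run the matcher over a batch of events; return (index, labels) for each alert."""
    alerts = []
    for i, event in enumerate(events):
        hits = match_adcs_tool(event)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {NAME_FIELD: "Certify.exe",
     CMD_FIELD: r'"C:\Users\jdoe\Downloads\Certify.exe" find /vulnerable'},
    # Renamed Certify: only the arguments give it away.
    {NAME_FIELD: "svc.exe",
     CMD_FIELD: r"C:\Temp\svc.exe request /ca:dc01.corp.local\corp-DC01-CA /template:User /altname:administrator"},
    # Certipy launched through the Python interpreter, as it commonly is.
    {NAME_FIELD: "python.exe",
     CMD_FIELD: "python.exe certipy req -u jdoe@corp.local -p Passw0rd -ca corp-DC01-CA -template ESC1 -upn administrator@corp.local"},
    # Benign look-alikes that must not fire.
    {NAME_FIELD: "certutil.exe", CMD_FIELD: "certutil.exe -dump"},
    {NAME_FIELD: "findstr.exe", CMD_FIELD: r"findstr.exe /vulnerable C:\notes.txt"},
]

if __name__ == "__main__":
    for idx, labels in detect(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] {SAMPLE_EVENTS[idx][CMD_FIELD]!r}: {', '.join(labels)}")
```

Running the block alerts on the first three events and stays silent on `certutil.exe` and `findstr.exe`; the second alert carries only argument-based labels, which is the case a name-only rule would miss.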
Categories
- Endpoint
- Windows
- Application
Data Sources
- Windows Registry
- Logon Session
- Process
- Application Log
ATT&CK Techniques
- T1649
- T1105
Created: 2024-12-10