
Summary
This detection rule identifies executions of the native Windows utility certutil.exe with the 'exportPFX' command-line verb. certutil is primarily used to manage digital certificates and certificate stores, and its '-exportPFX' verb writes a certificate, together with its private key, from a certificate store into a PFX (PKCS #12) file. An adversary with access to a host can use it to steal certificate credentials such as code-signing or client-authentication certificates. The rule monitors process-creation events and fires when the process image is certutil.exe and the command line contains the exportPFX verb; requiring both conditions avoids alerting on unrelated processes whose arguments merely mention the string. Exporting certificates has legitimate administrative uses, so a hit should be triaged rather than suppressed: check who ran the command, which store and certificate were named, and where the output PFX was written. Alerts from this rule carry a 'medium' severity level.
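The detection logic described above, applied to a few constructed process-creation events. This is an added example, not the rule's own code or any vendor's implementation; the event fields (Image, CommandLine, OriginalFileName) follow the Sysmon Event ID 1 naming convention, the sample events are made up, and the optional OriginalFileName check goes beyond the rule as summarized, to catch a copied and renamed certutil binary.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# None of these are real telemetry.
SAMPLE_EVENTS = [
    {   # 0: classic export of a certificate with its private key from the MY store
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r'certutil.exe -p "pw" -exportPFX my 1a2b3c C:\Users\Public\c.pfx',
        "OriginalFileName": "CertUtil.exe",
    },
    {   # 1: certutil used for a download, not an export -> no alert from this rule
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -urlcache -split -f http://example.invalid/a.txt a.txt",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # 2: 32-bit image, slash-style flag, different case
        "Image": r"C:\Windows\SysWOW64\certutil.exe",
        "CommandLine": r"CERTUTIL /exportpfx my * C:\Temp\all.pfx",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # 3: unrelated process that merely mentions the string -> image check rejects it
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c echo -exportPFX",
        "OriginalFileName": "Cmd.Exe",
    },
    {   # 4: certutil copied and renamed; only the OriginalFileName extension catches it
        "Image": r"C:\Users\Public\cu.exe",
        "CommandLine": r"cu.exe -p x -exportPFX my 1a2b3c C:\Users\Public\out.pfx",
        "OriginalFileName": "CertUtil.exe",
    },
]

SEVERITY = "medium"

# Match the verb as a token, accepting both '-' and '/' prefixes, case-insensitive.
EXPORT_PFX_RE = re.compile(r"(?:^|\s)[-/]exportpfx(?:\s|$)", re.IGNORECASE)


def is_certutil_image(event, use_original_filename=False):
    """True if the process image is certutil.exe.

    With use_original_filename=True the PE's OriginalFileName is also
    consulted, which survives renaming of the binary on disk. That part is
    an extension beyond the rule as summarized on this page.
    """
    image = event.get("Image", "")
    if image.lower().endswith("\\certutil.exe"):
        return True
    if use_original_filename:
        return event.get("OriginalFileName", "").lower() == "certutil.exe"
    return False


def matches_export_pfx(event, use_original_filename=False):
    """Rule logic: certutil image AND exportPFX verb on the command line."""
    return (is_certutil_image(event, use_original_filename)
            and EXPORT_PFX_RE.search(event.get("CommandLine", "")) is not None)


def evaluate(events, use_original_filename=False):
    """Return one alert dict per matching event, tagged with the rule severity."""
    alerts = []
    for idx, ev in enumerate(events):
        if matches_export_pfx(ev, use_original_filename):
            alerts.append({
                "event_index": idx,
                "severity": SEVERITY,
                "image": ev.get("Image", ""),
                "command_line": ev.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['image']} :: {alert['command_line']}")
    print("with OriginalFileName fallback:",
          [a["event_index"] for a in evaluate(SAMPLE_EVENTS, use_original_filename=True)])
```

Running the strict rule flags events 0 and 2 only; event 3 is rejected by the image check and event 1 by the command-line check. Event 4 shows the rule's blind spot as summarized: a renamed certutil.exe is missed unless the detection also keys on the PE's OriginalFileName, which Sysmon records but which this rule does not use.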
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-02-15