
Summary
This detection rule identifies when an application acquires a certificate private key by monitoring the Windows CAPI2 (Cryptographic Application Programming Interface 2) logs. Specifically, it looks for Event ID 70, which is generated whenever an application performs operations involving certificates, including the acquisition of private keys. The rule is intended to help security teams detect potential credential access attacks that involve compromising certificate keys, which can be used to impersonate trusted entities or gain unauthorized access to systems. Because this log also records legitimate activity, additional filters should be applied to reduce false positives; in particular, legitimate applications trigger this event when they request a certificate export. Note that the Microsoft-Windows-CAPI2/Operational log is disabled by default and must be enabled and collected before this rule can produce any matches.
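As an added example (not the rule's own code), the following applies the Event ID 70 match and the recommended process allowlist filter to constructed CAPI2 records. The record shape (flat dictionaries with `Channel`, `EventID`, `ProcessName`, `SubjectName`), the allowlist entries and the sample values are assumptions; real CAPI2 events carry this data inside the event's XML `UserData`.

```python
"""Match CAPI2 Event ID 70 (certificate private key acquired) and suppress known-good processes."""
from typing import Dict, Iterable, List, Set

CAPI2_CHANNEL = "Microsoft-Windows-CAPI2/Operational"
PRIVATE_KEY_ACQUIRED = 70

# Assumed allowlist: processes expected to acquire private keys on this host. Tune per environment;
# every suppressed path is a gap an attacker could hide in, so keep it short and specific.
KNOWN_GOOD_PROCESSES: Set[str] = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\certreq.exe",
}

# Constructed sample records (field layout assumed for illustration, not real exported events).
SAMPLE_EVENTS: List[Dict] = [
    {"Channel": CAPI2_CHANNEL, "EventID": 70,
     "ProcessName": r"C:\Windows\System32\lsass.exe", "SubjectName": "CN=host01.corp.example"},
    {"Channel": CAPI2_CHANNEL, "EventID": 70,
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "SubjectName": "CN=host01.corp.example"},
    {"Channel": CAPI2_CHANNEL, "EventID": 11,
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectName": "CN=Example Root CA"},
    {"Channel": "Security", "EventID": 70,
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectName": ""},
]


def is_private_key_acquired(event: Dict) -> bool:
    """Core rule logic: channel must be CAPI2/Operational and the event ID must be 70."""
    return event.get("Channel") == CAPI2_CHANNEL and event.get("EventID") == PRIVATE_KEY_ACQUIRED


def detect(events: Iterable[Dict], allowlist: Set[str] = KNOWN_GOOD_PROCESSES) -> List[Dict]:
    """Return alerts for matching events whose process is not on the allowlist.

    Paths are compared case-insensitively because Windows paths are case-insensitive
    and log sources differ in the casing they emit.
    """
    alerts = []
    for event in events:
        if not is_private_key_acquired(event):
            continue
        process = str(event.get("ProcessName", "")).lower()
        if process in allowlist:
            continue  # expected key use; suppressed to reduce false positives
        alerts.append({
            "rule": "Certificate Private Key Acquired",
            "process": event.get("ProcessName"),
            "certificate_subject": event.get("SubjectName"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```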
Categories
- Windows
- Cloud
- Application
- Identity Management
Data Sources
- Windows Registry
- Application Log
- Sensor Health
Created: 2023-05-13