
Summary
This detection rule identifies the installation of a new root certificate via the `CertMgr.exe` tool on Windows systems. Specifically, it triggers when the tool is executed with the `/add` command to import a certificate. Adversaries use this technique to install malicious root certificates on compromised systems, which suppresses security warnings and enables man-in-the-middle (MitM) attacks when users connect to malicious or attacker-controlled web servers.

The rule uses process creation logs to inspect the command line arguments and executable path of `CertMgr.exe`. The selection criteria have two parts: first, the executable must be `CertMgr.exe` or carry the original filename `CERTMGT.EXE`; second, the command line must contain both the `/add` switch and the string `root`. Requiring both conditions keeps the rule focused on root-store additions, but legitimate administrative actions by IT departments (for example, deploying an internal CA certificate) also match, so hits should be triaged rather than treated as confirmed malicious. The rule therefore underlines the importance of carefully monitoring certificate management activity to protect system trust and data integrity.
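The following is an added example, not part of the rule page, that implements the two selections in Python and runs them over constructed process-creation events; the event shape and field names (`image`, `original_file_name`, `command_line`) are assumptions modelled on a generic process-creation log.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Minimal process-creation event (field names are assumptions)."""
    image: str               # full path of the executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str

def matches_certmgr_root_add(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies both selections of the rule.
    Sigma string matching is case-insensitive, so everything is lower-cased."""
    image_ok = (ev.image.lower().endswith("\\certmgr.exe")
                or ev.original_file_name.upper() == "CERTMGT.EXE")
    cli = ev.command_line.lower()
    cli_ok = "/add" in cli and "root" in cli
    return image_ok and cli_ok

def alerts(events):
    """Filter a stream of events down to the ones the rule would fire on."""
    return [ev for ev in events if matches_certmgr_root_add(ev)]

# Constructed sample events; none of these come from real telemetry.
ROOT_INSTALL = ProcessEvent(
    r"C:\Windows\System32\certmgr.exe", "CERTMGT.EXE",
    r"certmgr.exe /add C:\Users\Public\ca.cer /s /r localMachine root")
RENAMED_BINARY = ProcessEvent(      # renamed binary, caught via OriginalFileName
    r"C:\Users\Public\cm.exe", "CERTMGT.EXE",
    r"cm.exe /add C:\Users\Public\ca.cer /s /r currentUser root")
PUBLISHER_STORE = ProcessEvent(     # /add, but not into the root store
    r"C:\Windows\System32\certmgr.exe", "CERTMGT.EXE",
    r"certmgr.exe /add vendor.cer /s /r localMachine TrustedPublisher")
DELETE_FROM_ROOT = ProcessEvent(    # touches the root store but has no /add
    r"C:\Windows\System32\certmgr.exe", "CERTMGT.EXE",
    r'certmgr.exe /del /c /n "Old CA" /s /r localMachine root')
ROOT_IN_PATH = ProcessEvent(        # "root" appears in the file path, not the store name
    r"C:\Windows\System32\certmgr.exe", "CERTMGT.EXE",
    r"certmgr.exe /add C:\RootCerts\vendor.cer /s /r localMachine TrustedPublisher")

SAMPLE_EVENTS = [ROOT_INSTALL, RENAMED_BINARY, PUBLISHER_STORE,
                 DELETE_FROM_ROOT, ROOT_IN_PATH]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT:", ev.command_line)
```

`ROOT_IN_PATH` fires even though the target store is `TrustedPublisher`, because `root` is a plain substring match against the whole command line; that is one reason hits need triage rather than being auto-escalated.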
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1553.004
Created: 2023-03-05