diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index a9c29f458..561c906a5 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/06"
+updated_date = "2021/10/15"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "Austin Songer"]
 description = """
 Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of
 Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or
@@ -31,7 +31,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
   (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
-  process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex")
+  process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX")
 '''
 
 
@@ -47,3 +47,4 @@ name = "Deobfuscate/Decode Files or Information"
 id = "TA0005"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+
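Review bot: The new `?exportPFX` token in the `process.args` list broadens the rule from decode/download behaviour to private-key export, but the description in the first hunk and the ATT&CK mapping visible in the last hunk, which still lists only "Deobfuscate/Decode Files or Information" under Defense Evasion, were not updated to reflect it. Consider extending the description with a sentence such as `It also flags certutil.exe exporting a certificate together with its private key (-exportPFX), which is a credential-theft indicator rather than a decoding one.` and adding a second [[rule.threat]] entry for the credential-access technique covering private keys (T1552.004), so the alert context matches what the query now fires on. Exporting a PFX is also routine for PKI administrators backing up or migrating certificates, so a false-positives note mentioning scheduled certificate backups would help analysts triage the new hits. Since the rest of the query is unchanged, the `:` operator stays case-insensitive and the leading `?` matches either `-` or `/`, so the new token behaves consistently with the existing ones.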