
Summary
The 'Esentutl SAM Copy' detection rule identifies executions of `esentutl.exe`, a Windows command-line utility, that access the credential stores ntds.dit or SAM. By monitoring process execution logs from Endpoint Detection and Response (EDR) agents, with particular focus on command-line arguments, this analytic aims to uncover potential credential extraction attempts, which are often tied to lateral movement and privilege escalation. The rule uses data sources such as Sysmon EventID 1 and Windows Security Event Log 4688, which provide the process execution details needed to detect suspicious interactions with sensitive credential stores. Alerting on this behavior helps security teams stop attackers from gaining unauthorized access to user credentials, strengthening overall network security.
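The matching logic described above, run over constructed Sysmon EventID 1 and Security 4688 records, as an added example that is not the rule's own query; the field names follow the real event schemas, but the sample events and their paths are constructed for illustration.

```python
"""Apply the Esentutl SAM Copy detection logic to constructed sample events.
Added example; not the rule's own query. Event schemas are simplified."""
import ntpath
import re
from typing import Iterable, List

# Constructed sample events mimicking Sysmon EventID 1 and Security 4688 fields.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\Temp\sam.save"},
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",  # legitimate repair
     "CommandLine": r'esentutl.exe /p "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"'},
    {"source": "security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit"},
    {"source": "security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\ntds.dit.txt"},  # wrong image: no alert
    {"source": "security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": ""},  # 4688 without command-line auditing: nothing to inspect
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Temp\tool.exe", "OriginalFileName": "esentutl.exe",
     "CommandLine": r"tool.exe /y /vss C:\Windows\System32\config\SAM /d C:\Temp\sam.save"},
]

# "\sam" as a whole path component (not e.g. "\sample") or the ntds.dit file name.
SENSITIVE = re.compile(r"\\sam(?![a-z0-9])|ntds\.dit", re.IGNORECASE)


def process_image(event: dict) -> str:
    """The image path is 'Image' in Sysmon EventID 1 and 'NewProcessName' in 4688."""
    return event.get("Image") or event.get("NewProcessName") or ""


def is_esentutl_sam_copy(event: dict) -> bool:
    """True when an esentutl.exe process creation references SAM or ntds.dit."""
    if event.get("EventID") not in (1, 4688):
        return False
    # Sysmon also records the PE's OriginalFileName, so a renamed copy still matches.
    names = {ntpath.basename(process_image(event)).lower(),
             event.get("OriginalFileName", "").lower()}
    if "esentutl.exe" not in names:
        return False
    # Security 4688 carries CommandLine only when the "Include command line in
    # process creation events" audit policy is enabled; an empty field cannot match.
    return SENSITIVE.search(event.get("CommandLine", "")) is not None


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Return the events that would raise an 'Esentutl SAM Copy' alert."""
    return [e for e in events if is_esentutl_sam_copy(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit["source"], hit["EventID"], hit["CommandLine"])
```

The empty-CommandLine case is worth keeping in mind: without command-line auditing enabled, Security 4688 alone cannot feed this rule.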
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1003.002
- T1003
Created: 2024-11-13