
Copying Sensitive Files with Credential Data

Sigma Rules

Summary
This detection rule identifies attempts to copy credential-bearing files on Windows hosts by matching process creation events against specific images and command-line patterns. It focuses primarily on 'esentutl.exe', a built-in ESE database utility that attackers abuse to copy locked files such as 'ntds.dit', the Active Directory database that stores domain credential material. The rule defines two selections: execution of 'esentutl.exe' with command-line arguments that indicate suspicious use, such as reading from a volume shadow copy or backing up sensitive registry hive files, and command lines that reference well-known locations where such files reside, so that copies made with other tools are also covered. An event matching either selection raises an alert. Because the same commands are used for legitimate backup and forensic acquisition, matches should be checked against the initiating user, the host's role and any change or maintenance records before being treated as malicious.
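The following is an added worked example, not the Sigma rule's own YAML and not code from the rule's author. It re-implements the two-selection logic described in the summary as a small Python matcher and runs it over a few constructed Sysmon-style process creation events. The argument fragments in ESENTUTL_ARGS and the locations in SENSITIVE_PATHS are approximations reconstructed from the summary, not the rule's exact strings, and the allowlisted backup account is an assumption used only to show the false-positive handling the summary mentions.

```python
"""Toy re-implementation of 'Copying Sensitive Files with Credential Data'.

Added example: approximates the rule's two selections and evaluates them
over constructed process creation events. Pattern lists are assumptions,
not the rule's literal strings.
"""
from dataclasses import dataclass

# Assumption: esentutl.exe argument fragments that indicate a live/VSS copy
# rather than ordinary database maintenance.
ESENTUTL_ARGS = ("/vss", " /y ", " /d ")

# Assumption: well-known on-disk locations of credential-bearing files,
# compared case-insensitively against the full command line.
SENSITIVE_PATHS = (
    r"\windows\ntds\ntds.dit",
    r"\config\sam",
    r"\config\system",
    r"\config\security",
    r"\repair\sam",
    r"\repair\system",
    r"\config\regback\sam",
    r"\config\regback\system",
)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged (Sysmon EID 1 / Security 4688)
    user: str           # account that started the process


def match_rule(event: ProcessEvent) -> list:
    """Return the names of the selections the event matches (empty = no alert)."""
    image = event.image.lower()
    # Pad with spaces so fragments like ' /y ' also match at the end of the line.
    cmd = f" {event.command_line.lower()} "
    hits = []
    if image.endswith("\\esentutl.exe") and any(a in cmd for a in ESENTUTL_ARGS):
        hits.append("selection_esentutl")
    if any(p in cmd for p in SENSITIVE_PATHS):
        hits.append("selection_sensitive_path")
    return hits


def triage(events: list, allowlisted_users: set) -> list:
    """Evaluate every event; mark hits from known backup accounts for review
    rather than suppressing them, since the account itself may be compromised."""
    results = []
    for ev in events:
        hits = match_rule(ev)
        if not hits:
            verdict = "no_match"
        elif ev.user.lower() in allowlisted_users:
            verdict = "review_known_backup_account"
        else:
            verdict = "alert"
        results.append({"user": ev.user, "hits": hits, "verdict": verdict})
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Classic ntds.dit copy via esentutl from a shadow copy: both selections.
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit",
                 r"CORP\jdoe"),
    # Copy of the SAM hive out of a shadow copy with plain copy: path selection only.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                 r"\Windows\System32\config\SAM C:\temp\sam",
                 r"CORP\svc-backup"),
    # Benign esentutl use (header dump of a mail database): no match.
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /mh C:\data\mail.edb",
                 r"CORP\exchadmin"),
    # Hive export via the registry API: no file path on the command line, so
    # this example's path patterns do not cover it (a gap to keep in mind).
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg.exe save HKLM\SAM C:\temp\sam.hiv",
                 r"CORP\jdoe"),
]

# Assumption: a service account known to run scheduled backups.
ALLOWLISTED_USERS = {r"corp\svc-backup"}


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS, ALLOWLISTED_USERS):
        print(r)
```

The allowlist downgrades rather than drops a match: a backup service account copying ntds.dit outside its scheduled window is exactly the case an attacker who has taken over that account would produce, so the event is still surfaced for review. The fourth sample shows a coverage limit of this path-based approach, which is why registry hive exports are usually handled by a separate detection.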
Categories
  • Endpoint
  • Windows
  • Cloud
  • On-Premise
Data Sources
  • Process
Created: 2019-10-22