
Esentutl.exe Collecting Browser Data

Anvilogic Forge

Summary
The rule detects malicious use of the legitimate Windows utility esentutl.exe to collect browser data from Internet Explorer and legacy (EdgeHTML) Microsoft Edge, a technique observed in malware infections such as Qakbot. esentutl.exe is Microsoft's command-line tool for maintaining Extensible Storage Engine (ESE) databases; its recovery mode (/r) and copy mode (/y, optionally with /vss) can read or duplicate an ESE database even while the owning process holds it open. Those browsers keep history, cookies and cache metadata in exactly such a database, WebCacheV01.dat and its V01 log set, under %LOCALAPPDATA%\Microsoft\Windows\WebCache, which makes the directory a reliable indicator. The rule keys on process-creation event codes (for example Sysmon Event ID 1) where the executed image is esentutl.exe and the command line references the Windows WebCache directory. Legitimate esentutl.exe use, such as Exchange or Active Directory database maintenance, does not touch a user's WebCache directory, so it is the path match rather than the utility alone that distinguishes abnormal usage. Correlating a hit with the logon session that launched the process (the rule's second data source) identifies whose browser data was targeted.
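As an added example that is not Anvilogic's own rule logic, the following Python runs the detection described above over a handful of constructed process-creation events in Sysmon field naming (Image, CommandLine, OriginalFileName). It flags esentutl.exe whenever the command line references \Windows\WebCache, checks the PE OriginalFileName so a renamed copy of the binary is still caught, and ignores both non-process-creation events and other tools that merely mention the directory. The event values, record IDs and user paths are made up for the demonstration.

```python
import re

# Event codes that represent a process execution: Sysmon Event ID 1 and the
# Windows Security equivalent, 4688.
PROCESS_CREATE_EVENT_IDS = {1, 4688}

# The ESE database holding IE / legacy Edge browsing data (WebCacheV01.dat and
# its V01 log set) lives under %LOCALAPPDATA%\Microsoft\Windows\WebCache, so a
# case-insensitive match on the tail of that path is the indicator.
WEBCACHE_DIR = re.compile(r"\\windows\\webcache(?![a-z0-9])", re.IGNORECASE)


def is_esentutl(event):
    """True if the image is esentutl.exe by path, or by PE OriginalFileName
    (Sysmon populates this from the version resource, which survives a rename)."""
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image.endswith("\\esentutl.exe") or original == "esentutl.exe"


def detect_esentutl_webcache(events):
    """Return the events that match: process creation + esentutl + WebCache path."""
    hits = []
    for ev in events:
        if int(ev.get("EventID", 0)) not in PROCESS_CREATE_EVENT_IDS:
            continue
        if not is_esentutl(ev):
            continue
        if WEBCACHE_DIR.search(str(ev.get("CommandLine", ""))):
            hits.append(ev)
    return hits


# Constructed sample events (hypothetical host, user and record IDs).
WC = r"C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache"
SAMPLE_EVENTS = [
    # 1. Recovery-mode run against the WebCache V01 log set: should alert.
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": f'esentutl.exe /r V01 /l"{WC}" /s"{WC}" /d"{WC}"'},
    # 2. Copy mode with /vss to duplicate the locked database: should alert.
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": f'esentutl.exe /y "{WC}\\WebCacheV01.dat" /vss /d C:\\Users\\Public\\wc.dat'},
    # 3. Renamed binary; only OriginalFileName reveals esentutl: should alert.
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Users\Public\es.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": f'es.exe /y "{WC}\\WebCacheV01.dat" /d C:\\Users\\Public\\x.dat'},
    # 4. Legitimate database maintenance, no WebCache path: no alert.
    {"RecordId": 4, "EventID": 4688, "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": r'esentutl.exe /p "D:\Exchange\Mailbox Database.edb"'},
    # 5. A different tool mentioning the directory: no alert.
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": f'cmd.exe /c dir "{WC}"'},
    # 6. Network-connection event for esentutl, not a process creation: no alert.
    {"RecordId": 6, "EventID": 3, "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": f'esentutl.exe /r V01 /l"{WC}"'},
]


def matching_record_ids(events=SAMPLE_EVENTS):
    """Convenience wrapper returning just the RecordIds that fired."""
    return [ev["RecordId"] for ev in detect_esentutl_webcache(events)]


if __name__ == "__main__":
    for ev in detect_esentutl_webcache(SAMPLE_EVENTS):
        print(f'ALERT record {ev["RecordId"]}: {ev["CommandLine"]}')
```

The OriginalFileName check matters because the binary is trivially copied and renamed; without it a path-only match on esentutl.exe misses record 3. The path match is deliberately narrow: an attacker can still reach the same file through a forward-slash path, an 8.3 short name or a junction, so in production the WebCache match is best paired with a file-read or backup-privilege signal on WebCacheV01.dat rather than relied on alone.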
Categories
  • Windows
Data Sources
  • Process
  • Logon Session
ATT&CK Techniques
  • T1005
Created: 2024-02-09