
Summary
This detection rule identifies potential credential theft activity in which the Windows InstallUtil.exe binary loads dynamic link libraries (DLLs) known to be used by credential extraction tools, namely vaultcli.dll and samlib.dll. By monitoring Sysmon EventCode 7 (image loaded), the rule captures instances where a running InstallUtil.exe process loads either of these DLLs. InstallUtil.exe is a signed Microsoft binary that adversaries abuse to evade application controls and execute malicious code, so this combination may indicate an ongoing attempt to extract user credentials and gain unauthorized access to the system. Implementing the rule requires ingesting Sysmon logs that include process names, parent processes, and module loads, so that IT security teams can detect and proactively mitigate such credential theft attempts.
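The matching logic the summary describes, written out as an added Python example (not the rule's own query or the vendor's code) and run over constructed Sysmon EventCode 7 records. The field names EventCode, Image and ImageLoaded follow Sysmon's naming; the hosts, process IDs and paths are made up for the sample.

```python
"""Detection logic for the rule above: Sysmon EventCode 7 (image loaded)
where the loading process is InstallUtil.exe and the loaded module is
vaultcli.dll or samlib.dll. All sample events are constructed, not real telemetry."""
from pathlib import PureWindowsPath

SUSPECT_PROCESS = "installutil.exe"
SUSPECT_MODULES = {"vaultcli.dll", "samlib.dll"}

# Constructed Sysmon records, already parsed into fields as a SIEM would present them.
SAMPLE_EVENTS = [
    {"EventCode": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ImageLoaded": r"C:\Windows\System32\vaultcli.dll", "Computer": "WS01", "ProcessId": 4120},
    # Mixed case in both paths: the match must be case-insensitive
    {"EventCode": 7, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
     "ImageLoaded": r"C:\Windows\System32\SAMLIB.DLL", "Computer": "WS02", "ProcessId": 5588},
    # InstallUtil loading an ordinary runtime dependency: not a hit
    {"EventCode": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Computer": "WS01", "ProcessId": 4120},
    # A different process loading vaultcli.dll (normal for Credential Manager use): not a hit
    {"EventCode": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\vaultcli.dll", "Computer": "WS03", "ProcessId": 2200},
    # Process-creation event (EventCode 1) naming InstallUtil: wrong event type, not a hit
    {"EventCode": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Computer": "WS01", "ProcessId": 4120},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon reports full paths)."""
    return PureWindowsPath(path).name.lower()


def is_hit(event: dict) -> bool:
    """True when EventCode is 7 and InstallUtil.exe loaded one of the credential DLLs."""
    if event.get("EventCode") != 7:
        return False
    return (_basename(event.get("Image", "")) == SUSPECT_PROCESS
            and _basename(event.get("ImageLoaded", "")) in SUSPECT_MODULES)


def find_hits(events):
    """Return (Computer, ProcessId, loaded module) for every matching event."""
    return [(e["Computer"], e["ProcessId"], _basename(e["ImageLoaded"]))
            for e in events if is_hit(e)]


if __name__ == "__main__":
    for host, pid, module in find_hits(SAMPLE_EVENTS):
        print(f"ALERT {host} pid={pid}: InstallUtil.exe loaded {module}")
```

In a SIEM the same three conditions (event type, loading image, loaded image) are the rule's core; the parent process field the summary mentions is useful for triage but is not part of the match itself.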
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218.004
- T1218
Created: 2024-11-13