
Summary
This detection rule monitors the initialization and activity of the Volume Shadow Copy Service (VSS) driven by the esentutl executable. It looks for Windows registry events in which the target object refers to the VSS service, in particular the registry path HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume, and in which the image involved is esentutl.exe. To reduce false positives, the rule excludes events that access the service's Start key under that path. Matches help identify credential access attempts that use volume shadow copy features to copy or extract data without authorization. The detection strategy maps to the credential access techniques for Windows systems in the ATT&CK framework.
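The match-and-exclude logic described above, as an added example run over constructed Sysmon-style registry events (this is illustration code, not the rule's own source; the event field names Image and TargetObject follow Sysmon's registry events, and the volume GUID is a placeholder):

```python
# Added example: the detection logic summarised above, applied to
# constructed registry events. Not the rule's own source.
from typing import Iterable

# Path fragment the rule keys on and the Start value it excludes.
# Comparisons are lower-cased because Windows registry paths are
# case-insensitive.
VSS_SERVICE_PATH = r"\system\currentcontrolset\services\vss"
VSS_START_KEY = VSS_SERVICE_PATH + r"\start"


def is_esentutl_vss_event(event: dict) -> bool:
    """Return True when a registry event should alert: the image is
    esentutl.exe, the target lies under the VSS service key, and the
    target is not the service's Start key (routine start-type access)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetObject", "").lower()
    if not image.endswith("\\esentutl.exe"):
        return False
    if VSS_SERVICE_PATH not in target:
        return False
    if VSS_START_KEY in target:
        return False
    return True


def matching_events(events: Iterable[dict]) -> list:
    """Reduce a stream of registry events to those that should alert."""
    return [e for e in events if is_esentutl_vss_event(e)]


# Constructed sample events; the GUID is a placeholder, not a real volume.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume{constructed-guid}"},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\Start"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume{constructed-guid}"},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("ALERT", e["Image"], e["TargetObject"])
```

Only the first sample event alerts: the second hits the Start-key exclusion, the third comes from a different image, and the fourth is outside the VSS service key.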
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1003.002
Created: 2020-10-20