Esentutl Gather Credentials

Summary
This Sigma rule targets the use of esentutl.exe, the Extensible Storage Engine (ESE) database utility that ships with Windows, in contexts tied to credential harvesting. The Conti ransomware group's leaked affiliate manual instructs operators to run esentutl against a copied NTDS (NT Directory Services) database, ntds.dit, which holds the domain's account password hashes, and the Trickbot pwgrab module has been documented using the same utility to extract Microsoft Edge data. The detection matches process creation events whose command line contains 'esentutl' together with a specific switch indicative of this credential-related use, and surfaces the command line, parent command line and user so that incident responders have the context needed to triage a hit.

Esentutl is a legitimate administration tool, so integrity checks and repairs run by administrators on Exchange, Active Directory or other ESE stores will also match; tune on user and parent process rather than suppressing the rule. Because the selection keys on one switch, other abuses of esentutl, such as its /y copy mode being used with a volume shadow copy to copy a locked ntds.dit, fall outside its scope and need separate coverage.
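As an added illustration (not the rule's own source and not any Sigma tooling), the detection logic re-implemented in plain Python and run over a handful of constructed Sysmon-style process-creation events. The two required command-line tokens, 'esentutl' and the ' /p' repair switch used in the Conti ntds.dit workflow, are an assumption about the rule's selection, as is the case-insensitive substring matching that most Sigma backends apply; check both against the rule source before relying on this. The event field names follow Sysmon event ID 1.

```python
"""Added illustration of the Esentutl Gather Credentials detection logic.

Re-implements the rule's matching in Python so it can be run over sample
process-creation events offline. The two tokens in REQUIRED_TOKENS are an
ASSUMPTION about the rule's selection (esentutl plus the ' /p' repair
switch); the sample events below are constructed, not real logs.
"""
from dataclasses import dataclass

# ASSUMED selection: Sigma `CommandLine|contains|all` over these tokens.
REQUIRED_TOKENS = ("esentutl", " /p")

# Fields the rule surfaces for triage (CommandLine, ParentCommandLine, User).
CONTEXT_FIELDS = ("CommandLine", "ParentCommandLine", "User")


@dataclass(frozen=True)
class Alert:
    rule: str
    context: dict


def matches(event: dict) -> bool:
    """Sigma contains|all semantics: every token must appear as a substring.
    Matching is case-insensitive so 'ESENTUTL.EXE /P' fires like the
    lower-case form; events without a CommandLine never match."""
    cmd = event.get("CommandLine", "")
    if not cmd:
        return False
    lowered = cmd.lower()
    return all(tok.lower() in lowered for tok in REQUIRED_TOKENS)


def evaluate(events):
    """Run the detection over process_creation events and return one Alert
    per hit, carrying only the rule's context fields for the analyst."""
    alerts = []
    for ev in events:
        if matches(ev):
            alerts.append(Alert(rule="Esentutl Gather Credentials",
                                context={f: ev.get(f) for f in CONTEXT_FIELDS}))
    return alerts


# Constructed sample events (Sysmon event ID 1 style field names).
SAMPLE_EVENTS = [
    {   # Conti-style repair of a copied ntds.dit: should fire
        "CommandLine": "esentutl /p /o C:\\Temp\\ntds.dit",
        "ParentCommandLine": "cmd.exe",
        "User": "CORP\\svc_backup",
        "Image": "C:\\Windows\\System32\\esentutl.exe",
    },
    {   # Same intent, upper case and full path: must also fire
        "CommandLine": "C:\\Windows\\System32\\ESENTUTL.EXE /P ntds.dit",
        "ParentCommandLine": "powershell.exe -nop -w hidden",
        "User": "CORP\\Administrator",
    },
    {   # Header dump of an ESE file: a different switch, outside the rule
        "CommandLine": "esentutl /mh C:\\Temp\\ntds.dit",
        "ParentCommandLine": "cmd.exe",
        "User": "CORP\\admin",
    },
    {   # Copying a locked ntds.dit via VSS uses /y, not /p: the rule as
        # modelled here does not cover it, which is the coverage gap to note
        "CommandLine": "esentutl.exe /y C:\\Windows\\NTDS\\ntds.dit /vss /d C:\\Temp\\ntds.dit",
        "ParentCommandLine": "cmd.exe",
        "User": "CORP\\admin",
    },
    {   # Unrelated process: must not fire
        "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt",
        "ParentCommandLine": "explorer.exe",
        "User": "CORP\\bob",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert.rule, alert.context)
```

Running the block prints two alerts, one for each of the first two events; the /mh and /y invocations are deliberately left unmatched to make the rule's narrow scope visible rather than silently widening it.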
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Process
  • Command
Created: 2021-08-06