Adding detection rule for esentutl utility

Used by Conti affiliates to target NTDS file and MSEdge info

rules/windows/process_creation/Conti_esentutl.yaml

@@ -0,0 +1,32 @@
+title: Detection of esentutl aka Extensible Storage Engine Utilities to gather credentials
+id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
+status: experimental
+author: sam0x90
+date: 2021/08/06
+description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module "pwgrab"
+references:
+    - https://twitter.com/vxunderground/status/1423336151860002816
+	- https://attack.mitre.org/software/S0404/
+    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.t1003.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - 'esentutl'
+    selection_password:
+        CommandLine|contains: ' /p'
+    condition: all of them
+falsepositives:
+    - To be determined
+level: medium
+fields:
+    - User
+	- CommandLine
+    - ParentCommandLine
+    - CurrentDirectory