diff --git a/rules/windows/process_creation/Conti_esentutl.yaml b/rules/windows/process_creation/process_susp_esentutl_params.yaml
similarity index 96%
rename from rules/windows/process_creation/Conti_esentutl.yaml
rename to rules/windows/process_creation/process_susp_esentutl_params.yaml
index 91f75ab49..598525ac6 100644
--- a/rules/windows/process_creation/Conti_esentutl.yaml
+++ b/rules/windows/process_creation/process_susp_esentutl_params.yaml
@@ -1,31 +1,31 @@
-title: Esentutl Gather Credentials
-id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
-status: experimental
-author: sam0x90
-date: 2021/08/06
-description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
-references:
- - https://twitter.com/vxunderground/status/1423336151860002816
- - https://attack.mitre.org/software/S0404/
- - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1003.003
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|contains|all:
- - 'esentutl'
- - ' /p'
- condition: all of them
-falsepositives:
- - To be determined
-level: medium
-fields:
- - User
- - CommandLine
- - ParentCommandLine
- - CurrentDirectory
+title: Esentutl Gather Credentials
+id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
+status: experimental
+author: sam0x90
+date: 2021/08/06
+description: Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816
+ - https://attack.mitre.org/software/S0404/
+ - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'esentutl'
+ - ' /p'
+ condition: all of them
+falsepositives:
+ - To be determined
+level: medium
+fields:
+ - User
+ - CommandLine
+ - ParentCommandLine
+ - CurrentDirectory