
Summary
This detection rule identifies use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets on macOS systems. Attackers may use this tool to extract credentials, enabling lateral movement within a network. The rule is implemented as a KQL query that matches process events in which a process named 'kcc' is executed with the argument 'copy_cred_cache'. The rule carries a high risk score of 73, reflecting its significance in threat detection. It requires data from Elastic Defend, which integrates with the Elastic Agent to monitor events on endpoints; the rule includes prerequisites for setting up the Elastic Defend integration and outlines investigation steps for analyzing detected alerts. Proper investigation may involve reviewing the alert details, the user account associated with the process, network connections, and logs for broader attack patterns. The rule also provides guidance on false positive analysis and on response actions to take when it fires, such as isolating affected systems and auditing Kerberos ticket caches.
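To show how the process-event match described above behaves, here is an added Python example (not the Elastic rule itself or its KQL) that applies the same conditions to a few constructed, flattened ECS-style events. The dotted field names, the process-start and macOS scoping conditions, and the sample events are assumptions made for illustration.

```python
# Added example: re-implementation of the rule's matching conditions over
# constructed, flattened ECS-style process events. Illustrative Python only.

RISK_SCORE = 73  # risk score stated for the rule

def matches_rule(event):
    """True when the event is a macOS process-start event for a process
    named 'kcc' whose arguments include 'copy_cred_cache'."""
    args = event.get("process.args") or []
    if isinstance(args, str):  # tolerate a single-string args field
        args = [args]
    return (
        event.get("event.category") == "process"
        and event.get("host.os.type") == "macos"
        and event.get("event.type") in ("start", "process_started")
        and event.get("process.name") == "kcc"
        and "copy_cred_cache" in args
    )

def run_detection(events):
    """Return one alert per matching event, carrying the fields an analyst
    would review first (host, user, pid, full command line)."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "risk_score": RISK_SCORE,
                "host": ev.get("host.name"),
                "user": ev.get("user.name"),
                "pid": ev.get("process.pid"),
                "command_line": " ".join(ev.get("process.args") or []),
            })
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Matches: kcc invoked with copy_cred_cache on macOS.
    {"event.category": "process", "event.type": "start", "host.os.type": "macos",
     "host.name": "mac-01", "user.name": "alice", "process.name": "kcc",
     "process.pid": 4242, "process.args": ["kcc", "copy_cred_cache", "/tmp/cc_copy"]},
    # Same binary, different subcommand: no match (likely benign admin use).
    {"event.category": "process", "event.type": "start", "host.os.type": "macos",
     "host.name": "mac-01", "user.name": "alice", "process.name": "kcc",
     "process.pid": 4243, "process.args": ["kcc", "list"]},
    # Right arguments, but the rule is scoped to macOS hosts: no match.
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "host.name": "lnx-01", "user.name": "bob", "process.name": "kcc",
     "process.pid": 99, "process.args": ["kcc", "copy_cred_cache"]},
]
```

Running `run_detection(SAMPLE_EVENTS)` yields a single alert for the first event; the other two show why a plain match on the binary name alone would be noisier than the rule's argument-plus-platform condition.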
Categories
- macOS
- Endpoint
- Identity Management
Data Sources
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1003
- T1558
- T1558.003
Created: 2020-08-14