
Summary
This detection rule identifies the creation of .kirbi files, which are linked to Kerberos ticket dumping and commonly associated with credential access attacks. Attackers may use tools such as Mimikatz to generate these files, enabling techniques such as Pass-The-Ticket (PTT). The rule inspects file creation events on Windows hosts, matching events where a file with the .kirbi extension is created, and so serves as an early warning of potentially malicious behavior. The underlying data sources include endpoint and Windows logs, such as the Sysmon operational log and telemetry from integrated security solutions like SentinelOne and Microsoft Defender for Endpoint. The rule carries a risk score of 73 (high) and is classified under the Credential Access tactic in the MITRE ATT&CK framework. When the rule triggers an alert, the recommended investigation steps are to validate the user account involved, review related logs, and examine the process that created the file, in order to establish whether the file creation was legitimate. If a compromise is confirmed, isolate the affected system and carry out full incident response measures.
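As an added illustration, not part of the rule or its original query, the following Python mirrors the rule's three conditions (Windows host, file creation event, .kirbi extension) over a handful of constructed Sysmon-style file-creation events and returns, for each hit, the user, process and path an analyst needs for the account validation and process review described above. The event fields, the sample events and the process names in them are assumptions for the example, not the rule's data model.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed event shape loosely modelled on the ECS fields that Sysmon
# (Event ID 11, FileCreate) and EDR file telemetry populate. This is an
# assumption for the example, not the rule's own query or data model.
@dataclass(frozen=True)
class FileEvent:
    host_os: str      # host.os.type, e.g. "windows"
    category: str     # event.category, e.g. "file"
    event_type: str   # event.type, e.g. "creation"
    path: str         # file.path
    process: str      # process.executable
    user: str         # user.name


def is_kirbi_creation(ev: FileEvent) -> bool:
    """Mirror the rule's conditions: Windows host, file creation, .kirbi extension.

    The extension check is case-insensitive: NTFS does not distinguish case,
    so a tool writing EXPORT.KIRBI must still match.
    """
    return (
        ev.host_os.lower() == "windows"
        and ev.category == "file"
        and ev.event_type == "creation"
        and ev.path.lower().endswith(".kirbi")
    )


def find_kirbi_creations(events: Iterable[FileEvent]) -> list[dict]:
    """Return one triage record per matching event.

    The record carries the user, creating process and path so the analyst can
    validate the account and review the process without going back to raw logs.
    """
    return [
        {"user": ev.user, "process": ev.process, "path": ev.path}
        for ev in events
        if is_kirbi_creation(ev)
    ]


# Constructed sample events (not real telemetry). Only the first and last
# should match: the others are a different extension, a non-Windows host,
# and a deletion rather than a creation.
SAMPLE_EVENTS = [
    FileEvent("windows", "file", "creation",
              r"C:\Users\jdoe\Desktop\ticket.kirbi", r"C:\Temp\mimikatz.exe", "jdoe"),
    FileEvent("windows", "file", "creation",
              r"C:\Users\jdoe\notes.txt", r"C:\Windows\System32\notepad.exe", "jdoe"),
    FileEvent("linux", "file", "creation",
              "/tmp/ticket.kirbi", "/usr/bin/python3", "svc"),
    FileEvent("windows", "file", "deletion",
              r"C:\Users\jdoe\Desktop\old.kirbi", r"C:\Windows\explorer.exe", "jdoe"),
    FileEvent("windows", "file", "creation",
              r"C:\Temp\EXPORT.KIRBI", r"C:\Temp\tool.exe", "admin"),
]


if __name__ == "__main__":
    for hit in find_kirbi_creations(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two triage records (the jdoe ticket.kirbi creation and the admin EXPORT.KIRBI creation); the deletion event and the Linux event are deliberately excluded, which is the same scoping the rule applies by restricting itself to Windows file creation events.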
Categories
- Endpoint
- Windows
Data Sources
- File
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1003
- T1558
Created: 2023-08-23