Mimikatz PassTheTicket CommandLine Parameters

Splunk Security Content

Summary
This analytic detects Mimikatz command-line parameters associated with pass-the-ticket (PTT) attacks by matching the argument patterns used during Kerberos ticket manipulation. Mimikatz, a well-known post-exploitation tool, can export and inject Kerberos tickets to enable lateral movement, letting an attacker bypass normal access controls, escalate privileges, reach sensitive data, and maintain persistence. The detection draws primarily on process telemetry from Endpoint Detection and Response (EDR) agents and looks for specific Mimikatz ticket-manipulation commands such as 'sekurlsa::tickets /export' and 'kerberos::ptt'. Because it keys on the command-line arguments rather than the executable name, it still fires when the Mimikatz binary has been renamed, but it depends on complete ingestion of process-creation events, including full command lines, from the EDR agents.
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • File
  • Application Log
ATT&CK Techniques
  • T1550
  • T1550.003
Created: 2024-11-13