AN0070: Analytic 0070
Detects abnormal interaction with memory-based Kerberos ccache (API:{uuid}) or file-based overrides. Focus on processes attempting to enumerate or extract Kerberos tickets outside of built-in utilities. Detects use of open-source tools (e.g., Bifrost, modified Mimikatz ports) that interact with the Kerberos framework APIs.
Analyst context for executives and security teams
AN0070 is a macOS detection analytic focused on abnormal access to Kerberos credential cache material, including memory-based Kerberos ccache APIs and file-based overrides. Its business significance is identity risk: if non-standard processes can enumerate or extract Kerberos tickets, an incident may shift from a single endpoint issue to an authentication and access-control problem requiring faster identity-led response.
Executive priority
Prioritize this analytic where macOS systems use Kerberos-backed authentication or have access to sensitive business services. Leaders should ask whether SOC and incident response teams can distinguish legitimate Kerberos utilities from unusual ticket access, whether macOS endpoint telemetry is retained long enough for investigation, and whether identity evidence is available to support audit, containment, and access review decisions.
Technical view
For SOC and detection engineering, validate monitoring for macOS processes that interact with the Kerberos ccache, either through the memory-based API: cache that macOS uses by default or through a file-based override (for example, KRB5CCNAME pointing at a FILE: cache) that redirects ticket storage to a path a tool can read. The analytic specifically calls out processes that enumerate or extract Kerberos tickets outside the built-in utilities (kinit, klist, kdestroy, kswitch) and names open-source tooling such as Bifrost and modified Mimikatz ports as examples of tool classes that use the Kerberos framework APIs. Because no official detection logic is provided, teams must define local baselines for legitimate Kerberos access and test alerting against abnormal process behavior rather than assuming coverage from ATT&CK alone.
Likely telemetry
- macOS endpoint process execution telemetry
- macOS process-to-API or security framework interaction telemetry where available
- File access or configuration-change telemetry related to Kerberos ccache and file-based overrides
- Command-line and parent-child process context for utilities interacting with Kerberos
- Identity and authentication logs that can correlate ticket-related activity with account access
Detection direction
- Baseline expected macOS Kerberos activity from built-in utilities before alerting on all ccache access.
- Flag non-standard processes attempting to enumerate, open, or extract Kerberos ticket material, especially where parent process, path, signing status, or command-line context is unusual.
- Correlate endpoint Kerberos-ticket access with identity events to determine whether the activity is administrative, user-driven, or suspicious.
- Tune for false positives from legitimate enterprise authentication tools, management agents, developer workflows, or troubleshooting utilities that may touch Kerberos components.
- Document blind spots where endpoint tooling cannot observe memory-based Kerberos API interaction (in-process calls into GSS.framework or Heimdal leave no file artifact to watch) or file-based override access.
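The baseline-then-flag approach described in the detection direction above, as an added example written for this page (it is not ATT&CK content and not any vendor's detection logic). It assumes a hypothetical endpoint event schema (keys such as type, process, signer, path, env, and signer labels like apple-platform or adhoc), constructs its own sample events, and uses an invented binary path for the suspicious process; the built-in utility paths, the /tmp/krb5cc_<uid> convention for FILE: caches, and the KRB5CCNAME override are standard macOS and Kerberos behavior.

```python
"""Added example for the AN0070 "baseline built-ins, then flag outsiders" direction.
Illustrative code for this page, not ATT&CK content and not vendor detection logic.
The event schema (keys 'type', 'process', 'signer', 'path', 'env') is hypothetical;
map it onto your EDR / Endpoint Security telemetry before use. Sample events at
the bottom are constructed."""
from __future__ import annotations

import fnmatch
from collections import defaultdict

# Built-in macOS Kerberos (Heimdal) utilities. Extend with enterprise-approved
# tools from your own baseline; anything else is "outside built-in utilities".
BUILTIN_KERBEROS_UTILITIES = {
    "/usr/bin/kinit", "/usr/bin/klist", "/usr/bin/kdestroy",
    "/usr/bin/kswitch", "/usr/bin/kpasswd",
}
# FILE: caches default to /tmp/krb5cc_<uid>. The memory-based API: cache leaves
# no file, so it is NOT observable through these rules (the blind spot noted above).
FILE_CCACHE_GLOBS = ("/tmp/krb5cc*", "/private/tmp/krb5cc*", "*/krb5cc_*")
# Frameworks through which a process reaches the Kerberos APIs on macOS.
KERBEROS_FRAMEWORK_GLOBS = ("*/GSS.framework/*", "*/Heimdal.framework/*")
# Staging locations from which a managed, signed binary rarely needs tickets.
STAGING_DIR_GLOBS = ("/tmp/*", "/private/tmp/*", "/Users/*/Downloads/*",
                     "/private/var/folders/*")
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def _matches(path: str, globs: tuple[str, ...]) -> bool:
    return any(fnmatch.fnmatch(path, g) for g in globs)


def is_builtin(event: dict) -> bool:
    # Require path AND Apple signing so a renamed copy in /tmp does not inherit trust.
    # Signer values ('apple-platform', 'developer-id', 'adhoc', None) are hypothetical.
    return (event["process"] in BUILTIN_KERBEROS_UTILITIES
            and event.get("signer") == "apple-platform")


def evaluate(event: dict) -> list[tuple[str, str]]:
    """Return (rule, severity) hits for a single event; empty means nothing to flag."""
    hits: list[tuple[str, str]] = []
    builtin = is_builtin(event)
    kind = event["type"]
    if (kind == "file_open" and not builtin
            and _matches(event["path"], FILE_CCACHE_GLOBS)):
        hits.append(("ccache_file_access_by_nonbuiltin", "high"))
    if kind == "exec":
        ccname = event.get("env", {}).get("KRB5CCNAME", "")
        if ccname.startswith(("FILE:", "DIR:")):
            # Redirecting the cache to a file is routine troubleshooting when a
            # built-in does it; from anything else it deserves a look.
            hits.append(("ccache_override_env", "low" if builtin else "medium"))
    if kind == "image_load" and _matches(event["path"], KERBEROS_FRAMEWORK_GLOBS):
        # Signed apps (browsers, mail clients, ssh) load GSS.framework legitimately,
        # so only unsigned/ad-hoc binaries or binaries run from staging dirs count.
        if (event.get("signer") in (None, "adhoc")
                or _matches(event["process"], STAGING_DIR_GLOBS)):
            hits.append(("kerberos_framework_load_untrusted", "medium"))
    return hits


def run(events: list[dict]) -> list[dict]:
    """Aggregate hits per process; two distinct rules on one process escalate to high."""
    per_proc: dict[tuple, list[tuple[str, str]]] = defaultdict(list)
    for ev in events:
        for hit in evaluate(ev):
            per_proc[(ev["pid"], ev["process"], ev["user"])].append(hit)
    alerts = []
    for (pid, proc, user), hits in per_proc.items():
        rules = sorted({rule for rule, _ in hits})
        severity = max((sev for _, sev in hits), key=SEVERITY_ORDER.__getitem__)
        if len(rules) >= 2:
            severity = "high"
        # 'user' is carried so the alert can be joined to identity logs for triage.
        alerts.append({"pid": pid, "process": proc, "user": user,
                       "rules": rules, "severity": severity})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal: built-in klist reading the default API: cache.
    {"type": "exec", "pid": 100, "user": "jdoe", "process": "/usr/bin/klist",
     "signer": "apple-platform", "env": {}},
    # Admin troubleshooting: built-in klist pointed at a FILE: cache.
    {"type": "exec", "pid": 200, "user": "admin", "process": "/usr/bin/klist",
     "signer": "apple-platform", "env": {"KRB5CCNAME": "FILE:/tmp/krb5cc_501"}},
    # Legitimate signed app touching the Kerberos framework.
    {"type": "image_load", "pid": 250, "user": "jdoe",
     "process": "/System/Applications/Mail.app/Contents/MacOS/Mail",
     "signer": "apple-platform",
     "path": "/System/Library/Frameworks/GSS.framework/Versions/A/GSS"},
    # Suspicious: ad-hoc-signed binary in /private/tmp loads GSS.framework and then
    # opens a file-based ccache. The binary path and name are hypothetical.
    {"type": "image_load", "pid": 300, "user": "jdoe",
     "process": "/private/tmp/ticketdump", "signer": "adhoc",
     "path": "/System/Library/Frameworks/GSS.framework/Versions/A/GSS"},
    {"type": "file_open", "pid": 300, "user": "jdoe",
     "process": "/private/tmp/ticketdump", "signer": "adhoc",
     "path": "/tmp/krb5cc_501"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the built-in klist call produces nothing, the admin's KRB5CCNAME override surfaces as a low-severity note for context, the signed mail client loading GSS.framework is ignored, and the ad-hoc-signed binary in /private/tmp is raised to high because two independent rules fire on the same process. The allowlist set doubles as the approved-utility list the mitigation priorities call for; the rules say nothing about processes that only touch the in-memory API: cache, which is exactly the gap API-level or security-framework telemetry must cover.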
Mitigation priorities
- Confirm macOS endpoint telemetry coverage for process execution, relevant file access, and Kerberos-related activity before relying on this analytic.
- Restrict and monitor administrative access to macOS systems that can obtain Kerberos tickets for sensitive services.
- Harden identity response procedures so suspected ticket access triggers account review, session validation, and containment decisions.
- Maintain an approved list of built-in and enterprise-approved Kerberos utilities to support triage and reduce false positives.
- Use findings from validation to update SOC runbooks, compliance evidence, and incident response escalation paths for identity-related endpoint events.
Analyst notes and limits
This object is a detection analytic, not a technique. It is scoped to macOS and describes abnormal interaction with Kerberos ccache mechanisms, including memory-based API access and file-based overrides. No tactics, relationships, or official detection query are supplied, so implementation depends on local telemetry capabilities and environment baselines.
The supplied ATT&CK fields do not include detection logic, data sources, mitigations, tactics, related techniques, or relationship context. This take therefore avoids claims about exploitation, attribution, prevalence, or guaranteed detection and requires local validation before operational use.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b8e12706561f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0070 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.