AN0405: Analytic 0405

Detects forged Kerberos Golden Tickets by correlating anomalous Kerberos ticket lifetimes, unexpected encryption types (e.g., RC4 in modern domains), malformed fields in logon/logoff events, and TGS requests without preceding TGT requests. Also monitors for abnormal patterns of access associated with elevated privileges across multiple systems.

EnterpriseAN0405AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

This analytic matters because forged Kerberos Golden Tickets can undermine the trust model of a Windows domain: if attackers can present forged tickets, they may appear as valid privileged users across multiple systems. For leaders, the key decision is whether the organization has enough Kerberos and Windows logon visibility to distinguish normal authentication from abnormal ticket lifetimes, legacy encryption use, malformed logon fields, or service ticket activity that does not line up with expected ticket-granting behavior.

Executive priority

Prioritize this as an identity and business-resilience control validation item for Windows environments using Kerberos. The business question is not simply whether a rule exists, but whether SOC and IR teams can prove they collect and correlate the authentication evidence needed to investigate forged-ticket activity. This supports incident decision-making, privileged-access assurance, audit evidence around identity monitoring, and budget prioritization for Windows domain logging and detection engineering.

Technical view

For SOC and detection teams, validate correlation logic around Windows Kerberos behavior described by AN0405: anomalous Kerberos ticket lifetimes, unexpected encryption types such as RC4 in modern domains, malformed fields in logon/logoff events, TGS requests without preceding TGT requests, and unusual elevated-privilege access patterns across multiple systems. Because no official detection implementation is supplied, teams should treat this as a detection-engineering requirement rather than a ready-to-deploy rule. Tune against local Kerberos policy, domain functional expectations, encryption standards, and known administrative workflows.

Likely telemetry

Windows Kerberos authentication events related to TGT and TGS activity
Windows logon and logoff events
Kerberos ticket lifetime and encryption-type details where available
Privileged account access activity across multiple Windows systems
Correlation data linking ticket requests, logon sessions, accounts, hosts, and services

Detection direction

Confirm that Kerberos TGT and TGS activity can be correlated by account, host, time, and service; gaps here will limit the value of the analytic.
Baseline expected ticket lifetimes and encryption types for the Windows domain before treating deviations as high confidence.
Review RC4 or other unexpected encryption-type usage carefully, accounting for legacy systems or compatibility exceptions that may create false positives.
Look for TGS requests without a preceding TGT request in the available telemetry, while validating whether log retention, collection delays, or missing domain controller logs could explain the sequence.
Correlate anomalous ticket indicators with elevated access across multiple systems to improve triage quality and reduce isolated-event noise.

Mitigation priorities

First, ensure Windows domain authentication telemetry is collected centrally and retained long enough for correlation and incident response.
Next, validate Kerberos policy expectations, including ticket lifetime and encryption standards, so detection logic has an accurate baseline.
Then, reduce unnecessary legacy encryption exposure where business-compatible, especially where modern domain expectations make RC4 unusual.
Strengthen privileged account monitoring and review abnormal elevated access across multiple systems.
Use tabletop or detection-validation exercises to confirm SOC and IR teams can investigate suspected forged-ticket activity from available evidence.

Analyst notes and limits

AN0405 is a detection analytic for Windows focused on forged Kerberos Golden Ticket detection. The supplied ATT&CK object provides a useful behavioral description but no official detection logic, no tactics, and no relationship context. Glexia would treat this as a high-value identity detection validation theme rather than a complete rule specification.

This take is limited to the supplied STIX fields and external reference. No active exploitation, attribution, affected customer exposure, or guaranteed detection coverage is implied. Local domain configuration, encryption policy, logging scope, and retention determine whether the described analytic can be implemented reliably.

Official MITRE ATT&CK definition

Analytic 0405

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 10bcf974a6c244bf...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`10bcf974a6c2…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0405
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use