AN0444: Analytic 0444
Detects Kerberoasting attempts by monitoring for anomalous Kerberos TGS requests (Event ID 4769) with RC4 encryption (etype 0x17), accounts requesting an unusual number of service tickets in a short period, or service accounts targeted outside normal usage baselines. Also correlates suspicious process activity (e.g., Mimikatz invoking LSASS access) with Kerberos ticket anomalies.
Analyst context for executives and security teams
This analytic matters because Kerberoasting-style activity can turn normal Windows Kerberos service ticket requests into a credential risk for privileged or business-critical service accounts. For leaders, the value is not simply detecting one tool or event ID; it is validating whether the organization can see abnormal service ticket request patterns, weak RC4 ticket usage, and related suspicious process activity before compromised credentials affect continuity or incident response scope.
Executive priority
Prioritize this as an identity and SOC readiness question for Windows environments: do teams have reliable domain controller security logs, baselines for normal service ticket use, and a process for investigating unusual access to service accounts? The business decision is whether existing logging, detection engineering, and service account governance provide enough evidence to support rapid containment, audit defensibility, and credential risk reduction.
Technical view
ATT&CK describes AN0444 as a Windows detection analytic for Kerberoasting attempts using Kerberos TGS request monitoring, especially Windows Security Event ID 4769 with RC4 encryption type 0x17, unusual volumes of service ticket requests over a short period, service accounts targeted outside normal baselines, and correlation with suspicious process activity such as LSASS access associated with Mimikatz-like behavior. SOC and detection teams should validate domain controller logging, normalize 4769 fields, baseline service principal usage, and correlate ticket anomalies with endpoint process telemetry where available. No ATT&CK tactic or relationship context was supplied, so implementation should be tied to local identity architecture and known service account patterns.
Likely telemetry
- Windows Security Event ID 4769 from domain controllers
- Kerberos TGS request fields, including encryption type and requested service account or SPN context
- Counts and timing of service ticket requests by requesting account and source host
- Baselines for normal service account and service ticket usage
- Endpoint process telemetry showing suspicious LSASS access or credential-tool-like behavior, where collected
Detection direction
- Validate that Event ID 4769 is collected from relevant Windows domain controllers and retained long enough for investigation.
- Tune for RC4 encryption type 0x17 in TGS requests, while accounting for legitimate legacy dependencies that may create false positives.
- Create baselines for normal service ticket request volume by account, source, service account, and time window; alert on unusual spikes rather than single events alone.
- Identify service accounts targeted outside normal usage patterns, especially where the requester, source host, or service account relationship is unexpected.
- Correlate Kerberos ticket anomalies with endpoint evidence of suspicious LSASS access when endpoint telemetry is available.
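The following Python is an added worked example, not part of the ATT&CK object or of Glexia's page, showing how the three detection directions above (RC4 etype 0x17 with a legacy allowlist, a burst of distinct service accounts per requester in a short window, and a requester outside the per-service-account baseline) can be applied to Event ID 4769 records once they have been normalized. The sample events, the baseline, the allowlist and the 5-in-5-minutes burst threshold are all constructed for illustration; the field names follow the 4769 XML (TargetUserName is the requesting account, ServiceName the account whose SPN was requested), but any real deployment would read them from the SIEM's own schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"  # Event 4769 TicketEncryptionType value for RC4-HMAC

# Constructed sample events (hypothetical, not real log data). Field names
# mirror the Windows Security Event ID 4769 XML.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:05", "TargetUserName": "webapp", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.11"},
    {"time": "2024-01-01T09:01:00", "TargetUserName": "legacyapp", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.12"},
    {"time": "2024-01-01T09:10:00", "TargetUserName": "jdoe", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:10:01", "TargetUserName": "jdoe", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:10:02", "TargetUserName": "jdoe", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:10:03", "TargetUserName": "jdoe", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:10:04", "TargetUserName": "jdoe", "ServiceName": "svc_reports",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:10:05", "TargetUserName": "jdoe", "ServiceName": "svc_ci",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:12:00", "TargetUserName": "jdoe", "ServiceName": "dc01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-01-01T09:30:00", "TargetUserName": "app01$", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
]

# Constructed baseline: which requesters normally ask for each service account's SPN.
BASELINE = {
    "svc_sql": {"webapp", "app01$"},
    "svc_backup": {"bkp01$"},
    "svc_legacy": {"legacyapp"},
}

# Constructed list of service accounts with a documented RC4-only dependency.
LEGACY_RC4_ALLOWLIST = frozenset({"svc_legacy"})


def is_interesting_spn(service_name):
    """Computer accounts and krbtgt use long random keys; they are noise for this analytic."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect(events, baseline, legacy_rc4_allowlist=frozenset(),
           window=timedelta(minutes=5), burst_threshold=5):
    """Return a list of findings, one dict per rule hit."""
    findings = []
    per_requester = defaultdict(list)  # requester -> [(time, service_name), ...]

    for ev in sorted(events, key=lambda e: e["time"]):
        spn = ev["ServiceName"]
        if not is_interesting_spn(spn):
            continue
        requester = ev["TargetUserName"]
        per_requester[requester].append((datetime.fromisoformat(ev["time"]), spn))

        # Rule 1: RC4 ticket request, unless the SPN is a known legacy dependency.
        if ev["TicketEncryptionType"] == RC4_ETYPE and spn not in legacy_rc4_allowlist:
            findings.append({"rule": "rc4_tgs_request", "requester": requester,
                             "service": spn, "source": ev["IpAddress"]})

        # Rule 3: requester is not in this service account's usage baseline.
        expected = baseline.get(spn)
        if expected is not None and requester not in expected:
            findings.append({"rule": "unexpected_requester", "requester": requester,
                             "service": spn, "source": ev["IpAddress"]})

    # Rule 2: burst of distinct service accounts requested by one account in a window.
    for requester, reqs in per_requester.items():
        peak = 0
        for i, (t_i, _) in enumerate(reqs):
            recent = {spn for t, spn in reqs[: i + 1] if t >= t_i - window}
            peak = max(peak, len(recent))
        if peak >= burst_threshold:
            findings.append({"rule": "tgs_burst", "requester": requester,
                             "distinct_services": peak,
                             "window_minutes": int(window.total_seconds() // 60)})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS, BASELINE, LEGACY_RC4_ALLOWLIST)
    for f in results:
        print(f)
    print(dict(summarize(results)))
```

On the constructed input, the legitimate AES requests and the allowlisted legacy RC4 request produce nothing, the computer-account SPN is filtered out, and the single requester that asks for six different service accounts within seconds trips all three rules. The burst rule is the one that survives an environment where RC4 is still common, which is why the detection direction above favours baselined spikes over single events.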
Mitigation priorities
- Inventory and govern Windows service accounts and their expected usage patterns so anomalies can be interpreted quickly.
- Reduce reliance on weak or legacy Kerberos encryption where operationally feasible, with attention to RC4 usage identified by the analytic.
- Ensure domain controller security logging and centralized collection support Event ID 4769 analysis.
- Strengthen incident response playbooks for suspected service account credential exposure, including account owner validation and containment decision points.
- Use findings from this analytic to prioritize service account hardening and detection engineering rather than treating the alert as a standalone indicator.
Analyst notes and limits
The supplied object is a detection analytic, not a full ATT&CK technique entry. It provides a clear Windows-focused analytic concept for Kerberos TGS anomalies and suspicious process correlation, but no official detection field, tactics, aliases, labels, or relationship context were supplied. Local baselines are essential because high service ticket volume and RC4 usage may be legitimate in some environments.
This take is limited to the supplied ATT&CK fields and external reference for AN0444. It does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Applicability outside Windows is not supported by the supplied platform field. Detection quality depends on local log collection, Kerberos configuration, endpoint telemetry, and service account context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8e0a2c995813… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0444
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.