MITRE ATT&CK® Analytic

AN0675: Analytic 0675

Detects forged Kerberos Silver Tickets by identifying anomalous Kerberos service ticket activity such as malformed fields in logon events, TGS requests without interaction with the KDC, and access attempts using service accounts outside expected hosts/resources. Also monitors suspicious processes accessing LSASS memory for credential dumping.

Enterprise | AN0675 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0675 is a Windows-focused detection analytic for signs that Kerberos service tickets may have been forged, commonly framed as Silver Ticket activity. A Silver Ticket is a service ticket forged offline with the target service account's Kerberos key (usually a computer account's) and presented directly to the service, so the KDC never issues or sees it. Its business value is that forged service tickets undermine trust in domain authentication: an attacker holding one service key can impersonate any user, including privileged ones, to that service without a domain controller ever validating the request. For leaders, the key question is not just whether a rule exists, but whether Windows logon, Kerberos service-ticket, service-account usage, and LSASS access telemetry are collected well enough to support investigation.

Executive priority

Prioritize this analytic where Active Directory-backed Windows services are material to business operations. It supports resilience and audit readiness by testing whether the organization can recognize abnormal service-ticket use, misuse of service accounts outside expected hosts or resources, and possible credential-dumping precursor behavior. This is especially relevant for incident response decision-making because weak Kerberos visibility can delay confirmation of identity compromise and lateral access.

Technical view

SOC and detection engineering teams should validate visibility for anomalous Kerberos service-ticket activity on Windows. Because a Silver Ticket never passes through the KDC, the concrete signal is a Kerberos network logon on the target host (Security Event ID 4624, logon type 3, authentication package Kerberos) with no corresponding service-ticket request (Event ID 4769) on any domain controller for that account and service. Malformed fields are a second lead: common forging tools leave the Account Domain field of the resulting 4624/4672 events blank or set to the DNS domain name, where a genuine Kerberos logon carries the NetBIOS domain name. The third theme is service-account logons from hosts, or to resources, outside that account's documented use. The analytic also points to suspicious process access to LSASS memory (for example Sysmon Event ID 10 with lsass.exe as the target image) as related credential-theft context, since the service account key needed to forge the ticket is typically obtained by dumping it. Because no official detection logic is supplied, teams must map this behavior to their available Windows security events, Kerberos telemetry, endpoint process telemetry, and service-account baselines.

Likely telemetry

  • Windows logon events with Kerberos-related fields (Security Event ID 4624 with logon type 3 and authentication package Kerberos; 4672 for privileged logons)
  • Kerberos service ticket / TGS request telemetry from domain controllers (Event ID 4769)
  • Evidence of whether expected KDC interaction occurred, which means the 4769 lookup must cover every domain controller, since any of them can serve the TGS request
  • Service-account authentication and resource-access records
  • Host and resource baselines for where service accounts are expected to be used
  • Endpoint process-access telemetry for LSASS (Sysmon Event ID 10, or Security 4656/4663 with an audit SACL on the LSASS process)

Detection direction

  • Confirm Windows Kerberos and logon telemetry is centrally collected (4769 from all domain controllers, 4624/4672 from member hosts) and retained long enough for incident response.
  • Baseline normal service-account host and resource usage before alerting on out-of-pattern access.
  • Correlate anomalous service-ticket activity with endpoint evidence of suspicious LSASS memory access where available.
  • Tune for known administrative tools, backup agents, service platforms, and scheduled tasks that legitimately use service accounts across hosts.
  • Treat missing KDC interaction or malformed Kerberos/logon fields as investigation leads, not standalone proof, because the official object does not provide rule logic or thresholds.
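As an added example (not part of the official ATT&CK object or of Glexia's text), the following Python script runs the detection themes from the technical view, telemetry and detection-direction sections over a handful of constructed sample events: Kerberos network logons (4624) with no preceding service-ticket request (4769) on a domain controller, logons whose account domain is blank or an FQDN, service-account logons outside a per-account host baseline, and Sysmon Event ID 10 LSASS access from non-allowlisted processes, correlated back to the logon's source host. The event records, the NetBIOS name CORP, the baseline, the host-to-IP map and the LSASS allowlist are all assumptions made for illustration; a real deployment would pull these from the SIEM and the service-account inventory.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Keys are shortened versions of
# the Windows Security (4624/4769) and Sysmon (Event ID 10) fields they stand for.
EVENTS = [
    # DC01 issues a service ticket for svc_backup to FILE01 (4769, ServiceName=FILE01$)
    {"host": "DC01", "id": 4769, "time": "2024-05-01T10:00:00", "user": "svc_backup",
     "domain": "CORP", "service": "FILE01$", "ip": "10.0.0.50"},
    # ...and FILE01 records the matching Kerberos network logon two seconds later
    {"host": "FILE01", "id": 4624, "time": "2024-05-01T10:00:02", "user": "svc_backup",
     "domain": "CORP", "logon_type": 3, "auth": "Kerberos", "ip": "10.0.0.50"},
    # SQL01 records a Kerberos logon no DC ever issued a ticket for, and the account
    # domain is an FQDN rather than the NetBIOS name: two Silver Ticket indicators
    {"host": "SQL01", "id": 4624, "time": "2024-05-01T10:05:00", "user": "Administrator",
     "domain": "corp.local", "logon_type": 3, "auth": "Kerberos", "ip": "10.0.0.77"},
    # svc_sql is legitimately ticketed but used on WEB01, outside its baseline
    {"host": "DC01", "id": 4769, "time": "2024-05-01T10:10:00", "user": "svc_sql",
     "domain": "CORP", "service": "WEB01$", "ip": "10.0.0.60"},
    {"host": "WEB01", "id": 4624, "time": "2024-05-01T10:10:01", "user": "svc_sql",
     "domain": "CORP", "logon_type": 3, "auth": "Kerberos", "ip": "10.0.0.60"},
    # Sysmon 10 on WKS77 (10.0.0.77): an unknown binary opened LSASS shortly before
    {"host": "WKS77", "id": 10, "time": "2024-05-01T09:58:00",
     "source_image": "C:\\Users\\bob\\Downloads\\x.exe",
     "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1010"},
    # ...and a Defender process doing the same, which the allowlist should suppress
    {"host": "WKS77", "id": 10, "time": "2024-05-01T09:59:00",
     "source_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1010"},
]

# Assumed environment facts (hypothetical): NetBIOS domain name, per-account host
# baseline, host-to-IP map, and processes allowed to open LSASS.
NETBIOS_DOMAIN = "CORP"
SERVICE_ACCOUNT_BASELINE = {"svc_backup": {"FILE01", "FILE02"}, "svc_sql": {"SQL01"}}
HOST_IPS = {"WKS77": "10.0.0.77", "FILE01": "10.0.0.50", "WEB01": "10.0.0.60"}
LSASS_ALLOWLIST = {r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"}


def _t(e):
    return datetime.fromisoformat(e["time"])


def kerberos_logons(events):
    """4624 network logons authenticated with Kerberos: the only events a forged
    service ticket can produce on the target host."""
    return [e for e in events if e["id"] == 4624 and e.get("auth") == "Kerberos"
            and e.get("logon_type") == 3]


def logons_without_tgs(events, window=timedelta(minutes=5)):
    """Kerberos logons with no 4769 for (user, host$) on any DC in the preceding
    window. A genuine service ticket is always preceded by a TGS request."""
    tgs = [e for e in events if e["id"] == 4769]
    return [lo for lo in kerberos_logons(events)
            if not any(t["user"] == lo["user"] and t["service"] == lo["host"] + "$"
                       and timedelta(0) <= _t(lo) - _t(t) <= window for t in tgs)]


def malformed_domain_logons(events):
    """Forging tools often leave the account domain blank or use the DNS name;
    legitimate Kerberos logons carry the NetBIOS name."""
    return [e for e in kerberos_logons(events)
            if e.get("domain", "") == "" or e["domain"].upper() != NETBIOS_DOMAIN]


def out_of_baseline_service_use(events, baseline=SERVICE_ACCOUNT_BASELINE):
    """Inventoried service accounts logging on to hosts outside their documented set."""
    return [e for e in kerberos_logons(events)
            if e["user"] in baseline and e["host"] not in baseline[e["user"]]]


def suspicious_lsass_access(events, allowlist=LSASS_ALLOWLIST):
    """Sysmon Event ID 10 where a non-allowlisted process opened lsass.exe."""
    return [e for e in events if e["id"] == 10
            and e["target_image"].lower().endswith("\\lsass.exe")
            and e["source_image"] not in allowlist]


def silver_ticket_leads(events, window=timedelta(minutes=5),
                        lsass_window=timedelta(minutes=30)):
    """Tag each logon with the indicators it trips and attach LSASS access seen on
    the logon's source host within lsass_window. Most-indicators-first ordering."""
    flags = (("no_tgs_request", logons_without_tgs(events, window)),
             ("malformed_domain", malformed_domain_logons(events)),
             ("outside_baseline", out_of_baseline_service_use(events)))
    flagged = [(name, {id(e) for e in hits}) for name, hits in flags]
    lsass = suspicious_lsass_access(events)
    ip_to_host = {ip: h for h, ip in HOST_IPS.items()}
    leads = []
    for lo in kerberos_logons(events):
        reasons = [name for name, ids in flagged if id(lo) in ids]
        if not reasons:
            continue
        src = ip_to_host.get(lo["ip"])
        dumps = [e["source_image"] for e in lsass if e["host"] == src
                 and timedelta(0) <= _t(lo) - _t(e) <= lsass_window]
        leads.append({"host": lo["host"], "user": lo["user"], "reasons": reasons,
                      "lsass_access_from_source": dumps})
    return sorted(leads, key=lambda lead: -len(lead["reasons"]))


if __name__ == "__main__":
    for lead in silver_ticket_leads(EVENTS):
        print(lead)
```

Running the script prints two leads: the SQL01 logon trips both the missing-4769 and the FQDN-domain checks and is correlated with the LSASS access from WKS77, while the WEB01 logon is only a baseline violation. The two window values are the tunable thresholds the official object does not specify; the 4769 search has to span every domain controller, and the per-account baseline and LSASS allowlist are where the tuning for backup agents, management platforms and EDR products from the detection direction above is applied.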

Mitigation priorities

  • Inventory service accounts and document expected hosts, services, and resources for each account.
  • Restrict service-account use to expected systems and remove unnecessary access paths where operationally feasible; rotate service and computer account passwords, since a forged ticket only works while the key it was forged with is still current.
  • Reduce credential exposure on Windows endpoints by controlling and monitoring process access to LSASS (for example, running LSASS as a protected process via RunAsPPL and enabling Credential Guard where the platform supports it).
  • Ensure Kerberos, Windows logon, endpoint process, and service-account activity logs are available to the SOC and incident responders.
  • Use this analytic as a validation point in identity security, incident response, and compliance evidence reviews for Active Directory environments.

Analyst notes and limits

The object is a detection analytic, not a technique or procedure description. It is explicitly scoped to Windows and describes detection themes for forged Kerberos Silver Tickets, abnormal service-ticket activity, unexpected service-account usage, and suspicious LSASS access. No ATT&CK tactics, relationships, data-source list, or official detection query are supplied, so implementation depends on local logging, directory architecture, and service-account baselines.

This take does not assert active exploitation, actor attribution, guaranteed detection, or coverage beyond Windows. Local validation is required to determine whether the necessary Kerberos, logon, service-account, and endpoint process telemetry exists.

Official MITRE ATT&CK definition

Analytic 0675

Detects forged Kerberos Silver Tickets by identifying anomalous Kerberos service ticket activity such as malformed fields in logon events, TGS requests without interaction with the KDC, and access attempts using service accounts outside expected hosts/resources. Also monitors suspicious processes accessing LSASS memory for credential dumping.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: e07d94840c4c0552...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | e07d94840c4c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0675 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.