Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1000: Analytic 1000

Detects unauthorized Kerberos ticket injection by correlating service ticket (TGS - 4769) requests with absent corresponding account logons (4624) and prior Ticket Granting Ticket (TGT - 4768) activity. Highlights anomalous service ticket generation chains involving unexpected users, hosts, or times, and suspicious injection of tickets via mimikatz-like tooling into LSASS memory. Behavior also includes network lateral movement using Kerberos authentication absent expected interactive logon patterns.

EnterpriseAN1000AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Kerberos ticket injection can let an attacker use Windows domain authentication in ways that do not look like a normal user logon. For executives and security leaders, the practical issue is whether the organization can prove that service ticket use matches expected account logon and TGT activity. If it cannot, lateral movement and unauthorized access may be harder to distinguish from legitimate domain activity.

Executive priority

Prioritize this as an Active Directory and SOC visibility validation item. The business decision is not simply whether Kerberos is monitored, but whether identity telemetry is correlated across domain controller events and endpoint activity well enough to support incident response, audit evidence, and lateral movement investigations. Leaders should ask whether Windows authentication logs are retained, normalized, and investigated for mismatched TGS, TGT, and logon patterns.

Technical view

For Windows environments, validate correlation across Kerberos service ticket requests, account logons, and prior TGT activity. The supplied analytic specifically references Windows event IDs 4769 for TGS requests, 4624 for account logons, and 4768 for TGT activity. SOC teams should look for service ticket generation chains where the expected account logon context is absent, or where users, hosts, or times are inconsistent with normal authentication behavior. IR teams should treat suspicious findings as identity and lateral movement leads, especially where Kerberos authentication appears without expected interactive logon patterns.

Likely telemetry

  • Windows Security event logs from domain controllers, especially Kerberos TGS request events such as 4769
  • Windows Security account logon events such as 4624 from relevant hosts and domain infrastructure
  • Kerberos TGT activity such as event 4768
  • Host and user context needed to compare expected users, systems, and authentication times
  • Endpoint evidence that may support investigation of suspicious LSASS memory interaction, where available

Detection direction

  • Validate that event IDs 4769, 4768, and 4624 are collected with enough retention and fidelity to correlate user, host, service, and time relationships.
  • Tune detections around mismatched chains: TGS activity without corresponding logon activity, unexpected users or hosts, unusual timing, or Kerberos authentication patterns inconsistent with normal access.
  • Expect false positives from incomplete log collection, delayed ingestion, service accounts, scheduled tasks, and legitimate non-interactive authentication patterns; document local baselines before escalating every mismatch.
  • Confirm whether endpoint visibility can support follow-up when ticket injection into LSASS memory is suspected, without assuming that Windows event logs alone prove tooling or intent.
  • Because no ATT&CK relationships were supplied, do not infer coverage against a specific technique beyond the behavior described in this analytic.

Mitigation priorities

  • First, ensure domain controller and Windows authentication logging is enabled, centralized, retained, and usable for correlation.
  • Second, establish baselines for normal Kerberos authentication by user, host, service, and time to reduce blind spots and false positives.
  • Third, strengthen SOC playbooks so suspicious Kerberos ticket chains trigger identity investigation, endpoint triage, and lateral movement scoping.
  • Fourth, review privileged and service account authentication patterns, because unusual Kerberos activity is most decision-relevant when tied to high-value identities or systems.
  • Finally, use findings to support compliance evidence around identity monitoring and incident response readiness, rather than treating this as a standalone alert rule.
Analyst notes and limits

This object is a detection analytic, not a technique description. The official description gives useful correlation logic, but the official detection field is not provided and no relationship context was supplied. Local Active Directory architecture, log retention, endpoint coverage, and service account behavior will determine how actionable this analytic is.

The source only supports Windows platform coverage and the described Kerberos event correlation. It does not provide tactics, related ATT&CK techniques, specific query logic, mitigations, prevalence, attribution, or evidence of active exploitation. Any implementation must be validated against local telemetry and authentication patterns.

Official MITRE ATT&CK definition

Analytic 1000

Detects unauthorized Kerberos ticket injection by correlating service ticket (TGS - 4769) requests with absent corresponding account logons (4624) and prior Ticket Granting Ticket (TGT - 4768) activity. Highlights anomalous service ticket generation chains involving unexpected users, hosts, or times, and suspicious injection of tickets via mimikatz-like tooling into LSASS memory. Behavior also includes network lateral movement using Kerberos authentication absent expected interactive logon patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
42c090417c51ceb2...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 42c090417c51…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1000
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use