AN1443: Analytic 1443
Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests without corresponding TGT requests. Also detects suspicious processes accessing LSASS memory for ticket extraction.
Analyst context for executives and security teams
AN1443 is a Windows detection analytic focused on suspicious Kerberos activity that can indicate forged, stolen, or improperly requested tickets, plus process access to LSASS that may support ticket extraction. For leaders, the value is not just “detect Kerberos abuse,” but validating whether identity telemetry is strong enough to spot attacks that can bypass normal password-based controls and enable lateral movement using trusted authentication artifacts.
Executive priority
Prioritize this analytic where Windows Active Directory and Kerberos are material to business operations. It supports identity security, SOC readiness, incident response scoping, and audit evidence by testing whether teams can correlate Kerberos ticket anomalies with endpoint behavior such as LSASS access. The key executive question is whether authentication logs and endpoint telemetry are collected, retained, and correlated well enough to investigate suspected ticket theft or forgery before it becomes a broader operational incident.
Technical view
For SOC and detection engineering teams, validate coverage on Windows for the behaviors named in the official description: malformed fields in logon events, RC4-encrypted TGTs, TGS requests without corresponding TGT requests, and suspicious process access to LSASS memory. Because no official detection logic is provided, implementation should be treated as a local engineering task requiring baseline-aware correlation across domain controller authentication events and endpoint process/memory-access telemetry.
Likely telemetry
- Windows logon and authentication events
- Domain controller Kerberos TGT request telemetry
- Domain controller Kerberos TGS request telemetry
- Kerberos encryption type details, including RC4 usage
- Fields in logon events that may indicate malformed or anomalous ticket data
Detection direction
- Confirm that Kerberos TGT and TGS request events are collected from relevant Windows domain controllers and can be correlated by account, host, time, and ticket-related fields.
- Validate whether RC4-encrypted TGT activity is expected in the environment before treating it as suspicious; legacy systems may create false positives.
- Look for TGS requests without corresponding TGT requests, but tune for log gaps, retention differences, domain controller coverage gaps, and time synchronization issues.
- Correlate Kerberos anomalies with endpoint evidence of suspicious LSASS memory access to increase confidence.
- Document blind spots where endpoint telemetry, domain controller logs, or field-level Kerberos details are missing.
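The two correlations above (RC4-encrypted TGTs and TGS requests with no preceding TGT) as an added Python illustration, not the analytic's official logic, which ATT&CK does not supply. It uses the standard Windows event IDs 4768 (TGT requested) and 4769 (TGS requested) and the Kerberos encryption type code 0x17 (RC4-HMAC); the events, account names, the baseline allow-list and the 10-hour correlation window are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard Windows Security log values (not page-specific):
EVENT_TGT_REQUESTED = 4768   # "A Kerberos authentication ticket (TGT) was requested"
EVENT_TGS_REQUESTED = 4769   # "A Kerberos service ticket was requested"
RC4_HMAC = "0x17"            # Ticket Encryption Type for RC4-HMAC

@dataclass
class KerbEvent:
    ts: datetime
    event_id: int
    account: str
    client_ip: str
    enc_type: str            # Ticket Encryption Type field, e.g. "0x12" (AES256)

# Constructed sample events (assumed, not real telemetry): alice behaves normally,
# bob gets an RC4 TGT, carol requests a TGS with no TGT seen, svc_legacy is a
# known RC4-only service account that the baseline allow-list should suppress.
SAMPLE_EVENTS = [
    KerbEvent(datetime(2024, 1, 1, 9, 0, 0), EVENT_TGT_REQUESTED, "alice", "10.0.0.5", "0x12"),
    KerbEvent(datetime(2024, 1, 1, 9, 0, 5), EVENT_TGS_REQUESTED, "alice", "10.0.0.5", "0x12"),
    KerbEvent(datetime(2024, 1, 1, 9, 1, 0), EVENT_TGT_REQUESTED, "bob", "10.0.0.6", "0x17"),
    KerbEvent(datetime(2024, 1, 1, 9, 2, 0), EVENT_TGS_REQUESTED, "carol", "10.0.0.7", "0x12"),
    KerbEvent(datetime(2024, 1, 1, 9, 2, 0), EVENT_TGT_REQUESTED, "svc_legacy", "10.0.0.8", "0x17"),
]

def rc4_tgt_findings(events, allowed_rc4_accounts=frozenset()):
    """Accounts issued an RC4-HMAC TGT, minus accounts baselined as legitimately RC4-only."""
    return sorted({e.account for e in events
                   if e.event_id == EVENT_TGT_REQUESTED
                   and e.enc_type.lower() == RC4_HMAC
                   and e.account not in allowed_rc4_accounts})

def tgs_without_tgt_findings(events, window=timedelta(hours=10)):
    """TGS requests with no TGT request from the same account and client within `window`.

    The window is an assumption: it should cover the domain's TGT lifetime (10 h by
    default in AD) plus tolerance for collection gaps and clock skew, otherwise
    ordinary renewals and missing DC logs show up as false positives."""
    last_tgt = {}   # (account, client_ip) -> timestamp of most recent TGT request
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.account, e.client_ip)
        if e.event_id == EVENT_TGT_REQUESTED:
            last_tgt[key] = e.ts
        elif e.event_id == EVENT_TGS_REQUESTED:
            seen = last_tgt.get(key)
            if seen is None or e.ts - seen > window:
                findings.append((e.account, e.client_ip, e.ts))
    return findings
```

In production the correlation key would usually also include the client address and TGT-issuing domain controller, since a single DC's log only sees the TGTs it issued itself.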
Mitigation priorities
- Strengthen collection and retention of Windows authentication and Kerberos telemetry from domain controllers.
- Ensure endpoint monitoring can identify unusual process access to LSASS memory.
- Reduce unnecessary legacy Kerberos configurations where feasible, especially where RC4 use is not business-required.
- Create incident response procedures for suspected Kerberos ticket theft or forgery, including identity containment and affected-host investigation.
- Use detection validation exercises to prove that SOC workflows can correlate authentication anomalies with endpoint activity.
Analyst notes and limits
This object is a detection analytic, not a technique. It provides a useful behavioral description but no ATT&CK tactic, relationship context, or official detection query. The practical value is in using the description as a validation target for identity-focused detection engineering across Windows Kerberos and LSASS-related endpoint telemetry.
The supplied ATT&CK fields do not include official detection logic, related techniques, adversary relationships, mitigations, or procedure examples. Any production rule, severity model, or response playbook must be based on local Active Directory architecture, logging coverage, endpoint controls, and known legitimate Kerberos behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 18dfde34d23b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1443
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.