Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1445: Analytic 1445

Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences.

EnterpriseAN1445AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant where macOS systems participate in Kerberos-based authentication. Its decision value is in validating whether the organization can see suspicious ticket-use patterns, such as potential forged or replayed Kerberos tickets, through macOS Unified Logs and authentication-sequence correlation. For leaders, the key issue is not the analytic name itself, but whether identity abuse on macOS endpoints would produce evidence the SOC can collect, retain, and investigate quickly.

Executive priority

Prioritize this as an identity and endpoint visibility question for macOS environments that rely on Kerberos. Executives and security leaders should ask whether authentication monitoring includes macOS Unified Logs, whether SOC workflows can correlate kinit/klist activity with broader login context, and whether incident responders have enough retained evidence to distinguish abnormal ticket behavior from legitimate administrative or user activity. This supports operational resilience, incident decision-making, and audit evidence around identity monitoring controls.

Technical view

ATT&CK describes this detection analytic as monitoring macOS Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences to detect attempts to forge or replay Kerberos tickets. SOC and detection engineering teams should validate that macOS Unified Logs are collected from relevant endpoints, that kinit and klist activity is parsed or searchable, and that authentication events can be correlated over time and across hosts/users. Because no tactics, relationships, or detailed detection logic are supplied, local baselining is required to define what constitutes unusual sequencing in the environment.

Likely telemetry

  • macOS Unified Logs from Kerberos-capable endpoints
  • Command or process activity related to kinit and klist where available
  • Authentication event timing and sequence data
  • User, host, and account context associated with Kerberos activity
  • Log retention sufficient to compare current authentication behavior with recent historical patterns

Detection direction

  • Confirm that macOS Unified Logs are actually collected, normalized, retained, and available to the SOC for relevant systems.
  • Validate visibility into kinit/klist activity and whether it can be correlated with user, host, and authentication context.
  • Baseline legitimate Kerberos usage on macOS to reduce false positives from normal administrative, troubleshooting, or application-driven authentication activity.
  • Look for unusual authentication sequences rather than isolated events, since the supplied analytic emphasizes correlation.
  • Document blind spots where macOS systems are not enrolled, Unified Logs are not forwarded, or authentication context is fragmented across tools.

Mitigation priorities

  • Ensure macOS endpoint logging and centralized collection are in place before relying on this analytic operationally.
  • Strengthen identity monitoring processes around Kerberos authentication, including investigation procedures for suspicious ticket activity.
  • Review access, account hygiene, and administrative practices for users and systems that rely on Kerberos.
  • Align incident response playbooks so analysts know how to triage anomalous kinit/klist activity and preserve relevant logs.
  • Use detection validation exercises to confirm the SOC can correlate endpoint and authentication evidence without assuming coverage.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique or procedure. It is scoped to macOS and describes detection intent at a high level: monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences. No relationship context, tactic mapping, or official detection logic was provided, so the strongest use is as a validation prompt for macOS Kerberos telemetry and SOC correlation capability.

This take is limited to the official STIX fields, external reference, and the absence of supplied relationships. It does not establish active exploitation, adversary attribution, business exposure, or guaranteed detection. Local Kerberos architecture, macOS fleet coverage, log configuration, retention, and normal administrative behavior are required to determine practical risk and detection quality.

Official MITRE ATT&CK definition

Analytic 1445

Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
2e0c1934146d4d5f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 2e0c1934146d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1445
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use