Pass-the-Ticket
Pass-the-ticket is a credential theft technique in which an adversary reuses stolen Kerberos tickets to authenticate to resources (e.g. file shares and other computers) as a user without ever knowing that user’s password. Adversaries typically use it to move laterally through an organization’s network while hunting for opportunities to escalate privileges or complete their mission.
Both ticket-granting service (TGS) tickets, also called service tickets, and ticket-granting tickets (TGTs) can be stolen and reused. Without administrative privileges, an adversary running code in a user’s session can extract that user’s TGT (through the “fake delegation” trick, in which the Kerberos API is asked to build a delegation-capable AP-REQ and the forwarded TGT is recovered from it) as well as every service ticket cached for that user. With local administrative privileges, an adversary can read the memory of the LSASS process and obtain all TGTs and service tickets cached on the system, for every logged-on user.
Threat Summary
Target: Active Directory
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detect: Medium
Mitigate: Hard
Respond: Medium
How Pass-the-Ticket Works
Detect, Mitigate, and Respond
Detect (Difficulty: Medium)
Endpoints and Active Directory are both sources of signals indicating active use of pass-the-ticket in an environment.
Detection on the endpoint is accomplished by:
- Detecting processes that open handles to, read from, or inject into LSASS.exe in order to retrieve or inject Kerberos tickets. Many Endpoint Detection and Response solutions are capable of this; or,
- Analyzing logged-on sessions for a mismatch between the logged-on user and the client name in that session’s Kerberos tickets. A ticket whose client principal is not the user of the logon session it sits in was injected, not obtained through a normal logon. We’ve created a proof-of-concept for this detection, written in PowerShell.
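The session/ticket mismatch check, as an added Python example (it is not the authors’ PowerShell proof-of-concept and is not code from the original page). It parses the output of `klist sessions` and `klist -li <luid>`; the sample outputs below are constructed approximations of what those commands print, and the hostname `WS01`, the domain `CORP` and the users `alice` and `dadmin` are invented. The SYSTEM and NETWORK SERVICE sessions are handled as a special case because their tickets legitimately belong to the computer account rather than to the displayed session user:

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Logon sessions whose Kerberos identity is the computer account (hostname$) rather
# than the session's displayed user name; without this they are false positives.
MACHINE_IDENTITY_SESSIONS = {"nt authority\\system", "nt authority\\network service"}

# One `klist sessions` line: "[n] Session <id> <LUID> <DOMAIN\user> <package>:<logontype>".
SESSION_RE = re.compile(
    r"^\[\d+\]\s+Session\s+\d+\s+(?P<luid>0:0x[0-9a-fA-F]+)\s+(?P<user>.+?)\s+\S+\s*$"
)
# One "Client:" line from `klist -li <luid>`: "Client: <name> @ <REALM>".
CLIENT_RE = re.compile(r"Client:\s*(?P<name>[^\s@]+)\s*@\s*(?P<realm>\S+)")

# Constructed sample of `klist sessions` output (format approximated, not captured).
SAMPLE_SESSIONS = """\
Current LogonId is 0:0x5a1c2
[0] Session 0 0:0x3e7 NT AUTHORITY\\SYSTEM Negotiate:Service
[1] Session 0 0:0x3e4 NT AUTHORITY\\NETWORK SERVICE Negotiate:Service
[2] Session 1 0:0x5a1c2 CORP\\alice Kerberos:Interactive
"""

# Constructed sample of `klist -li <luid>` output per session. alice's session holds a
# service ticket for dadmin: the signature of an injected (passed) ticket.
SAMPLE_TICKETS = {
    "0:0x3e7": "#0>\tClient: WS01$ @ CORP.LOCAL\n\tServer: krbtgt/CORP.LOCAL @ CORP.LOCAL\n",
    "0:0x3e4": "#0>\tClient: WS01$ @ CORP.LOCAL\n\tServer: ldap/dc01.corp.local @ CORP.LOCAL\n",
    "0:0x5a1c2": (
        "#0>\tClient: alice @ CORP.LOCAL\n\tServer: krbtgt/CORP.LOCAL @ CORP.LOCAL\n"
        "#1>\tClient: dadmin @ CORP.LOCAL\n\tServer: cifs/fs01.corp.local @ CORP.LOCAL\n"
    ),
}


def parse_sessions(text: str) -> Dict[str, str]:
    """Map each logon session LUID to the user name klist shows for it."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions[m["luid"]] = m["user"]
    return sessions


def ticket_clients(text: str) -> List[str]:
    """Client principal name (sAMAccountName form) of every cached ticket in a klist -li dump."""
    return [m["name"] for m in CLIENT_RE.finditer(text)]


def expected_client(session_user: str, hostname: str) -> str:
    """The principal a session's tickets should belong to."""
    if session_user.lower() in MACHINE_IDENTITY_SESSIONS:
        return f"{hostname}$"
    return session_user.split("\\", 1)[-1]


def find_mismatches(sessions_text: str, tickets_by_luid: Dict[str, str],
                    hostname: str) -> List[Tuple[str, str, str]]:
    """(luid, session user, ticket client) for every ticket whose client is not the session's user."""
    hits = []
    for luid, user in parse_sessions(sessions_text).items():
        want = expected_client(user, hostname).lower()
        for client in ticket_clients(tickets_by_luid.get(luid, "")):
            if client.lower() != want:
                hits.append((luid, user, client))
    return hits


def run_klist(*args: str) -> str:
    """Run klist.exe; an elevated prompt is needed to list other users' sessions."""
    return subprocess.run(["klist", *args], capture_output=True, text=True, check=True).stdout


def find_mismatches_live(hostname: str) -> List[Tuple[str, str, str]]:
    """Same check against the live host: `klist sessions`, then `klist -li 0x<luid>` per session."""
    sessions_text = run_klist("sessions")
    tickets = {luid: run_klist("-li", luid.split(":")[-1]) for luid in parse_sessions(sessions_text)}
    return find_mismatches(sessions_text, tickets, hostname)


if __name__ == "__main__":
    for luid, user, client in find_mismatches(SAMPLE_SESSIONS, SAMPLE_TICKETS, "WS01"):
        print(f"session {luid} ({user}) holds a ticket for {client}")
```

On the constructed sample the only hit is alice’s session holding a ticket for `dadmin`. The check is a point-in-time snapshot, so it has to be run periodically or on an EDR trigger; it also cannot tell who injected the ticket, only that the session’s tickets no longer match its logon.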
Detection in Active Directory can be accomplished by collecting and correlating several Kerberos event types:
- Build a ledger of when a ticket-granting ticket was issued to each user and from which endpoint (the Client Address field of the event). This requires auditing of “A Kerberos authentication ticket (TGT) was requested” (Event ID 4768, audit subcategory Kerberos Authentication Service) and “A Kerberos service ticket was renewed” (Event ID 4770, audit subcategory Kerberos Service Ticket Operations); the latter matters because a TGT renewal extends the ticket’s lifetime on that endpoint.
- Compare each ticket-granting service (TGS) request against the ledger to confirm that the requesting endpoint is one the user’s TGT was actually issued to. This requires auditing of “A Kerberos service ticket was requested” (Event ID 4769) and “A Kerberos service ticket was renewed” (Event ID 4770), both in the Kerberos Service Ticket Operations subcategory.
The volume of these events in all but the smallest environments is substantial, which makes manual analysis impractical; real-time, machine-driven correlation is the practical option. Note also that the theft and use of a single service ticket (TGS) cannot be detected within Active Directory at all: a stolen service ticket is presented directly to the target service and never touches a domain controller, so the KDC logs nothing. Only the target host’s own logon event records that use.
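The ledger correlation described in the two steps above, written out as an added Python example (not code from the original page or its authors). The events are constructed as plain dictionaries with the EventData field names the Security log uses (`TargetUserName`, `IpAddress`, `ServiceName`, `Status`); the domain `CORP.LOCAL`, the addresses and the users `alice` and `dadmin` are invented. The TGT lifetime is assumed to be the 10-hour domain default, since event 4768 does not carry it:

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# ASSUMPTION: 4768 does not log the TGT lifetime, so the domain default of 10 hours is used.
TGT_LIFETIME = timedelta(hours=10)


def norm_user(name: str) -> str:
    """4768 logs the sAMAccountName while 4769/4770 log user@REALM; compare them in one form."""
    return name.split("@", 1)[0].lower()


def norm_addr(ip: str) -> str:
    """The DC logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return ip[7:] if ip.startswith("::ffff:") else ip


class TicketLedger:
    """Tracks, per account, which client addresses currently hold an unexpired TGT."""

    def __init__(self) -> None:
        self.tgts: Dict[str, Dict[str, datetime]] = {}

    def _record(self, user: str, addr: str, t: datetime) -> None:
        self.tgts.setdefault(user, {})[addr] = t + TGT_LIFETIME

    def process(self, ev: dict) -> Optional[dict]:
        """Feed one event (oldest first); returns an alert for a TGS request with no matching TGT."""
        eid, t = ev["EventID"], ev["TimeCreated"]
        user, addr = norm_user(ev["TargetUserName"]), norm_addr(ev["IpAddress"])
        if eid == 4768:
            # A failed AS-REQ (Status other than 0x0, e.g. 0x18 for a bad password) issued no TGT.
            if ev.get("Status", "0x0") == "0x0":
                self._record(user, addr, t)
        elif eid == 4770 and ev["ServiceName"].lower().startswith("krbtgt"):
            # Renewing the TGT extends its life on the same endpoint; service ticket renewals are ignored.
            self._record(user, addr, t)
        elif eid == 4769:
            live = sorted(a for a, exp in self.tgts.get(user, {}).items() if exp > t)
            if addr not in live:
                return {"time": t, "user": user, "addr": addr,
                        "service": ev["ServiceName"], "tgt_addrs": live}
        return None


def scan(events: List[dict]) -> List[dict]:
    """Run the ledger over a batch of events from all domain controllers, in time order."""
    ledger = TicketLedger()
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        alert = ledger.process(ev)
        if alert:
            alerts.append(alert)
    return alerts


def ts(hh: int, mm: int) -> datetime:
    return datetime(2024, 3, 1, hh, mm)  # constructed timestamps


# Constructed sample: dadmin's TGT is issued to 10.0.0.20, then a service ticket for dadmin
# is requested from alice's workstation 10.0.0.50, which only ever held a TGT for alice.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": ts(8, 0), "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "krbtgt", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": ts(8, 5), "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "cifs/fs01.corp.local"},
    {"EventID": 4768, "TimeCreated": ts(8, 10), "TargetUserName": "dadmin", "IpAddress": "::ffff:10.0.0.20", "ServiceName": "krbtgt", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": ts(8, 12), "TargetUserName": "dadmin@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.20", "ServiceName": "cifs/fs01.corp.local"},
    {"EventID": 4769, "TimeCreated": ts(8, 30), "TargetUserName": "dadmin@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "ldap/dc01.corp.local"},
    {"EventID": 4770, "TimeCreated": ts(17, 30), "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "krbtgt"},
    {"EventID": 4769, "TimeCreated": ts(18, 30), "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.50", "ServiceName": "cifs/fs01.corp.local"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['time']} {a['user']} requested {a['service']} from {a['addr']}; TGT held only at {a['tgt_addrs']}")
```

On the sample this raises exactly one alert, for dadmin at 08:30; alice’s 18:30 request is accepted because the 17:30 renewal extended her TGT past its original 18:00 expiry. In production the ledger must be fed events from every domain controller, because the TGT may be issued by one DC and the service ticket requested from another; a user with TGTs on several endpoints is handled by keeping one entry per address. Expect false positives where the DC sees a translated address (VPN pools, NAT), and where DC clocks are skewed against the collector.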
Mitigate (Difficulty: Hard)
While pass-the-ticket cannot be entirely eliminated, the best mitigations focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:
- Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard uses virtualization-based security to isolate credential storage so that only trusted processes can access it. This blocks the LSASS-dumping path to TGTs and NTLM hashes, but it does not stop an adversary who already runs code in a user’s session from using that session’s tickets through the normal Kerberos APIs, which is why the following two mitigations still matter.
- Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.
Respond (Difficulty: Medium)
Should the use of pass-the-ticket be detected, there are several actions one can take to immediately respond:
- Reset the compromised user’s password and disable the account. The reset alone does not invalidate tickets that have already been issued; disabling the account a) forces urgent replication to all domain controllers, and b) stops the stolen TGT from obtaining new service tickets once the KDC re-checks the account (it re-validates account status on service ticket requests for TGTs older than about 20 minutes). Service tickets already in the adversary’s hands remain usable against their target service until they expire.
- Reset the passwords of all users, including service accounts, who have logged on to an impacted machine, since their tickets were equally exposed in its LSASS memory.
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities.
- Activate the incident response process and alert the response team.