Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
When preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)
A Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)
A Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)
Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-ptt | Intel Platform Trust Technology | Win 11, Credential Guard | T1550.003 | Pass the Ticket |
Comments
Credential Guard uses Intel VT-x for providing Virtualization-based security (VBS), to isolate secrets so that only privileged system software can access them. It isolates LSA-related processes and provides real-time protection against in-memory credential-stealing attempts. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot (Intel PTT and Intel Boot Guard) and virtualization, to protect credentials.
Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications such as domain credentials. However, it does not protect against all forms of credential dumping, such as registry dumping. Credential Guard benefits from enabling Secure Boot (BootGuard) and UEFI Lock. When Secure Boot is enabled, a secure and verified environment is established from the start of the boot process. With UEFI Lock, Credential Guard settings are stored in UEFI firmware, significantly increasing the difficulty of disabling Credential Guard through registry changes.
This is marked as significant since it uses VBS to isolate LSA related processes and provide real-time protection against in-memory credential stealing attempts.
References
|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1550.003 | Pass the Ticket |
Comments
Intel Threat Detection Technology (TDT) combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS) enhances cybersecurity defenses by enabling faster, real-time detection of Pass-the-Ticket (PTT) attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system impact.
Pass-the-Ticket (PTT) attacks involve attackers stealing and reusing Kerberos authentication tickets to gain unauthorized access to network resources. These attacks bypass traditional authentication mechanisms, making them a powerful tool for lateral movement within a network. Intel TDT plays a critical role in identifying these threats by providing deep, real-time detection of program execution, memory access, and control flow at the hardware level. This telemetry allows security teams to quickly detect abnormal behaviors, such as suspicious use of Kerberos tickets or unauthorized interactions with authentication processes, which are indicative of PTT activity.
Additionally, CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel Integrated GPU, ensuring faster, more efficient detection of malicious activity without compromising system performance. CAMS is capable of identifying and preventing suspicious behavior, such as the running of executables masquerading as legitimate files, or the execution of potentially malicious code involved in PTT attacks.
By combining Intel TDT’s real-time telemetry with AMS’s advanced memory scanning capabilities, this solution provides a powerful defense against evasive Pass-the-Ticket attacks.
References
|