Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
When preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)
A Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)
A Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)
Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement provide protection from adversaries that may possibly use stolen Kerberos tickets. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1550.003 | Pass the Ticket | |
| CM-06 | Configuration Settings | mitigates | T1550.003 | Pass the Ticket | |
| CM-05 | Access Restrictions for Change | mitigates | T1550.003 | Pass the Ticket | |
| IA-05 | Authenticator Management | mitigates | T1550.003 | Pass the Ticket | |
| CM-02 | Baseline Configuration | mitigates | T1550.003 | Pass the Ticket | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1550.003 | Pass the Ticket | |
| SI-04 | System Monitoring | mitigates | T1550.003 | Pass the Ticket | |
| AC-02 | Account Management | mitigates | T1550.003 | Pass the Ticket | |
| AC-03 | Access Enforcement | mitigates | T1550.003 | Pass the Ticket | |
| AC-05 | Separation of Duties | mitigates | T1550.003 | Pass the Ticket | |
| AC-06 | Least Privilege | mitigates | T1550.003 | Pass the Ticket |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1550.003 | Pass the Ticket |