Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
When preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)
A Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)
A Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)
Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement provide protection from adversaries that may possibly use stolen Kerberos tickets. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1550.003 | Pass the Ticket | |
| CM-06 | Configuration Settings | mitigates | T1550.003 | Pass the Ticket | |
| CM-05 | Access Restrictions for Change | mitigates | T1550.003 | Pass the Ticket | |
| IA-05 | Authenticator Management | mitigates | T1550.003 | Pass the Ticket | |
| CM-02 | Baseline Configuration | mitigates | T1550.003 | Pass the Ticket | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1550.003 | Pass the Ticket | |
| SI-04 | System Monitoring | mitigates | T1550.003 | Pass the Ticket | |
| AC-02 | Account Management | mitigates | T1550.003 | Pass the Ticket | |
| AC-03 | Access Enforcement | mitigates | T1550.003 | Pass the Ticket | |
| AC-05 | Separation of Duties | mitigates | T1550.003 | Pass the Ticket | |
| AC-06 | Least Privilege | mitigates | T1550.003 | Pass the Ticket |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1550.003 | Pass the Ticket |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1550.003 | Pass the Ticket |
Comments
This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.
This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.
References
|
| EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1550.003 | Pass the Ticket |
Comments
This control's "Reduce lateral movement path risk to sensitive entities" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped as Partial.
References
|
| DEF-LM-E5 | Lateral Movements | Technique Scores | T1550.003 | Pass the Ticket |
Comments
Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.
References
|