Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
In this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)
Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)
Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1550.003 | Pass the Ticket | |
| AC-3 | Access Enforcement | Protects | T1550.003 | Pass the Ticket | |
| AC-5 | Separation of Duties | Protects | T1550.003 | Pass the Ticket | |
| AC-6 | Least Privilege | Protects | T1550.003 | Pass the Ticket | |
| CA-7 | Continuous Monitoring | Protects | T1550.003 | Pass the Ticket | |
| CM-2 | Baseline Configuration | Protects | T1550.003 | Pass the Ticket | |
| CM-5 | Access Restrictions for Change | Protects | T1550.003 | Pass the Ticket | |
| CM-6 | Configuration Settings | Protects | T1550.003 | Pass the Ticket | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1550.003 | Pass the Ticket | |
| IA-5 | Authenticator Management | Protects | T1550.003 | Pass the Ticket | |
| SI-4 | System Monitoring | Protects | T1550.003 | Pass the Ticket |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1550.003 | Pass the Ticket |
Comments
This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.
This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.
References
|
| azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1550.003 | Pass the Ticket |
Comments
This control's "Reduce lateral movement path risk to sensitive entities" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped as Partial.
References
|