Lateral Movement: Pass the ticket attack


Pass-the-ticket is an authentication exploit that uses stolen Kerberos tickets to authenticate to a domain without the account’s password. Also known as the forged ticket attack, it is one of the common and effective techniques for moving laterally within a network.

Valid Kerberos tickets can be extracted from LSASS memory on a system. Depending on their level of access on the system, the attacker can get hold of the user’s service tickets or ticket granting ticket (TGT). While the TGT can be used to get the required service tickets from the Ticket Granting Server, the service tickets are the actual key to accessing a specific critical server or service in the network.

The two popular exploits in this technique are the silver ticket and the golden ticket. Silver tickets are used to generate service tickets to access a particular service, such as MS SQL, and the system that hosts the service. Golden tickets, on the other hand, are used to generate TGTs for any account in Active Directory.

Forging Silver and Golden tickets

When the attacker steals the NTLM hash of a user account, they can forge silver tickets for all the services to which the user account has access.

On the other hand, if the attacker successfully steals the NTLM hash of the KRBTGT account, the service account of the Key Distribution Center (KDC), they can issue TGTs for any account in the domain. In this sense, a golden ticket is a forged Key Distribution Center (KDC) rather than a ticket.

The tools that can be used to carry out a pass-the-ticket attack on Windows include Mimikatz, Rubeus, and PsExec.

It's difficult to detect these attacks as the events look similar to any other normal authentication process. However, it isn't impossible.

Detecting Pass-the-ticket attack

You can monitor your network by auditing all Kerberos authentication events and reviewing them for discrepancies. For example, to investigate a pass-the-ticket attack at endpoints, carry out the following steps:

  1. Check for the current logon sessions for that system.
  2. Inspect the Kerberos ticket associated with that session.
  3. Check for Kerberos tickets that do not match.

During legitimate authentication to the domain, the following event IDs can be found in this order:

  • 4768 – A Kerberos authentication ticket (TGT) was requested
  • 4769 – A Kerberos service ticket was requested
  • 4770 – A Kerberos service ticket was renewed

If a request is made with a golden ticket, no request for a TGT is made. This implies that any authentication that logs only event ID 4769 and event ID 4770 is an indication of the presence of a golden ticket.
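The check described above can be sketched as a correlation over domain controller security events. This is an added example, not ManageEngine's or Log360's code: the record layout, account names, addresses and the 10-hour lookback (the default maximum TGT lifetime in domain policy) are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: default domain policy, maximum TGT lifetime of 10 hours.
TGT_LIFETIME = timedelta(hours=10)

def _account(name):
    """Normalize 'alice@CORP.EXAMPLE' (4769 style) and 'alice' (4768 style)."""
    return name.split("@", 1)[0].lower()

def tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return 4769/4770 events that have no 4768 for the same account
    inside the TGT lifetime window preceding them."""
    last_tgt = {}    # account -> time of its most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = _account(ev["account"])
        if ev["event_id"] == 4768:
            last_tgt[acct] = ev["time"]
        elif ev["event_id"] in (4769, 4770):
            issued = last_tgt.get(acct)
            if issued is None or ev["time"] - issued > lifetime:
                findings.append(ev)
    return findings

def _ev(ts, event_id, account, client, service=None):
    """Build one normalized record (hypothetical layout, not the raw event XML)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "client": client, "service": service}

# Constructed sample: events merged from all domain controllers, in any order.
SAMPLE = [
    _ev("2024-05-01T08:00:00", 4768, "alice", "10.0.0.21"),
    _ev("2024-05-01T08:00:05", 4769, "alice@CORP.EXAMPLE", "10.0.0.21", "cifs/fs01"),
    _ev("2024-05-01T12:00:00", 4770, "alice@CORP.EXAMPLE", "10.0.0.21", "cifs/fs01"),
    # No 4768 was ever logged for this account.
    _ev("2024-05-01T09:30:00", 4769, "svc_backup@CORP.EXAMPLE", "10.0.0.77", "MSSQLSvc/db01"),
    # Service ticket requested 11 hours after the last TGT request.
    _ev("2024-05-01T19:00:00", 4769, "alice@CORP.EXAMPLE", "10.0.0.21", "http/intranet"),
]

if __name__ == "__main__":
    for ev in tgs_without_tgt(SAMPLE):
        print(ev["time"], ev["event_id"], ev["account"], ev["client"], ev["service"])
```

Feed it events from every domain controller, because the TGT may have been issued by a different DC than the one that logged the service ticket request. Start the log window at least one TGT lifetime before the period under review, or sessions that began earlier will be flagged.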

ManageEngine Log360, a comprehensive SIEM solution, can help you detect these attacks with its powerful correlation engine, real-time event response system, and log forensic analysis capabilities. The solution quickly detects the indicators of compromise associated with the pass-the-ticket attack. It further enriches the detection by correlating other relevant events and thereby accurately alerts you when this attack occurs. And that's not all. Log360 comes bundled with a threat intelligence platform, user and entity behavior analytics, and a lot more.

  Zoho Corporation Pvt. Ltd. All rights reserved.