Cyber Security » How-to

Lateral Movement: Pass the ticket attack

Quick search

    Pass-the-ticket is an authentication exploit which involves using stolen Kerberos tickets to authenticate to a domain without the account’s password. Also known as the forged ticket attack, it is one of the common and effective techniques to move laterally within a network.

    The valid Kerberos tickets can be extracted from the lsass memory on a system. Depending on the level of access in a system, the attacker can get hold of the user’s service tickets or ticket granting ticket (TGT) . While the TGT can be used to get the required service tickets from the Ticket Granting Server, the service tickets are the actual key to access specific critical server or service in the network.

    The two popular exploits in this technique are Silver ticket and Golden ticket. Silver Tickets are used to generate service tickets to access a particular service like MS SQL and the system that hosts the service . Golden tickets on the other hand, are used to generate TGTs for any account in Active Directory.

    Forging Silver and Golden tickets

    When the attacker steals the NTLM hash of a user account, they can forge silver tickets for all the services to which the user account has access.

    On the other hand, if the attacker successfully steals the NTLM hash of the KRBTGT account —service account of the Key Distribution Center (KDC), they can issue TGTs for any account in the domain. Golden ticket is the forged Key Distribution Center (KDC) rather than a ticket.

    The various tools that can be used to carry out pass the ticket attack on Windows include mimikatz, rubeus, PSexec etc.

    It's difficult to detect these attacks as the events look similar to any other normal authentication process. However, it isn't impossible.

    Detecting Pass-the-ticket attack

    You can monitor your network by auditing all Kerberos authentication events and reviewing for discrepancies. For example, to investigate pass-the-ticket attcak at endpoints, carry out the following steps:

    1. Check for the current logon sessions for that system.
    2. Inspect the Kerberos ticket associated with that session.
    3. Check for Kerberos tickets that do not match.

    During legitimate authentication to the domain, the following event IDs can be found in this order:

    • 4768 – A Kerberos authentication ticket (TGT) was requested
    • 4769 – A Kerberos service ticket was requested
    • 4770 – A Kerberos service ticket was renewed

    If a request is being made through golden ticket, no request for TGT would be made. This implies that any authentications that log onlyevent ID 4769 and event ID 4770 is an indication of the presence of a golden ticket.

    ManageEngine Log360, a comprehensive SIEM solution can help you detect these attacks with its powerful correlation engine, real-time event response system, and log forensic analysis capabilities. The solution quickly detects the indicators of compromise associated with the pass-the-ticket attack. It further enriches the detection by correlating other relevant events and thereby accurately alerts you when this attack occurs. And that's not all. Log360 comes bundled with threat intelligence platform, user and entity behavior analytics, and a lot more.Explore the solution now

    EventLog Analyzer

    EventLog Analyzer, a one-stop log management solution, collects, analyzes, correlates, and archives log data from you on-premises as well as cloud network. With its in-depth log analysis capability, EventLog Analyzer helps enterprises to thwart security threats in real-time, spot anomalous user behaviors, and manage security incidents effectively. Want to know how our solution helps you protect your cloud environment? Check out.

    Download now

    EventLog Analyzer Trusted By

    Los Alamos National Bank Michigan State University
    Panasonic Comcast
    Oklahoma State University IBM
    Accenture Bank of America
    Ernst Young

    Customer Speaks

    • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
      Benjamin Shumaker
      Vice President of IT / ISO
      Credit Union of Denver
    • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
      Joseph Graziano, MCSE CCA VCP
      Senior Network Engineer
    • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
      Joseph E. Veretto
      Operations Review Specialist
      Office of Information System
      Florida Department of Transportation
    • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
      Jim Lloyd
      Information Systems Manager
      First Mountain Bank

    Awards and Recognitions

    A Single Pane of Glass for Comprehensive Log Management

    © 2020 Zoho Corporation Pvt. Ltd. All rights reserved.