Pass the Ticket

Pass the Ticket [T1550.003]

Information

Name: Pass the Ticket
ID: T1550.003
Tactics: ,
Technique:

Introduction

Pass the Ticket (PtT) [T1550.003] is a sub-technique within the MITRE ATT&CK framework categorized under Credential Access. It involves adversaries stealing Kerberos tickets from compromised systems and using them to authenticate and move laterally within a Windows network environment. Rather than relying on plaintext passwords or hashes, attackers leverage valid Kerberos tickets, allowing them to impersonate legitimate users and evade some traditional detection mechanisms. PtT attacks are particularly effective in Active Directory environments and often exploited by sophisticated threat actors seeking persistence and lateral movement.

Deep Dive Into Technique

Pass the Ticket attacks exploit the Kerberos authentication protocol used by Active Directory domain environments. Kerberos authentication involves tickets issued by a Key Distribution Center (KDC) that authenticate users and services without sending passwords over the network.

Technical details and execution methods include:

Ticket Extraction: Attackers first compromise a host and extract Kerberos tickets from memory, typically using tools like Mimikatz, Rubeus, or Invoke-Mimikatz.
- Tickets extracted can be either:
  - Ticket Granting Ticket (TGT): Allows attackers to request additional service tickets.
  - Service Tickets: Allow attackers to directly access specific services or resources.
Ticket Reuse: Once extracted, attackers reuse these valid tickets on other systems without needing the user's password or hash.
- Typically involves importing tickets into attacker-controlled sessions using specialized tools.
- Attackers can impersonate users across multiple systems, enabling lateral movement, privilege escalation, and persistence.
Ticket Injection Techniques: Attackers commonly inject tickets into memory by:
- Using Mimikatz commands such as kerberos::ptt.
- Leveraging tools like Rubeus (Rubeus.exe ptt) to import tickets into current sessions.
- Employing PowerShell scripts to automate ticket injection and lateral movement.
Ticket Lifetime and Renewal: Kerberos tickets have a limited lifetime and renewal period. Attackers must manage timing carefully to maintain persistence or repeatedly extract fresh tickets.
Golden and Silver Tickets: PtT can be combined with advanced techniques such as Golden Tickets (forged TGTs) or Silver Tickets (forged service tickets), significantly increasing the scope and duration of compromise.

When this Technique is Usually Used

Pass the Ticket attacks are frequently utilized in various attack scenarios, including:

Initial Credential Access and Lateral Movement:
- Attackers who have gained initial access to a single compromised host use PtT to move laterally to other systems within the domain.
- Allows attackers to leverage legitimate authentication mechanisms rather than brute-force or noisy password guessing.
Privilege Escalation:
- Attackers use PtT to impersonate privileged accounts (such as domain admins) after extracting their tickets, enabling escalation of privileges.
Persistence and Stealth:
- Attackers reuse valid tickets to maintain long-term persistence without needing to repeatedly compromise credentials.
- PtT helps attackers blend into normal Kerberos traffic, making detection challenging.
Advanced Persistent Threat (APT) Campaigns:
- Sophisticated adversaries, including state-sponsored actors, frequently employ PtT attacks due to their stealth, reliability, and effectiveness in complex Active Directory environments.
Post-Exploitation Phases:
- Commonly employed after initial compromise and reconnaissance phases, enabling attackers to pivot and escalate privileges within a targeted network.

How this Technique is Usually Detected

Detecting Pass the Ticket attacks requires a combination of log analysis, behavioral monitoring, and specialized tools. Effective detection methods include:

Event Log Monitoring:
- Monitor Windows Event Logs, particularly Security Event Logs, for suspicious Kerberos-related events, such as:
  - Event ID 4769 (Kerberos Service Ticket Operations).
  - Event ID 4768 (Kerberos Authentication Ticket Operations).
  - Event ID 4770 (Kerberos Service Ticket Renewal Requests).
Behavioral Analysis and Anomaly Detection:
- Identify unusual patterns in Kerberos ticket usage, such as:
  - Unexpected ticket requests from unusual source IP addresses.
  - Ticket reuse across multiple systems or abnormal usage patterns.
  - Tickets associated with high-value accounts being used from uncommon hosts or at unusual times.
Endpoint Detection and Response (EDR) Solutions:
- Tools like CrowdStrike Falcon, Microsoft Defender for Endpoint, or Carbon Black detect suspicious memory injection activities and known PtT tools (e.g., Mimikatz, Rubeus).
- EDR agents identify suspicious memory operations, credential dumping, and ticket injection behaviors.
Network Traffic Analysis:
- Network detection tools (e.g., Zeek, Suricata, or Snort) can identify anomalous Kerberos traffic patterns indicative of PtT attacks.
- Detection of unusual ticket usage or abnormal communication patterns between hosts and domain controllers.
Indicators of Compromise (IoCs):
- Presence of known PtT tools (Mimikatz, Rubeus, Invoke-Mimikatz) on endpoints.
- Suspicious processes injecting tickets into memory (e.g., lsass.exe manipulation).
- Abnormal Kerberos ticket requests or ticket reuse across multiple endpoints.

Why it is Important to Detect This Technique

Detecting Pass the Ticket attacks early is critical due to their potential impact on organizational security posture. Importance of early detection includes:

Preventing Lateral Movement:
- Early detection stops attackers from moving laterally, significantly limiting their ability to escalate privileges and compromise additional systems.
Minimizing Privilege Escalation:
- PtT often enables attackers to impersonate privileged accounts. Early detection prevents attackers from escalating privileges and reduces risk to critical assets and sensitive data.
Reducing Attack Persistence:
- Attackers employing PtT often maintain persistence within networks for extended periods. Early detection disrupts their foothold, limiting their ability to carry out long-term campaigns.
Protecting Sensitive Data and Resources:
- PtT attacks frequently target critical infrastructure, sensitive information, and high-value accounts. Early detection protects these resources from unauthorized access and data exfiltration.
Maintaining Organizational Trust and Compliance:
- Detecting and responding promptly to PtT attacks helps organizations comply with regulatory requirements and maintain trust with customers, partners, and stakeholders.

Examples

Real-world examples and scenarios of Pass the Ticket attacks include:

APT29 (Cozy Bear) Campaigns:
- Russian threat actor APT29 frequently employed PtT attacks in campaigns targeting government and private sector entities.
- Tools Used: Mimikatz, Rubeus.
- Impact: Persistent lateral movement, privilege escalation, and sensitive data exfiltration.
NotPetya Ransomware (2017):
- NotPetya leveraged PtT techniques to rapidly propagate across corporate networks after initial infection.
- Tools Used: Modified Mimikatz components embedded within malware payloads.
- Impact: Massive disruption, data loss, and significant financial damage to global enterprises.
FIN6 Cybercrime Group:
- FIN6, known for targeting financial and retail sectors, utilized PtT attacks to move laterally and escalate privileges within victim networks.
- Tools Used: Mimikatz, PowerShell scripts.
- Impact: Theft of payment card data, financial fraud, and significant monetary losses.
Operation Wocao (China-linked APT):
- Operation Wocao attackers utilized PtT to maintain persistence and lateral movement in telecommunications and technology sectors.
- Tools Used: Mimikatz, custom scripts for Kerberos ticket extraction and reuse.
- Impact: Long-term espionage, intellectual property theft, and persistent compromise of critical infrastructure.
Ryuk Ransomware Attacks:
- Ryuk ransomware operators used PtT techniques to escalate privileges and propagate ransomware rapidly across enterprise networks.
- Tools Used: Mimikatz, Rubeus.
- Impact: Severe operational disruptions, data encryption, and significant ransom demands.

These examples illustrate the widespread adoption of Pass the Ticket techniques by various threat actors, highlighting the importance of robust detection and mitigation strategies.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Technical details and execution methods include:

Ticket Extraction: Attackers first compromise a host and extract Kerberos tickets from memory, typically using tools like Mimikatz, Rubeus, or Invoke-Mimikatz.

Tickets extracted can be either:
- Ticket Granting Ticket (TGT): Allows attackers to request additional service tickets.
- Service Tickets: Allow attackers to directly access specific services or resources.

Ticket Reuse: Once extracted, attackers reuse these valid tickets on other systems without needing the user's password or hash.

Typically involves importing tickets into attacker-controlled sessions using specialized tools.
Attackers can impersonate users across multiple systems, enabling lateral movement, privilege escalation, and persistence.

Ticket Injection Techniques: Attackers commonly inject tickets into memory by:

Using Mimikatz commands such as kerberos::ptt.
Leveraging tools like Rubeus (Rubeus.exe ptt) to import tickets into current sessions.
Employing PowerShell scripts to automate ticket injection and lateral movement.

Ticket Lifetime and Renewal: Kerberos tickets have a limited lifetime and renewal period. Attackers must manage timing carefully to maintain persistence or repeatedly extract fresh tickets.

Golden and Silver Tickets: PtT can be combined with advanced techniques such as Golden Tickets (forged TGTs) or Silver Tickets (forged service tickets), significantly increasing the scope and duration of compromise.

When this Technique is Usually Used

Pass the Ticket attacks are frequently utilized in various attack scenarios, including:

Initial Credential Access and Lateral Movement:

Attackers who have gained initial access to a single compromised host use PtT to move laterally to other systems within the domain.
Allows attackers to leverage legitimate authentication mechanisms rather than brute-force or noisy password guessing.

Privilege Escalation:

Attackers use PtT to impersonate privileged accounts (such as domain admins) after extracting their tickets, enabling escalation of privileges.

Persistence and Stealth:

Attackers reuse valid tickets to maintain long-term persistence without needing to repeatedly compromise credentials.
PtT helps attackers blend into normal Kerberos traffic, making detection challenging.

Advanced Persistent Threat (APT) Campaigns:

Sophisticated adversaries, including state-sponsored actors, frequently employ PtT attacks due to their stealth, reliability, and effectiveness in complex Active Directory environments.

Post-Exploitation Phases:

Commonly employed after initial compromise and reconnaissance phases, enabling attackers to pivot and escalate privileges within a targeted network.

How this Technique is Usually Detected

Detecting Pass the Ticket attacks requires a combination of log analysis, behavioral monitoring, and specialized tools. Effective detection methods include:

Event Log Monitoring:

Monitor Windows Event Logs, particularly Security Event Logs, for suspicious Kerberos-related events, such as:
- Event ID 4769 (Kerberos Service Ticket Operations).
- Event ID 4768 (Kerberos Authentication Ticket Operations).
- Event ID 4770 (Kerberos Service Ticket Renewal Requests).

Behavioral Analysis and Anomaly Detection:

Identify unusual patterns in Kerberos ticket usage, such as:
- Unexpected ticket requests from unusual source IP addresses.
- Ticket reuse across multiple systems or abnormal usage patterns.
- Tickets associated with high-value accounts being used from uncommon hosts or at unusual times.

Endpoint Detection and Response (EDR) Solutions:

Tools like CrowdStrike Falcon, Microsoft Defender for Endpoint, or Carbon Black detect suspicious memory injection activities and known PtT tools (e.g., Mimikatz, Rubeus).
EDR agents identify suspicious memory operations, credential dumping, and ticket injection behaviors.

Network Traffic Analysis:

Network detection tools (e.g., Zeek, Suricata, or Snort) can identify anomalous Kerberos traffic patterns indicative of PtT attacks.
Detection of unusual ticket usage or abnormal communication patterns between hosts and domain controllers.

Indicators of Compromise (IoCs):

Presence of known PtT tools (Mimikatz, Rubeus, Invoke-Mimikatz) on endpoints.
Suspicious processes injecting tickets into memory (e.g., lsass.exe manipulation).
Abnormal Kerberos ticket requests or ticket reuse across multiple endpoints.

Why it is Important to Detect This Technique

Detecting Pass the Ticket attacks early is critical due to their potential impact on organizational security posture. Importance of early detection includes:

Preventing Lateral Movement:

Early detection stops attackers from moving laterally, significantly limiting their ability to escalate privileges and compromise additional systems.

Minimizing Privilege Escalation:

PtT often enables attackers to impersonate privileged accounts. Early detection prevents attackers from escalating privileges and reduces risk to critical assets and sensitive data.

Reducing Attack Persistence:

Attackers employing PtT often maintain persistence within networks for extended periods. Early detection disrupts their foothold, limiting their ability to carry out long-term campaigns.

Protecting Sensitive Data and Resources:

PtT attacks frequently target critical infrastructure, sensitive information, and high-value accounts. Early detection protects these resources from unauthorized access and data exfiltration.

Maintaining Organizational Trust and Compliance:

Detecting and responding promptly to PtT attacks helps organizations comply with regulatory requirements and maintain trust with customers, partners, and stakeholders.

Examples

Real-world examples and scenarios of Pass the Ticket attacks include:

APT29 (Cozy Bear) Campaigns:

Russian threat actor APT29 frequently employed PtT attacks in campaigns targeting government and private sector entities.
Tools Used: Mimikatz, Rubeus.
Impact: Persistent lateral movement, privilege escalation, and sensitive data exfiltration.

NotPetya Ransomware (2017):

NotPetya leveraged PtT techniques to rapidly propagate across corporate networks after initial infection.
Tools Used: Modified Mimikatz components embedded within malware payloads.
Impact: Massive disruption, data loss, and significant financial damage to global enterprises.

FIN6 Cybercrime Group:

FIN6, known for targeting financial and retail sectors, utilized PtT attacks to move laterally and escalate privileges within victim networks.
Tools Used: Mimikatz, PowerShell scripts.
Impact: Theft of payment card data, financial fraud, and significant monetary losses.

Operation Wocao (China-linked APT):

Operation Wocao attackers utilized PtT to maintain persistence and lateral movement in telecommunications and technology sectors.
Tools Used: Mimikatz, custom scripts for Kerberos ticket extraction and reuse.
Impact: Long-term espionage, intellectual property theft, and persistent compromise of critical infrastructure.

Ryuk Ransomware Attacks:

Ryuk ransomware operators used PtT techniques to escalate privileges and propagate ransomware rapidly across enterprise networks.
Tools Used: Mimikatz, Rubeus.
Impact: Severe operational disruptions, data encryption, and significant ransom demands.

These examples illustrate the widespread adoption of Pass the Ticket techniques by various threat actors, highlighting the importance of robust detection and mitigation strategies.