Pass the Ticket Attack Explained - MITRE ATT&CK T1550.003

Attacks on systems can frequently circumvent standard access controls by leveraging alternative authentication assets, such as password hashes, Kerberos tickets, and application access tokens. Recognized as T1550 in the MITRE ATT&CK framework, this method enables attackers to navigate laterally within a network and obtain unauthorized entry to target systems.

This article offers an in-depth exploration of the Pass-the-Ticket (T1550.003) attack, a specific sub-technique within the broader context of the Use Alternate Authentication Material strategy. 

The Complete Active Directory Security Handbook Exploitation , Detection, and Mitigation Strategies

Pass the Ticket (T1550.003)

Pass the Ticket (PtT) is an attack technique that enables an attacker to leverage a stolen Kerberos Ticket Granting Ticket (TGT) to gain unauthorized access to target systems. The TGT is a crucial component of the Kerberos protocol, as it allows users to authenticate to multiple systems without repeatedly entering their passwords. The Domain Controller (DC) issues a TGT to a user when they authenticate to the domain. This ticket contains the user's session key, group membership, and user privileges. The TGT is encrypted with the user's password hash using a symmetric encryption algorithm, such as DES or AES, depending on the Kerberos environment configuration. The encrypted TGT is stored in the user's computer memory.

To access a resource on another system, the user requests a service ticket from the DC using their TGT. The service ticket, encrypted with the user's session key, contains an encrypted session key for authenticating to the target system. This ticket is sent to the user's computer, where it is used to gain access to the desired resource. An attacker with a stolen TGT can exploit the PtT technique to request service tickets from the DC, enabling them to access specific services on target systems without legitimate authorization.

Tools and Techniques to Perform Pass the Ticket (PtT) Attacks

Pass-the-Ticket (PtT) attacks can be executed by utilizing various publicly available tools, such as Mimikatz, Kekeo [1], Rubeus [2], Creddump7 [3], etc. Attackers often employ these tools to extract Kerberos TGTs from the memory of a compromised system and then use it to gain access to other systems on the network. 

In this blog, we will be talking about how adversaries leverage Mimikatz to perform a pass-the-ticket attack.

Mimikatz

Usage of Mimikatz for the PtT attack consists of four main steps.

Step 1: Capturing Kerberos Tickets for Valid Accounts

An attacker can use the sekurlsa::tickets Mimikatz command with the /export parameter to extract all the Kerberos tickets from memory and save them as .kirbi files and save them in the same folder where the Mimikatz executable file is located. 

By examining the names of the .kirbi files, it is possible to determine if there are any Kerberos tickets for a domain administrator, such as DOMAIN\Alice:

The second command, dir | findet "Alice" | findstr "krbtgt", lists all the files in the current directory and pipes the output to the findstr command to search for the text "krbtgt". The purpose of this command is to find the Kerberos ticket file(s) related to the user "Alice", which may include the "krbtgt" string in the file name.

(!) Note that Mimikatz is not the only tool to obtain Kerberos tickets. Adversaries can employ the Rubeus [2] tool to generate raw AS-REQ traffic in order to ask for a TGT with a provided username and password. The advantage of this attack is that the password supplied to Rubeus can be encrypted in RC4, DES and AES algorithms, and the attack still would work [4]. 

Step 2: Reusing the Ticket

This is the main step of a Pass-the-Ticket attack.

In this step, the attacker employs the Mimikatz command kerberos::ptt to insert the obtained TGT into their own session, resulting in their session taking on the identity and permissions of the stolen TGT for future access to resources without knowing the plaintext credentials. This allows the adversary to access resources that would otherwise be protected by Kerberos authentication [5].

Note that the above command is used to insert the Kerberos Ticket Granting Ticket (TGT) stored in the corresponding .kirbi file into the current session. 

To make sure that the right ticket was injected, an adversary can use the “kerberos::list” Mimikatz command.

It is important to mention that the TGT has a finite lifetime, and it will expire after a certain period of time. The user will need to re-authenticate to the domain to obtain a new TGT.

Step 3: Discovering Privileges of the Stolen Ticket

Once a obtained ticket is ready for reuse, the attacker needs to identify its capabilities, i.e, where it can be utilized. A TGS can only provide access to the specific resource it was issued for, and the attacker can find out that information by examining the TGS.

To use a TGT, the attacker may have to perform an internal discovery phase to figure out the access it grants. This can be as simple as checking the user's group memberships and looking for clear signs. 

There are many tools that can be used to gather information about Active Directory, but the attacker can also use built-in commands like net to gather this information so as not to draw attention of the security controls.

Step 4: Accessing Resources Through New User Account

Lastly, the attacker can employ built-in OS utilities to move laterally in a stealthy manner so that they can try and gain access to other resources and further their goals. For instance, the adversary might leverage the PsExec command-line utility to run the powershell.exe on a remote workstation.

Detection Methods for the Pass the Ticket Attack

In this section, we provide a collection of Event IDs that can aid in detecting a potential Pass-the-Ticket attack [6], [7]. Generated by the Windows OS, these Event IDs contain crucial data regarding system actions. By keeping an eye on these Event IDs and examining the Key Description Fields, security personnel can pinpoint potential security breaches and implement suitable steps to reduce the associated risks.

Event ID 4768 - Process Create.

• Key Description Fields: Account Name, Service Name (always "krbtgt"), Service ID, Client Address

Event ID 4769 - A Kerberos Service Ticket was requested.

• Key Description Fields:  Account Name, Service Name, Client Address

Event ID  4770 - A Kerberos Service Ticket was renewed.

• Key Description Fields: Account Name, User ID, Service Name, Service ID

Mitigation Techniques for the Pass the Ticket Attack

Effective measures to counter pass-the-hash attacks concentrate on making tickets more difficult to steal and limiting the potential impact of a stolen ticket. One such measure is to utilize Microsoft's Windows Defender Credential Guard. This technology, which was introduced in Windows 10 and Windows Server 2016, leverages virtualization to secure credential storage and provide access only to trusted processes.

Another important step is to limit the number of endpoints where users have administrative privileges. This significantly reduces the risk of an attacker using a stolen ticket for lateral movement. It is also important to avoid granting administrative privileges across security boundaries, as this greatly reduces the risk of an attacker using a stolen ticket to escalate their privileges.

References 

[1] “GitHub - gentilkiwi/kekeo: A little toolbox to play with Microsoft Kerberos in C,” GitHub. [Online]. Available: https://github.com/gentilkiwi/kekeo. [Accessed: Feb. 07, 2023]

[2] “GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog,” GitHub. [Online]. Available: https://github.com/GhostPack/Rubeus. [Accessed: Feb. 07, 2023]

[3] “creddump7,” Kali Linux. [Online]. Available: https://www.kali.org/tools/creddump7/. [Accessed: Feb. 07, 2023]

[4] R. Chandel, “A Detailed Guide on Rubeus,” Hacking Articles, May 11, 2022. [Online]. Available: https://www.hackingarticles.in/a-detailed-guide-on-rubeus/. [Accessed: Feb. 07, 2023]

[5] JasonGerend, “Kerberos Authentication Overview.” [Online]. Available: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview. [Accessed: Feb. 07, 2023]

[6] “mimikatz > sekurlsa::logonpasswords.” [Online]. Available: https://jpcertcc.github.io/ToolAnalysisResultSheet/details/Mimikatz_sekurlsa-logonpasswords.htm. [Accessed: Feb. 09, 2023]

[7] “Detecting Lateral Movement through Tracking Event Logs.” [Online]. Available: https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf. [Accessed: Feb. 09, 2023]