What can we help you with?

Supercharged PAM

Combine the best of Session Management and Credential Management solutions at a new, incredible value!

Learn More Learn More
Contact Chat with Sales Get Support

What is BeyondTrust?

Get a closer look inside the BeyondTrust identity & access security arsenal.

Learn More Learn More
Contact Chat with Sales Get Support

Gartner Peer Insights

Find out how customers & analysts alike review BeyondTrust.

Learn More Learn More
Contact Chat with Sales Get Support

Go Beyond Customer & Partner Conference

Our biggest customer conference of the year is happening in Miami and virtually on May 1-5, 2023.

Learn More Learn More
Contact Chat with Sales Get Support

Watch Our Video

Find out more about our integrations.

Learn More Learn More
Contact Chat with Sales Get Support

Leader in Intelligent Identity & Secure Access

Learn how BeyondTrust solutions protect companies from cyber threats.

Learn More Learn More
Contact Chat with Sales Get Support
Contact Chat with Sales Get Support

What are Pass-the-Ticket Attacks? An Introduction.

Since the 1990s, Windows administrators have been plagued with Pass-the-Hash (PTH) attacks. These attacks exploit password hashes and allow hackers to hijack local administrator accounts.

Newer Windows operating systems mitigated the PTH threat to a great degree. However, hackers evolved with the technology into new attack vectors.

In recent years, a different type of cyberattack gained notoriety for its ability to target Kerberos, the default authentication protocol in Windows 2000 and later domains. Lesser known than its cousin Pass-the-Hash, this newer attack - dubbed Pass-the-Ticket - is just as dangerous. Using toolkits such as Mimikatz and Windows Credentials Editor (WCE), hackers can develop Pass-the-Ticket attacks that move through the network by copying tickets from compromised end-user machines, or from a delegated authorization server.

Launching Pass-the-Ticket Attacks

You can typically launch Pass-the-Ticket attacks in one of two ways:

  • By stealing a Ticket Granting Ticket or Service Ticket from a Windows machine and use the stolen ticket to impersonate a user, or
  • By stealing a Ticket Granting Ticket or Service Ticket by compromising a server that performs authorization on the user's behalf.

Once the attacker extracts one of these tickets, he can leverage it to gain lateral movement within the network. He can seek out additional permissions and steal sensitive data. But it gets even more ominous.

What’s the Goal of Pass-the-Ticket Attacks?

The eventual goal of Pass-the-Ticket could be to steal the hash of the KRBTGT account on a domain controller. This is the account used by Kerberos to encrypt Ticket Granting Tickets.

Once in possession of this password hash, a hacker could create unlimited tickets, granting any level of access, with virtually unlimited lifetimes. This is the so-called Golden Ticket, which according to security researcher Roger Grimes “isn’t merely a forged Kerberos ticket — it’s a forged Kerberos key distribution center.”

Pass-the-Ticket Security Mitigations

In general, you can’t block Pass-the-Ticket exploits with standard cybersecurity defenses. That’s because local and domain password changes don’t invalidate compromised tickets. And while multifactor authentication (MFA) is typically a sound verification practice, Pass-the-Ticket exploits bypass MFA altogether.

Instead, protecting against Pass-the-Ticket requires a different, three step approach:

  • Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains. That allows hackers to impersonate users or processes to gain lateral movement on a network. To counter this attack, you need to reduce the attack surface of your network. This involves enforcing frequent, automated credentials updates to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex, unique and frequently changing credentials. And then audit access to the credentials.
  • Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can exploit to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of attackers to access additional network resources after they’ve exploited a computer or impersonated a user through Pass-the-Ticket.
  • Rapid Remediation Process: Establish, in advance, a process to remove attackers’ access to compromised systems. You can accomplish this through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets. The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. We call this process a Security DoubleTap. It clears the system memory of hashes and passwords on compromised machines to curtail further access.


Want to learn more about defeating pass-the-ticket attacks?

Photograph of Chris Stoneff

Chris Stoneff, VP Security Solutions, Development

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Up next

You May Also Be Interested In: