Defending Against Pass-the-Ticket Attacks

Since the 1990s, Windows administrators have been plagued with Pass-the-Hash (PTH) attacks. These attacks exploit password hashes and allow hackers to hijack local administrator accounts.

Newer Windows operating systems mitigated the PTH threat to a great degree. However, hackers evolved with the technology into new attack vectors.

In recent years, a different type of cyberattack gained notoriety for its ability to target Kerberos, the default authentication protocol in Windows 2000 and later domains. Lesser known than its cousin Pass-the-Hash, this newer attack - dubbed Pass-the-Ticket - is just as dangerous. Using toolkits such as Mimikatz and Windows Credentials Editor (WCE), hackers can develop Pass-the-Ticket attacks that move through the network by copying tickets from compromised end-user machines, or from a delegated authorization server.

Launching Pass-the-Ticket Attacks

You can typically launch Pass-the-Ticket attacks in one of two ways:

• By stealing a Ticket Granting Ticket or Service Ticket from a Windows machine and uses the stolen ticket to impersonate a user, or
• By stealing a Ticket Granting Ticket or Service Ticket by compromising a server that performs authorization on the users’ behalf.

Once the attacker extracts one of these tickets, he can leverage it to gain lateral movement within the network. He can seek out additional permissions and steal sensitive data. But it gets even more ominous.

What’s the End Game of Pass-the-Ticket Attacks?

The eventual goal of Pass-the-Ticket could be to steal the hash of the KRBTGT account on a domain controller. This is the account used by Kerberos to encrypt Ticket Granting Tickets.

Once in possession of this password hash, a hacker could create unlimited tickets, granting any level of access, with virtually unlimited lifetimes. This is the so-called Golden Ticket, which according to security researcher Roger Grimes “isn’t merely a forged Kerberos ticket — it’s a forged Kerberos key distribution center.”

Pass-the-Ticket Countermeasures

In general, you can’t block Pass-the-Ticket exploits with standard cybersecurity defenses. That’s because local and domain password changes don’t invalidate compromised tickets. And while multifactor authentication (MFA) is typically a sound verification practice, Pass-the-Ticket exploits bypass MFA altogether.

Instead, protecting against Pass-the-Ticket requires a different, three step approach:

• Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains. That allows hackers to impersonate users or processes to gain lateral movement on a network. To counter this attack, you need to reduce the attack surface of your network. This involves enforcing frequent, automated credentials updates to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex, unique and frequently changing credentials. And then audit access to the credentials.

• Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can exploit to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of attackers to access additional network resources after they’ve exploited a computer or impersonated a user through Pass-the-Ticket.
• Rapid Remediation Process: Establish, in advance, a process to remove attackers’ access to compromised systems. You can accomplish this through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets. The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. We call this process a Security DoubleTap and it’s a feature of our Privileged Identity Management product. It clears the system memory of hashes and passwords on compromised machines to curtail further access.