Defending Against Pass-the-Ticket Attacks

April 26, 2018


Since the 1990s, Windows administrators have been plagued with Pass-the-Hash (PTH) attacks. These attacks exploit password hashes and allow hackers to hijack local administrator accounts.

Newer Windows operating systems mitigated the PTH threat to a great degree. However, hackers evolved with the technology into new attack vectors.

In recent years, a different type of cyberattack gained notoriety for its ability to target Kerberos, the default authentication protocol in Windows 2000 and later domains. Lesser known than its cousin Pass-the-Hash, this newer attack - dubbed Pass-the-Ticket - is just as dangerous. Using toolkits such as Mimikatz and Windows Credentials Editor (WCE), hackers can develop Pass-the-Ticket attacks that move through the network by copying tickets from compromised end-user machines, or from a delegated authorization server.

Launching Pass-the-Ticket Attacks

You can typically launch Pass-the-Ticket attacks in one of two ways:

  • By stealing a Ticket Granting Ticket or Service Ticket from a Windows machine and using the stolen ticket to impersonate a user, or
  • By stealing a Ticket Granting Ticket or Service Ticket by compromising a server that performs authorization on the users’ behalf.

Once the attacker extracts one of these tickets, he can use it to move laterally within the network, seeking out additional permissions and stealing sensitive data. But it gets even more ominous.

What’s the End Game of Pass-the-Ticket Attacks?

The eventual goal of Pass-the-Ticket could be to steal the hash of the KRBTGT account on a domain controller. This is the account used by Kerberos to encrypt Ticket Granting Tickets.

Once in possession of this password hash, a hacker could create unlimited tickets, granting any level of access, with virtually unlimited lifetimes. This is the so-called Golden Ticket, which according to security researcher Roger Grimes “isn’t merely a forged Kerberos ticket — it’s a forged Kerberos key distribution center.”

Pass-the-Ticket Countermeasures

In general, you can’t block Pass-the-Ticket exploits with standard cybersecurity defenses. That’s because local and domain password changes don’t invalidate compromised tickets. And while multifactor authentication (MFA) is typically a sound verification practice, Pass-the-Ticket exploits bypass MFA altogether.

Instead, protecting against Pass-the-Ticket requires a different, three-step approach:

  • Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains. That allows hackers to impersonate users or processes to move laterally on a network. To counter this attack, you need to reduce the attack surface of your network. This involves enforcing frequent, automated credential updates to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex, unique and frequently changing credentials. And then audit access to the credentials.
  • Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can exploit to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of attackers to access additional network resources after they’ve exploited a computer or impersonated a user through Pass-the-Ticket.
  • Rapid Remediation Process: Establish, in advance, a process to remove attackers’ access to compromised systems. You can accomplish this through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets. The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. We call this process a Security DoubleTap and it’s a feature of our Privileged Identity Management product. It clears the system memory of hashes and passwords on compromised machines to curtail further access.
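Because password changes and MFA do not invalidate a stolen or forged ticket, detection has to come from the domain controllers' Kerberos audit trail. The following added example (not part of the original post or any BeyondTrust product) shows one heuristic a defender can run over Security log events: a service ticket request (event 4769) arriving from a host that never obtained a TGT (event 4768) for that account suggests a ticket copied from another machine, and a 4769 for an account with no TGT issuance at all is consistent with a forged Golden Ticket. The event tuples, field layout and IP addresses are constructed assumptions, not the real Windows event schema.

```python
"""Heuristic Pass-the-Ticket / Golden Ticket detection over Kerberos audit events.

Assumption: events are pre-parsed into tuples
(event_id, account, client_ip, service, timestamp_seconds). 4768 = TGT
requested, 4769 = service ticket requested. In production the 4768 may have
been logged before the analysis window began, so a "no TGT" finding should be
checked against the TGT lifetime (typically 10 hours) before escalating."""
from collections import defaultdict

# Constructed sample log, not real data.
SAMPLE_EVENTS = [
    (4768, "alice", "10.0.0.11", "krbtgt", 100),
    (4769, "alice", "10.0.0.11", "cifs/fileserver", 130),  # normal use from same host
    (4769, "alice", "10.0.0.57", "cifs/fileserver", 400),  # ticket replayed from another host
    (4769, "bob", "10.0.0.99", "ldap/dc01", 500),          # no TGT ever issued to bob
]


def tgt_origins(events):
    """Map each account to the set of client IPs that obtained a TGT (4768)."""
    origins = defaultdict(set)
    for event_id, account, ip, _service, _ts in events:
        if event_id == 4768:
            origins[account].add(ip)
    return origins


def find_suspicious(events):
    """Return (reason, account, client_ip, service) for 4769 events that
    do not line up with a legitimate TGT issuance."""
    origins = tgt_origins(events)
    findings = []
    for event_id, account, ip, service, _ts in events:
        if event_id != 4769:
            continue
        if account not in origins:
            # Service ticket presented without the KDC ever issuing a TGT:
            # consistent with a forged (Golden) ticket.
            findings.append(("no_tgt_issued", account, ip, service))
        elif ip not in origins[account]:
            # TGT was issued, but to a different host: consistent with a
            # ticket copied off the original machine and replayed.
            findings.append(("tgt_from_other_host", account, ip, service))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(*finding)
```

Both findings are heuristics: a TGT renewal, a VPN address change or a missing log source can produce the same pattern, so they belong in a triage queue rather than an automatic block.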



Chris Stoneff

VP Security Solutions, Development
