Pass-the-Ticket attacks are a type of cyberattack in which an attacker steals a Kerberos ticket-granting ticket (TGT) or service ticket from one user and uses it to impersonate that user on a network, bypassing authentication mechanisms and gaining unauthorized access to resources.
Since the 1990s, Windows administrators have been plagued by Pass-the-Hash (PTH) attacks. These attacks exploit stolen password hashes and allow attackers to hijack local administrator accounts.
Password management tools, enforcement of least-privilege access, and newer Windows operating systems mitigate the PTH threat to a great degree. Attackers, however, evolved alongside the technology and found new attack vectors.
A different type of cyberattack gained notoriety for its ability to target Kerberos, the default authentication protocol in Windows 2000 and later domains. Less well known than its cousin Pass-the-Hash, this newer attack, dubbed Pass-the-Ticket, is just as dangerous. Using toolkits such as Mimikatz and Windows Credentials Editor (WCE), attackers can build Pass-the-Ticket attacks that move through the network by copying tickets from compromised end-user machines or from a delegated authorization server.
Threat actors typically launch Pass-the-Ticket attacks in one of two ways:
By stealing a Ticket Granting Ticket or service ticket from a Windows machine and using the stolen ticket to impersonate a user, or
By stealing a Ticket Granting Ticket or service ticket by compromising a server that performs authorization on the user's behalf.
Once the attacker extracts one of these tickets, they can use it to move laterally within the network, seek out additional permissions, and steal sensitive data. But it gets even more ominous.
One goal of Pass-the-Ticket could be to steal the password hash of the KRBTGT account on a domain controller. This is the account whose key Kerberos uses to encrypt Ticket Granting Tickets.
Once in possession of this password hash, a hacker could create unlimited tickets, granting any level of access, with virtually unlimited lifetimes. This is the so-called Golden Ticket, which according to security researcher Roger Grimes “isn’t merely a forged Kerberos ticket — it’s a forged Kerberos key distribution center.”
In general, you can't block Pass-the-Ticket attacks with standard cybersecurity defenses. Local and domain password changes don't invalidate tickets that were already issued, so a compromised ticket stays usable until it expires. And while multi-factor authentication (MFA) is typically a sound verification practice, a Pass-the-Ticket attack bypasses MFA altogether: the stolen ticket was issued after the legitimate user had already completed authentication, so the attacker never faces the MFA challenge.
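Because the domain controller accepts a passed ticket exactly as it would a legitimately obtained one, the practical defense is detection from Kerberos telemetry rather than credential controls. The following is an added example, not code from the original page: it correlates two standard Windows security events, 4768 (a TGT was issued) and 4769 (a service ticket was requested), and flags a service-ticket request for a user from a client address that never obtained a TGT for that user, or whose newest TGT is older than the maximum ticket lifetime. The record layout, the 10-hour default lifetime, and the sample events are all assumptions constructed for the example.

```python
"""Triage heuristic for passed Kerberos tickets (added example, not the page's code).

Assumed record shape: one dict per domain-controller security event with the
keys time (ISO 8601), event_id, user, client_ip, service. Event IDs used:
  4768 = Kerberos authentication ticket (TGT) requested
  4769 = Kerberos service ticket requested
Heuristic: a 4769 for a user from a client that never got a TGT for that user
(or whose last TGT is older than the maximum TGT lifetime) suggests the ticket
was copied to that client rather than obtained there.
"""
from datetime import datetime, timedelta

# Default domain policy "Maximum lifetime for user ticket" (assumed value).
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events; the addresses, hosts and users are fictitious.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:55:00", "event_id": 4768, "user": "bob",
     "client_ip": "10.0.0.9", "service": "krbtgt"},
    {"time": "2024-03-01T09:00:00", "event_id": 4768, "user": "alice",
     "client_ip": "10.0.0.5", "service": "krbtgt"},
    # Normal: alice uses her own TGT from the host that obtained it.
    {"time": "2024-03-01T09:05:00", "event_id": 4769, "user": "alice",
     "client_ip": "10.0.0.5", "service": "cifs/FS01"},
    # Suspicious: alice's ticket used from a host that never requested a TGT.
    {"time": "2024-03-01T11:30:00", "event_id": 4769, "user": "alice",
     "client_ip": "10.0.0.77", "service": "cifs/FS01"},
    # Suspicious: bob's last TGT from this host is more than 10 hours old.
    {"time": "2024-03-01T20:10:00", "event_id": 4769, "user": "bob",
     "client_ip": "10.0.0.9", "service": "ldap/DC01"},
]


def find_passed_tickets(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return a list of findings, one per suspicious 4769 event, in time order."""
    ordered = sorted(events, key=lambda e: e["time"])
    last_tgt = {}  # (user, client_ip) -> datetime of most recent TGT issuance
    findings = []
    for e in ordered:
        when = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e["client_ip"])
        if e["event_id"] == 4768:
            last_tgt[key] = when
        elif e["event_id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None:
                reason = "no TGT was issued to this user from this client"
            elif when - issued > max_lifetime:
                reason = "newest TGT from this client is older than the maximum ticket lifetime"
            else:
                continue  # service ticket is consistent with a TGT obtained here
            findings.append({
                "time": e["time"],
                "user": e["user"],
                "client_ip": e["client_ip"],
                "service": e["service"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_passed_tickets(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']}@{f['client_ip']} -> {f['service']}: {f['reason']}")
```

This is a triage signal, not proof: a TGT issued before the log window began, a ticket renewal (event 4770 rather than a new 4768), or a multi-homed host will all produce false positives, so feed the findings into an analyst queue and check them against the user's expected workstations and the endpoint's process activity.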
Protecting against Pass-the-Ticket requires the following three-step approach:
As stated above, Pass-the-Ticket attacks exploit the default authentication protocol in Windows domains, which lets attackers impersonate users or processes and move laterally across a network. To counter this attack, reduce the attack surface of your network by enforcing frequent, automated credential updates that impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex, unique, and frequently changing credentials. Then audit access to those credentials.
Further reduce your attack surface by minimizing the number of highly privileged logins that attackers can exploit to gain control of your network. Consider an endpoint privilege management solution that grants users delegated privileged access and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit an attacker's ability to reach additional network resources after they have compromised a computer or impersonated a user through Pass-the-Ticket.
Establish, in advance, a process to remove attackers' access to compromised systems. You can accomplish this with a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of the changed credentials everywhere on the domain, blocking further use of compromised tickets. The password resets can be combined with automatic, chained reboots of managed machines after a user escalation, or after changes to systems are made using escalated credentials. This process is referred to as a Security DoubleTap. It clears hashes and passwords from system memory on compromised machines to curtail further access.
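The reason a single reset is not enough applies most visibly to the KRBTGT account mentioned earlier: a Windows KDC keeps the previous KRBTGT key alongside the current one and accepts TGTs encrypted under either, so a ticket forged or stolen under the old key survives the first reset and only dies after the second. The toy model below is an added example, not the page's or any vendor's code; it replaces real Kerberos cryptography with integer key identifiers and assumes exactly that two-key acceptance rule.

```python
"""Toy model of KRBTGT key rotation (added example, not the page's code).

Assumption modeled: the KDC accepts a TGT encrypted under the current or the
immediately previous KRBTGT key, so one reset leaves old tickets valid and a
second reset invalidates them. Keys are plain integers; no real crypto here.
"""
import itertools


class ToyKdc:
    def __init__(self):
        self._key_ids = itertools.count(1)
        self.current_key = next(self._key_ids)
        self.previous_key = None  # KDC remembers one prior key

    def issue_tgt(self, user):
        """Issue a ticket 'encrypted' under the current key."""
        return {"user": user, "key": self.current_key}

    def accepts(self, tgt):
        """Validation rule: current key or the single previous key."""
        return tgt["key"] in (self.current_key, self.previous_key)

    def reset_krbtgt(self):
        """One password reset: the old key becomes the 'previous' key."""
        self.previous_key = self.current_key
        self.current_key = next(self._key_ids)


def acceptance_after_resets(resets):
    """Issue a ticket, perform `resets` resets, report whether it still validates.

    Returns a list whose index i is the acceptance result after i resets.
    """
    kdc = ToyKdc()
    stolen = kdc.issue_tgt("victim")
    results = [kdc.accepts(stolen)]
    for _ in range(resets):
        kdc.reset_krbtgt()
        results.append(kdc.accepts(stolen))
    return results


def resets_to_invalidate():
    """Smallest number of resets after which the stolen ticket is rejected."""
    kdc = ToyKdc()
    stolen = kdc.issue_tgt("victim")
    count = 0
    while kdc.accepts(stolen):
        kdc.reset_krbtgt()
        count += 1
    return count


if __name__ == "__main__":
    print("accepted after 0, 1, 2 resets:", acceptance_after_resets(2))
    print("resets needed:", resets_to_invalidate())
```

The model also shows why the two resets must be spaced apart in practice: every domain controller has to replicate the first new key before the second reset, otherwise legitimate users holding tickets under the now-dropped key are locked out along with the attacker. The commonly recommended gap is at least the maximum ticket lifetime (10 hours by default).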