Is my host protected against Pass-The-ticket?

This chain will deploy Mimikatz and export Kerberos tickets. It will then deploy Rubeus and perform a Pass-The-Ticket attack on your domain network.

Pass-the-Ticket is a credential theft technique in which an attacker uses a stolen Kerberos ticket to authenticate as that ticket's owner to resources such as file shares and other computers, without ever knowing the user's password. Adversaries frequently use it to move laterally through an organization's network while looking for opportunities to escalate their privileges.

To export Kerberos tickets, attackers frequently use Mimikatz, an open-source tool that reads authentication material, including Kerberos tickets, out of LSASS memory and can save each ticket to a .kirbi file. Doing so requires administrative rights (or SYSTEM) on the host. They can then use Rubeus to import a stolen ticket into their current logon session, after which Windows uses it for Kerberos authentication as if the ticket's owner had logged on there.

Rubeus is available for download on Github.

Mimikatz is available for download on Github.

Testing

Execute the Is my host protected against Pass-The-ticket? chain in Operator on each host in your environment to test whether it is vulnerable. The Mimikatz step has to read LSASS memory, so the agent must be running with administrative rights on a domain-joined host.

Remediation

Pass-the-Ticket is hard to remediate fully, but two mitigations help. Enable Windows Defender Credential Guard so that the TGTs held by LSASS are isolated in virtualization-based security and cannot be exported by tools like Mimikatz, even by a local administrator (note that a compromised session can still request and use service tickets as the logged-on user). Also reduce the number of systems that administrators log on to interactively, which limits where privileged tickets exist to be stolen and so limits the lateral movement associated with this technique.
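A check for the first mitigation, as an added example (not from the page or from Prelude). It reads the documented Win32_DeviceGuard WMI class, where SecurityServicesRunning contains 1 when Credential Guard is active, and optionally sets the documented registry values that turn it on. The function names are my own; the registry keys, value names and numeric meanings are Microsoft's.

```powershell
# Added example: is Credential Guard actually running on this host?
function Test-CredentialGuard {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
    }
}

function Enable-CredentialGuard {
    # Turns on VBS with Secure Boot as the required platform feature, then enables
    # Credential Guard with the UEFI lock (LsaCfgFlags = 1; use 2 for no lock).
    # Needs a reboot and a machine that supports VBS (UEFI, Secure Boot, virtualization).
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags                      -Value 1 -Type DWord
    Write-Host 'Credential Guard configured; reboot, then re-run Test-CredentialGuard.'
}

$status = Test-CredentialGuard
$status
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is NOT running: a local admin can still export TGTs from LSASS.'
    # Enable-CredentialGuard   # uncomment to apply the registry configuration
}
```

After the reboot, rerun the Operator chain (or the manual Mimikatz export): with Credential Guard running, sekurlsa::tickets /export no longer yields usable TGTs for other logon sessions, which is the concrete signal that the host is protected.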

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.preludesecurity.com/products/operator
Try out Prelude Build: https://platform.preludesecurity.com/build
Try out Prelude Detect: https://www.preludesecurity.com/products/detect
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://www.preludesecurity.com/blog
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1

Source: https://feed.prelude.org

TTPs

Export Kerberos tickets with Mimikatz
Pass-The-Ticket with Rubeus