Pass the Ticket is a credential theft technique that allows attackers to use stolen Kerberos tickets to authenticate as a user to resources (such as file shares and other computers) without compromising the user's password. Adversaries frequently employ this technique to move laterally through an organization's network in search of opportunities to increase their privileges.
To export Kerberos tickets, attackers frequently utilize Mimikatz, an open-source tool that allows users to see and store authentication credentials such as Kerberos tickets. They may then use a program called Rubeus to import these tickets into their local session.
Rubeus is available for download on GitHub.
Mimikatz is available for download on GitHub.
Run the "Is my host protected against Pass-The-ticket?" chain in Operator on each host in your environment to test if you are vulnerable.
This chain will deploy Mimikatz and export Kerberos tickets. It will then deploy Rubeus and perform a Pass-The-Ticket attack on your domain network.
Pass-the-Ticket attacks are always a challenge to fully remediate, but mitigation includes enabling Windows Defender Credential Guard to protect credential storage and reducing the number of systems administrators have access to, which will prevent the widespread lateral movement associated with this technique.
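To audit both mitigations on a single host, the following PowerShell is an added example (not part of the original post or of Prelude's chain). It reports whether Credential Guard is configured and running, and lists who holds local administrator rights; the function names are hypothetical, and it assumes an elevated session on Windows 10 / Server 2016 or later.

```powershell
# Added example: audit Credential Guard and local admin membership on this host.
# Function names are illustrative, not from any Prelude tooling.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports virtualization-based security (VBS) services.
    # In SecurityServicesConfigured / SecurityServicesRunning, 1 = Credential Guard.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbs
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
    }
}

function Get-LocalAdminExposure {
    # Resolve the built-in Administrators group by its well-known SID so the
    # check also works on localized systems.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running on this host.'
}

$admins = Get-LocalAdminExposure
$admins | Format-Table -AutoSize

# Domain groups in local Administrators extend admin rights to every member
# of that group, which widens the reach of a stolen ticket.
$admins | Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
    ForEach-Object { Write-Warning "Domain group with local admin rights: $($_.Name)" }
```

Collecting this output across hosts shows which machines lack Credential Guard and which domain groups grant administrator access most broadly.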
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!