# T1550.003 Pass the Ticket

-----------------------------------------------------------------------

## Technique Description

Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

When performing PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)

A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)

A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the NTLM hash of the KRBTGT account (the Key Distribution Service account), which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)

Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using an NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)

## Technique Detection

Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

Event ID 4769 is generated on the Domain Controller when a golden ticket is used after the KRBTGT password has been reset twice (the mitigation recommended in the CERT-EU paper cited below). Status code 0x1F indicates the request failed with "Integrity check on decrypted field failed", which points to use of a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Lateral-Movement

### Platforms:

  * Windows

### System Requirements:

  * Kerberos authentication enabled

### Defenses Bypassed:

  * System Access Controls

### Data Sources:

  * **Logon Session:** Logon Session Creation

  * **Active Directory:** Active Directory Credential Request

  * **User Account:** User Account Authentication

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) successfully gained remote access by using pass the ticket.(Citation: Cybereason Cobalt Kitty 2017)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1550/003)

  * [Capec](https://capec.mitre.org/data/definitions/645.html)

  * [Adsecurity Ad Kerberos Attacks](https://adsecurity.org/?p=556), Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.

  * [Gentilkiwi Pass The Ticket](http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos), Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016.

  * [Campbell 2014](http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf), Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014.

  * [Stealthbits Overpass-The-Hash](https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/), Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.

  * [Cert-Eu Golden Ticket Protection](https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf), Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 7 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- The adversary may have acquired a stolen TGT and used it to request service tickets, and may even have renewed it, without ever making the initial TGT request. Identifying the account whose key encrypted (signed) the tickets is key to establishing the depth of the compromise.
- Because of the volume of Kerberos traffic on a Windows domain, narrow the hunt first to the suspected time of infection or to specific IPs of interest.
- Attackers harvest TGTs on one system and use them on another. The signal is therefore a TGS request or TGT renewal for a particular account / client pair that has no associated TGT request from that same pair: for each TGS request or renewal, scan back the previous "X" hours (the domain's TGT lifetime) for a TGT request matching that user and client.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 |  | 1, 2 |

## Detection Blindspots

- Kerberos is native to most Windows environments, providing authentication to services, so there is potentially a large amount of legitimate traffic to sift through. If an adversary gains access to the krbtgt account's key, they can forge tickets the domain will accept and set the ticket lifetime to whatever they choose.
- Network operators may need to verify successful Kerberos authentication with host logs
- Sensor placement

## Analytical References

  * [Mimikatz and Active Directory Kerberos Attacks](https://adsecurity.org/?p=556)
  * [Mimikatz Pass The Ticket](http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos)
  * [The Secret Life of Krbtgt](http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf)
  * [Mimikatz Guide](https://adsecurity.org/?page_id=1821)
  * [Kerberos Golden Tickets are Now More Golden](https://adsecurity.org/?p=1640)
  * [Mimikatz and DCSync](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my)
  * [PowerShellEmpire](https://github.com/PowerShellEmpire/Empire)
  * [Seadukes Latest Weapon](http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory)
  * [royalcli and royaldns](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/)
  * [No Easy Breach](http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016)
  * [Bronze Butler Targets Japanese Businesses](https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses)
  * [Operation Cobalt Kitty](https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf)
  * [Kerberos Golden Ticket Protection](https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf)
  * [How to Detect Pass The Ticket](https://stealthbits.com/blog/how-to-detect-pass-the-ticket-attacks/)
  * [Kerberos Wireshark Captures on Windows](https://medium.com/@robert.broeckelmann/kerberos-wireshark-captures-a-windows-login-example-151fabf3375a)
  * [Kerberoasting](https://triskelelabs.com/kerberoasting/)
  * [Kerberos Network Authentication Service (V5) Synopsis](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/b4af186e-b2ff-43f9-b18e-eedb366abf13)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
- Pass the Ticket is hard to find without more specialized tools. The analytics below return a large number of ticket requests and renewals, and you have to work out which renewals and service-ticket requests do and do not have a matching TGT request.
- A capability to track hashes of Kerberos tickets through Arkime (Moloch) would allow ticket use to be followed as it moves across the network, specifically the ticket-granting service response message (KRB_TGS_REP). This is not currently available.

#### Analytic 1 (APT 29)
 
  * **Information:** Pass the ticket has to be detected on the Domain Controller, where the Kerberos ticket events (4768/4769/4770) are logged.

  * **Source:** Windows Audits

  * **Tool:** Kibana

  * **Notes:** The main way to identify PtT is a ticket renewal (Event ID 4770) or service ticket request (Event ID 4769) for an account / client address pair with no matching TGT request (Event ID 4768) for that pair within the time period defined by the domain's TGT lifetime (e.g. 10 hours).

  * **Query:** ```Event_ID:(4768 OR 4769 OR 4770) AND <Domain Controller IP>```

#### Analytic 2 (APT 29)

  * **Information:** Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events

  * **Source:** Windows Audits

  * **Tool:** Kibana

  * **Notes:** An empty Account Domain field is cause for more investigation.

  * **Query:** ```Event_ID:(4624 OR 4672 OR 4634)```
  * **Query:** ```Event_ID:(4624 OR 4672 OR 4634) AND NOT _exists_:"Account Domain"``` (Lucene syntax; the field name depends on how the events were ingested, and a domain logged as an empty string rather than a missing field needs a separate check)
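The correlation described in the Overall Hypothesis and in Analytics 1 and 2 above, as an added example that is not part of the original page or of MITRE ATT&CK. It runs over a constructed set of Domain Controller Security events (made-up accounts, hosts and timestamps; the field names are the EventData names Windows uses): a 4769 or 4770 for an account / client address pair with no successful 4768 for that pair within the assumed 10-hour TGT lifetime is flagged, a 4770 that is itself explained by a 4768 extends the chain, and 4624/4672/4634 events with an empty Account Domain are listed separately.

```python
"""Added example (not part of the original page or of MITRE ATT&CK): correlate
Domain Controller Security events to find Kerberos ticket use with no
preceding TGT request (Overall Hypothesis / Host Analytic 1) and logon events
with a blank Account Domain (Host Analytic 2)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the EventData names Windows
# uses for 4768/4769/4770/4624; every value is made up for this example.
# Real-world quirks reproduced on purpose: 4768 logs the sAMAccountName and an
# IPv4-mapped IPv6 client address, while 4769/4770 log the UPN form.
EVENTS = [
    {"EventID": 4768, "TimeCreated": "2022-06-23T08:01:10", "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.0.21", "ServiceName": "krbtgt", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2022-06-23T08:01:12", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.21", "ServiceName": "cifs/files01.corp.local"},
    # alice's TGT is renewed and used from 10.0.0.77, a host where she never got a TGT
    {"EventID": 4770, "TimeCreated": "2022-06-23T09:15:00", "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.77", "ServiceName": "krbtgt"},
    {"EventID": 4769, "TimeCreated": "2022-06-23T09:15:03", "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.77", "ServiceName": "cifs/files01.corp.local"},
    # network logon for alice on the DC with an empty Account Domain (Analytic 2)
    {"EventID": 4624, "TimeCreated": "2022-06-23T09:15:05", "TargetUserName": "alice",
     "TargetDomainName": "", "IpAddress": "10.0.0.77", "LogonType": "3"},
    # carol's only TGT is 13.5 h old when the service ticket is requested
    {"EventID": 4768, "TimeCreated": "2022-06-22T20:00:00", "TargetUserName": "carol",
     "IpAddress": "::ffff:10.0.0.30", "ServiceName": "krbtgt", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2022-06-23T09:30:00", "TargetUserName": "carol@CORP.LOCAL",
     "IpAddress": "::ffff:10.0.0.30", "ServiceName": "ldap/dc01.corp.local"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _user(event):
    """Normalise 'bob', 'bob@CORP.LOCAL' and 'BOB' to 'bob'."""
    return event["TargetUserName"].split("@")[0].lower()


def _ip(event):
    """Strip the IPv4-mapped prefix the DC writes into Kerberos events."""
    ip = event.get("IpAddress", "")
    return ip[7:] if ip.startswith("::ffff:") else ip


def find_orphan_ticket_use(events, window_hours=10):
    """Return 4769/4770 events whose (account, client IP) pair has no successful
    4768 within window_hours before them (10 h assumed: the default TGT lifetime).
    A 4770 that is itself explained by a TGT request extends the chain, so later
    service-ticket requests are judged against the renewal, not the original TGT."""
    window = timedelta(hours=window_hours)
    anchors = defaultdict(list)  # (user, ip) -> times a TGT was issued or renewed
    orphans = []
    for e in sorted(events, key=_ts):
        key, t = (_user(e), _ip(e)), _ts(e)
        # a 4768 with a non-zero Status is a failed TGT request and anchors nothing
        if e["EventID"] == 4768 and e.get("Status", "0x0") == "0x0":
            anchors[key].append(t)
        elif e["EventID"] in (4769, 4770):
            if any(t - window <= a <= t for a in anchors[key]):
                if e["EventID"] == 4770:
                    anchors[key].append(t)
            else:
                orphans.append({"EventID": e["EventID"], "user": key[0], "ip": key[1],
                                "service": e.get("ServiceName", ""), "time": e["TimeCreated"]})
    return orphans


def find_blank_domain_logons(events):
    """Host Analytic 2: 4624/4672/4634 whose Account Domain (TargetDomainName) is empty."""
    return [e for e in events
            if e["EventID"] in (4624, 4672, 4634) and not e.get("TargetDomainName")]


if __name__ == "__main__":
    for o in find_orphan_ticket_use(EVENTS):
        print("ticket use without TGT request:", o)
    for e in find_blank_domain_logons(EVENTS):
        print("blank Account Domain:", e["EventID"], e["TargetUserName"], e["IpAddress"])
```

Run it as a script to print the flagged events. In a multi-DC domain the TGT may be issued by a different DC than the one that serves the TGS request, so the input has to be the merged 4768/4769/4770 stream from every DC, and the look-back window has to cover the domain's actual TGT lifetime, or legitimate users will be flagged alongside the stolen tickets.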



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Due to the amount of Kerberos traffic that may exist, detection is time intensive.
- Look for processes loading files that were created on disk moments earlier (e.g. within a 1-minute window). Stack the values of the processes and files involved; the files can be tagged as signed or unsigned from the information in the security events.
- In pass-the-ticket the attacker does not request the TGT; it is stolen from LSASS on a compromised host. They may renew it, and they will use it to request TGS service tickets.

#### Analytic 1 (APT 29)

  * **Information:** Identify Kerberos traffic in which specific pieces of data are missing or mismatched.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Filter for the Kerberos protocol and identify the sname (the service name being requested), cname (the user name being authenticated) and realm (the Kerberos realm, a.k.a. the Windows domain name). Associate host IPs as needed. Identify the pre-authentication exchange (AS-REQ/AS-REP); when Kerberos runs over TCP this follows the TCP handshake.

  * **Query Arkime:** 
    - `protocols == krb5 && krb5.cname == [user of interest] && krb5.realm == [domain if known] && krb5.sname == [service if known] && smb.share == [path]`

  * **Query Kibana:** 
    - `protocol: krb5 AND krb5.cname: [user of interest] AND krb5.realm: [domain if known] AND krb5.sname: [service if known]`
    

#### Analytic 2 (APT 29)

  * **Information:** Identify access to abnormal resources by filtering for sessions with an sname but no cname (this should return TGS-REQ/TGS-REP sessions), export the unique snames and look for statistical outliers (abnormally high or low counts). Hunt for abnormal authentication to resources by checking the cname in the TGS-REP and verifying that an AS-REQ/AS-REP exists for that user and that the IP address is expected for them.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** 

  * **Query Arkime:** 
    - `protocols == krb5 && krb5.sname == EXISTS! && krb5.cname != EXISTS!`
    - `krb5.sname == [sname of interest]`
    - export unique snames with counts and identify outliers
    
#### Analytic 3

  * **Information:** Identify key information from kerberos.log files utilizing Zeek.

  * **Source:** PCAP

  * **Tool:** Zeek

  * **Notes:** Zeek can provide an in-depth understanding of network traffic and key pieces of network connections that can aid in identifying adversary activity.

  * **Zeek:** 
      * Analyze kerberos.log file
          * request_type - Authentication Service (AS) or Ticket Granting Service (TGS)
          * client - the client attempting authentication
          * success - request result (boolean)
          * cipher - ticket encryption type
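Analytics 2 and 3 applied to a Zeek kerberos.log, as an added example that is not part of the original page or of Zeek. The log excerpt is constructed (made-up hosts, accounts and services in Zeek's TSV layout, with a subset of the columns Zeek writes), the "weak" cipher list is an assumed policy expressed in Zeek's cipher names, and the checks are: stack successful TGS requests by service and pull out the rare ones, flag TGS exchanges whose client principal never obtained a TGT (a successful AS exchange) from that source IP in the capture, and list exchanges negotiated with RC4 or DES, the etypes seen when a ticket is driven from an NTLM hash (overpass-the-hash).

```python
"""Added example (not part of the original page, nor Zeek's own scripts):
parse a Zeek kerberos.log and apply the checks from Network Analytics 2 and 3."""
from collections import Counter, defaultdict

# Constructed kerberos.log excerpt in Zeek's TSV layout with a subset of the
# columns Zeek writes (hosts, accounts and services are made up). Zeek records
# client as "<cname>/<realm>", booleans as T/F and unset fields as "-".
KERBEROS_LOG = "\n".join([
    "#separator \\x09",
    "#path\tkerberos",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trequest_type"
    "\tclient\tservice\tsuccess\terror_msg\tcipher\tforwardable\trenewable",
    # bob logs on from his workstation and opens a share: AS then TGS from 10.0.0.21
    "1655971270.1\tCa1\t10.0.0.21\t50001\t10.0.0.5\t88\tAS\tbob/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tT\t-\taes256-cts-hmac-sha1-96\tT\tT",
    "1655971272.4\tCa2\t10.0.0.21\t50002\t10.0.0.5\t88\tTGS\tbob/CORP.LOCAL\tcifs/files01.corp.local\tT\t-\taes256-cts-hmac-sha1-96\tT\tT",
    # alice logs on from 10.0.0.30 ...
    "1655971400.0\tCa3\t10.0.0.30\t50010\t10.0.0.5\t88\tAS\talice/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tT\t-\taes256-cts-hmac-sha1-96\tT\tT",
    "1655971402.2\tCa4\t10.0.0.30\t50011\t10.0.0.5\t88\tTGS\talice/CORP.LOCAL\tcifs/files01.corp.local\tT\t-\taes256-cts-hmac-sha1-96\tT\tT",
    # ... but her TGT is then presented from 10.0.0.77, which never obtained one for her
    "1655975700.9\tCa5\t10.0.0.77\t50020\t10.0.0.5\t88\tTGS\talice/CORP.LOCAL\tcifs/files01.corp.local\tT\t-\taes256-cts-hmac-sha1-96\tT\tT",
    "1655975703.3\tCa6\t10.0.0.77\t50021\t10.0.0.5\t88\tTGS\talice/CORP.LOCAL\tldap/dc01.corp.local\tT\t-\taes256-cts-hmac-sha1-96\tT\tT",
    # the same host then gets a TGT for a service account using RC4 (an NTLM-hash-derived key)
    "1655975800.0\tCa7\t10.0.0.77\t50022\t10.0.0.5\t88\tAS\tsvc_backup/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tT\t-\trc4-hmac\tT\tT",
    "1655975802.0\tCa8\t10.0.0.77\t50023\t10.0.0.5\t88\tTGS\tsvc_backup/CORP.LOCAL\tMSSQLSvc/sql01.corp.local:1433\tT\t-\trc4-hmac\tT\tT",
    # a failed pre-authentication, logged with no cipher
    "1655975900.0\tCa9\t10.0.0.40\t50030\t10.0.0.5\t88\tAS\tdave/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tF\tKDC_ERR_PREAUTH_FAILED\t-\t-\t-",
])

# Assumed policy: etypes that an NTLM hash (RC4) or a legacy DES key can drive,
# named as Zeek names them in its cipher table.
WEAK_CIPHERS = {"rc4-hmac", "rc4-hmac-exp", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_kerberos_log(text):
    """Turn Zeek's TSV into dicts keyed by the #fields header; '-' becomes None."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if not line.strip():
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed kerberos.log line: %r" % line)
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        rec["ts"] = float(rec["ts"])
        rec["success"] = rec["success"] == "T"
        records.append(rec)
    return records


def service_stack(records):
    """Analytic 2, step 1: count successful TGS requests per sname."""
    return Counter(r["service"] for r in records
                   if r["request_type"] == "TGS" and r["success"] and r["service"])


def rare_services(records, max_count=1):
    """Snames requested at most max_count times: the low-count outliers to review."""
    return [s for s, n in service_stack(records).items() if n <= max_count]


def client_ip_mismatches(records):
    """Analytic 2, step 2: TGS exchanges for a client principal from a source IP
    that never completed an AS exchange (never obtained a TGT) for that principal
    within the capture. Only meaningful if the capture covers the AS exchange."""
    tgt_sources = defaultdict(set)
    for r in records:
        if r["request_type"] == "AS" and r["success"] and r["client"]:
            tgt_sources[r["client"]].add(r["id.orig_h"])
    return [(r["client"], r["id.orig_h"], r["service"]) for r in records
            if r["request_type"] == "TGS" and r["client"]
            and r["id.orig_h"] not in tgt_sources[r["client"]]]


def weak_cipher_exchanges(records):
    """Analytic 3 cipher field: exchanges negotiated with an RC4 or DES etype."""
    return [(r["request_type"], r["client"], r["id.orig_h"], r["cipher"])
            for r in records if r["cipher"] in WEAK_CIPHERS]


if __name__ == "__main__":
    recs = parse_kerberos_log(KERBEROS_LOG)
    print("service stack:", dict(service_stack(recs)))
    print("rare services:", rare_services(recs))
    print("TGS from a host with no TGT for that client:", client_ip_mismatches(recs))
    print("weak cipher exchanges:", weak_cipher_exchanges(recs))
```

The source-IP check depends on the AS exchange being inside the capture: a sensor that only sees the segment where the stolen ticket is replayed, or a capture that starts after the user logged on, produces the same result as a stolen ticket, so treat a hit as a lead to confirm against the DC's 4768 events rather than as a verdict.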

**Tools:**

**Arkime (formerly Moloch)**

Arkime's views are an easy way to filter the data based on a chosen expression. Note: if you go on to look for other data related to your investigation, you may need to stop using the view in order to see all of the data again.
 
![T1550.003 Pass the Ticket](../../Images/T1550.003_Pass_the_Ticket1.png)

This dropdown is located at the top right of the Arkime Sessions page.

You have the option to create a “New View” or select from a previously created view.

![T1550.003 Pass the Ticket](../../Images/T1550.003_Pass_the_Ticket2.png)

If you select New View, two dialog boxes appear below the time and date parameters.

In the first you name the view so it can be found in the dropdown mentioned above; the second takes the search expression the view applies.


Some of the options are:

**krb5.realm**

Typically corresponds to the DNS domain used to group users to a particular Kerberos database.

**krb5.cname**

This field contains the name part of the client's principal identifier

**krb5.sname**

This field specifies the name part of the server's identity


If you would like all of the traffic that has been parsed as Kerberos, use:

`protocols == krb5`




What am I looking for:

  - The realm and sname help you identify the part of the network the IP is trying to authenticate to and what is being accessed.

  - These are typically less helpful, as all IPs in that realm use the same DC and it is highly unlikely that an APT would deviate from the infrastructure already in place.



The src and dst IP as well as what ports they are using. 

  - Is it an uncommon port (unlikely)

  - Are those IP’s supposed to be communicating in this manner?



If you have PCAP for the traffic, the hex data shows the realm as well as the account whose key encrypted ("signed") the ticket; for a TGT this is "krbtgt", the account whose key protects every TGT in the domain.

  - In the hex portion of Arkime you can see which Kerberos account signed the ticket; in this case it is krbtgt.

  - krbtgt is the default account that exists in every Active Directory domain (and on any Kerberos KDC). It is created with the domain and is normally left in place to avoid problems later.

  - Any custom account in that position needs to be raised with the MP to verify it is benign. Custom accounts are used by APTs to maintain persistence, and the tickets issued under them can be used for lateral movement.


![T1550.003 Pass the Ticket](../../Images/T1550.003_Pass_the_Ticket3.png)

**ELKibana**

The best way to capture pass the ticket is to ingest Windows event logs into Logstash (edit the Winlogbeat config to comment out the Elasticsearch output and uncomment the Logstash output).

Below are some examples of how you can use Kibana to assist you with your hunt.

- Kerberos realm of what server is handling the request.
- Timestamp
- Hostname/user


![T1550.003 Pass the Ticket](../../Images/T1550.003_Pass_the_Ticket4.png)

- Protocol: Could be attempted use of expired ticket
- Packets: Attempt to see if successful connections use an alternate port
- Count: The number of times this connection happened

![T1550.003 Pass the Ticket](../../Images/T1550.003_Pass_the_Ticket5.png)

Screenshot of a saved search that can be added to dashboards.

![T1550.003 Pass the Ticket](../../Images/T1550.003_Pass_the_Ticket6.png)

**Suricata:**

Rule examples (Suricata's built-in krb5 app-layer event rules):

- `alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 malformed request data"; flow:to_server; app-layer-event:krb5.malformed_data; classtype:protocol-command-decode; sid:2226000; rev:1;)`

- `alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)`