Any organization that relies on Kerberos authentication—the primary authentication method in Active Directory environments—is potentially vulnerable to a Pass the Ticket attack. Organizations that do not regularly patch their systems, monitor and secure Active Directory, and follow robust security measures for credential and ticket protection are at a higher risk. Let’s discuss how to detect and defend against a Pass the Ticket attack.

What is a Pass the Ticket attack?

A Pass the Ticket attack is a sophisticated tactic. Threat actors use this attack to gain unauthorized access to network resources in environments that use Kerberos, the default authentication protocol in Active Directory.

Unlike password-based attacks, a Pass the Ticket attack exploits the ticket-granting ticket (TGT) and service tickets within the Kerberos authentication process. By capturing and reusing these tickets, attackers can impersonate legitimate users—without needing their actual credentials.

Attackers often use the Pass the Ticket attack in tandem with other techniques as part of multistage attacks. After using a Pass the Ticket attack to gain access to your network, threat actors might deploy ransomware, create backdoors, or establish command-and-control servers for long-term exploitation and persistence. The versatility and stealthy nature of this attack make it a favored technique among advanced persistent threat (APT) operators and other sophisticated attackers.


How does a Pass the Ticket attack work?

In a Pass the Ticket attack, the attacker initially compromises a user’s system or device. Using tools like Mimikatz, Kekeo, Rubeus, or Creddump7, the attacker then extracts Kerberos TGT or service tickets from LSASS memory.

With these tickets in hand, the attacker can then:

Present a stolen ticket to access resources for which the ticket is valid.

Move laterally within the network, accessing systems and services as the compromised user.

Attempt to escalate privileges by capturing the ticket of a user with higher privileges.

Detection of a Pass the Ticket attack is challenging. Because the attacker uses legitimate tickets, these actions often appear as authentic user activities.

Note that a Pass the Ticket attack involves the exploitation of Kerberos tickets—particularly the TGT—that have a lifespan of 10 hours (600 minutes) by default and can be renewed for 7 days. Therefore, the attacker must use the ticket within that period.

What risks are associated with a Pass the Ticket attack?

The primary risk of a Pass the Ticket attack is unauthorized access. By using a valid ticket, attackers can bypass traditional authentication mechanisms, gaining access to sensitive data, applications, and services. The stealthy nature of the attack enables adversaries to maintain persistence within a network for extended periods without detection. Consider the following example scenarios.

Initial compromise

An attacker successfully phishes a low-level employee and gains access to their workstation. Using a tool like Mimikatz or Rubeus, the attacker extracts Kerberos tickets from the system’s memory. The attacker uses these tickets to access network shares, databases, or other resources to which the employee has permissions.

Lateral movement

After compromising a machine, an attacker captures a Kerberos ticket of an IT staff member who had recently logged on to that machine. Using this ticket, the attacker moves to another machine or server to which that IT staff member has access, expanding their footprint within the organization. The attacker can use the ticket to retrieve confidential information, reach additional systems, or execute harmful actions such as deploying malware, creating new user accounts, or altering configurations.

Privilege escalation

From a compromised user’s workstation, an attacker captures a service ticket of an administrator who performed a task on the workstation. Using this ticket, the attacker escalates their privileges within the network, accessing sensitive servers, including an Active Directory domain controller.

Data exfiltration

After gaining a valid ticket, an attacker accesses a database server. The attacker then exfiltrates sensitive data, including client information or intellectual property, without ever needing to crack a password or directly compromise the server.

Stealthy persistence

Instead of using malware or other tools that might trigger antivirus software, an attacker maintains access to the network using stolen tickets, refreshing them as needed and accessing resources without raising any alarms.

Compromising cloud resources

An organization uses single sign-on (SSO) and integrates its on-premises Active Directory with cloud services. An attacker gains a ticket and is then able to access cloud resources, including storage and databases, leading to data breaches.

How can you detect a Pass the Ticket attack?

Detection of a Pass the Ticket attack can be difficult. The legitimate appearance of ticket-based activities complicates the task.

The following detection strategies can help you detect this type of attack:

Anomaly detection. Monitor for unusual access patterns or activities during odd hours. Such patterns might indicate malicious intent.

Monitor authentication events. Audit all Kerberos authentication events and review them for discrepancies. Perform this auditing on both endpoints and domain controllers.

Ticket lifespan. Track the age of tickets and set alerts for tickets that are used beyond their set lifespan.

Monitoring tools. Use advanced threat detection solutions that can recognize Pass the Ticket attack patterns. Also watch for use of tools like Mimikatz, Kekeo, Rubeus, and Creddump7.

Large-scale environments often use a security information and event management (SIEM) system or other filtering and alerting mechanism to scan event logs and alert admins based on logon events. However, certain attacks are adept at covering all traces of their behavior in Active Directory. Such attacks can sneak past SIEM detection.
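As an added example (not code from the original post or from Semperis), the following Python script applies two of the detection heuristics above to a handful of constructed Windows Security events: a service ticket request (event 4769) from a client address that never requested a TGT (event 4768), and a service ticket used more than the default 10-hour TGT lifetime after the last TGT issuance or renewal (event 4770). The event IDs are real Kerberos audit events; the field layout, timestamps, user names and addresses are constructed for the example.

```python
from datetime import datetime, timedelta

# Default "Maximum lifetime for user ticket" is 10 hours (600 minutes).
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events, not real logs: (timestamp, event_id, user, client_ip)
SAMPLE_EVENTS = [
    ("2024-05-01 08:00:00", 4768, "alice", "10.0.0.5"),   # TGT issued to alice's host
    ("2024-05-01 08:05:00", 4769, "alice", "10.0.0.5"),   # normal: TGS request follows TGT
    ("2024-05-01 09:00:00", 4769, "alice", "10.0.0.77"),  # suspicious: no TGT ever issued to .77
    ("2024-05-01 19:30:00", 4769, "alice", "10.0.0.5"),   # suspicious: 11.5 h after the TGT
]


def parse(event):
    """Turn one constructed record into (datetime, event_id, user, client_ip)."""
    ts, event_id, user, ip = event
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, user, ip


def find_suspicious(events, lifetime=TGT_LIFETIME):
    """Return findings as (reason, user, client_ip, timestamp) tuples.

    The state kept is minimal: the time of the most recent TGT issuance (4768)
    or renewal (4770) per (user, client_ip) pair. A 4769 for a pair with no
    such record, or one that arrives after the lifetime has elapsed, is flagged.
    """
    last_tgt = {}
    findings = []
    for ts, event_id, user, ip in sorted(map(parse, events)):
        key = (user, ip)
        if event_id in (4768, 4770):
            last_tgt[key] = ts          # issuance or renewal resets the clock
        elif event_id == 4769:
            if key not in last_tgt:
                findings.append(("service ticket without prior TGT request", user, ip, ts))
            elif ts - last_tgt[key] > lifetime:
                findings.append(("ticket used past TGT lifetime", user, ip, ts))
    return findings


if __name__ == "__main__":
    for reason, user, ip, ts in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {user}@{ip}: {reason}")
```

In production the lookback window must be long enough to hold the TGT issuance that precedes each service ticket request, and events from every domain controller must be merged before correlation, since the TGT and the service ticket can be issued by different DCs.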

How can you defend against a Pass the Ticket attack?

Mitigation focuses on both prevention and limitation:

Limit ticket lifetime. Reduce the lifetime of TGTs and service tickets. The default lifetime for tickets is 600 minutes (10 hours).

Regularly patch systems. Verify that all systems, especially domain controllers, are patched regularly.

Protect privileged accounts. Limit the number of privileged accounts and employ multifactor authentication (MFA).

Monitor and audit Active Directory. Regularly review and audit Active Directory logs. Configure alerts for suspicious activities. Better yet, deploy a solution that is designed to secure Active Directory and monitors the Active Directory replication stream rather than depending on logs.

To defend against a Pass the Ticket attack and other Kerberos-related attacks, Active Directory administrators must maintain a strong security posture:

Implement Restricted Admin mode. This step prevents administrators’ credentials from being stored in memory when they use RDP to connect to a system.

Apply security baselines. Implement Microsoft security baselines for Active Directory and Group Policy.

Keep your systems up to date. Ensure timely patching of systems and software.

Deploy Credential Guard. Available in Windows 10 and Windows Server 2016 and later, Credential Guard uses virtualization-based security to isolate credential storage and grant access only to trusted processes. The feature also helps isolate and protect LSASS from credential-dumping tools.

Educate users. Train users with domain or elevated credentials to avoid logging on to untrusted hosts.

Defend Kerberos-reliant networks to reduce risk

The Pass the Ticket attack exemplifies the advanced techniques that modern adversaries use to exploit seemingly robust authentication systems. By understanding the mechanics of a Pass the Ticket attack, you can better defend your Kerberos-reliant networks.

The best way to bolster your defenses and significantly reduce the risk of such advanced threats is to take proactive measures to secure Active Directory. Such steps include continuous monitoring and the use of robust identity threat detection and response (ITDR) solutions. A monitoring system like Semperis Directory Services Protector, which is designed to detect advanced attacks and automate rollback of suspicious changes in Active Directory, can provide greater peace of mind in the face of an attempted Pass the Ticket attack.

The post How to Defend Against a Pass the Ticket Attack: AD Security 101 appeared first on Semperis.