Pass-the-Ticket
Pass-the-Ticket steals valid Kerberos tickets from compromised systems to impersonate users and move laterally across the network without needing passwords.
Pass-the-Ticket (PtT) is a post-exploitation lateral movement technique where an attacker steals a valid Kerberos ticket from a compromised system and uses it to authenticate to other services without knowing the user's password. The stolen ticket, either a Ticket Granting Ticket (TGT) or a Ticket Granting Service (TGS) ticket, is injected into the attacker's session to impersonate the legitimate user across the network.
The attacker first gains access to a system and uses tools such as Mimikatz or Rubeus to extract Kerberos tickets from memory. TGTs held in the LSASS process are particularly valuable because they can be used to request TGS tickets for any service the user is permitted to access. The attacker exports the ticket and imports it into their own session on a different machine, effectively assuming the identity of the compromised user. With a stolen TGT belonging to a domain administrator, the attacker can request service tickets for any resource in the domain. Unlike Pass-the-Hash, this technique works in environments that have disabled NTLM authentication, because it operates entirely within the Kerberos protocol. Stolen tickets remain usable until they expire, which for TGTs is typically 10 hours.
Pass-the-Ticket is a primary lateral movement technique in modern Active Directory attacks. It remains effective in hardened environments that have disabled NTLM authentication and enforced Kerberos-only policies. Detection depends on monitoring for ticket usage anomalies, such as tickets used from unexpected IP addresses or unusual service access patterns. Organizations should configure short ticket lifetimes, enable Kerberos armoring, place privileged accounts in the Protected Users security group, deploy Credential Guard on endpoints, and monitor for suspicious ticket-granting activity.
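The detection idea above (tickets used from an IP address other than the one they were issued to) can be expressed as a simple correlation of domain-controller audit events. The following is an added example written for this article, not code from the original page or from any vendor tool; it assumes simplified event records with the fields `id`, `time`, `user`, `ip` and `svc`, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample domain-controller events (not real logs).
# 4768 = TGT issued (Kerberos authentication ticket requested),
# 4769 = service ticket (TGS) requested. Field names are simplified assumptions.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "ip": "10.0.1.20"},
    {"id": 4769, "time": "2024-05-01T08:05:00", "user": "alice", "ip": "10.0.1.20", "svc": "cifs/fs01"},
    # alice's TGT is suddenly used from a host that never requested one for her
    {"id": 4769, "time": "2024-05-01T09:30:00", "user": "alice", "ip": "10.0.9.77", "svc": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T09:31:00", "user": "alice", "ip": "10.0.9.77", "svc": "ldap/dc01"},
    {"id": 4768, "time": "2024-05-01T08:10:00", "user": "bob", "ip": "10.0.1.31"},
    {"id": 4769, "time": "2024-05-01T08:12:00", "user": "bob", "ip": "10.0.1.31", "svc": "http/web01"},
]

TGT_LIFETIME = timedelta(hours=10)  # default TGT lifetime cited in the article


def find_pass_the_ticket(events, lifetime=TGT_LIFETIME):
    """Return TGS requests (4769) for which the same user has no TGT request
    (4768) from the same client IP within the preceding ticket lifetime.
    A TGT issued to one host but presented from another is the core PtT signal."""
    tgt_issued = {}  # (user, ip) -> list of TGT issue times
    for e in events:
        if e["id"] == 4768:
            tgt_issued.setdefault((e["user"], e["ip"]), []).append(
                datetime.fromisoformat(e["time"]))
    alerts = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        issued = tgt_issued.get((e["user"], e["ip"]), [])
        # Legitimate use: a TGT was issued to this user on this host within the lifetime.
        if not any(t - lifetime <= t0 <= t for t0 in issued):
            alerts.append({"user": e["user"], "ip": e["ip"],
                           "svc": e["svc"], "time": e["time"]})
    return alerts


if __name__ == "__main__":
    for a in find_pass_the_ticket(SAMPLE_EVENTS):
        print(f"suspicious TGS request: {a['user']} from {a['ip']} -> {a['svc']} at {a['time']}")
```

In production the same rule needs a log window at least as long as the ticket lifetime and allow-listing for hosts whose users legitimately change addresses (VPN pools, DHCP churn), otherwise it produces false positives.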
Written by CDA Editorial