Conducting Pass-the-Ticket Attack
Overview
Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from memory (LSASS) on a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user.
MITRE ATT&CK Mapping
- T1550.003 - Use Alternate Authentication Material: Pass the Ticket
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1558 - Steal or Forge Kerberos Tickets
- T1021.002 - Remote Services: SMB/Windows Admin Shares
Implementation Steps
Phase 1: Ticket Extraction
- Gain local admin access on target workstation
- Dump Kerberos tickets from LSASS memory using Mimikatz or Rubeus
- Export tickets in .kirbi format (Mimikatz) or base64 (Rubeus)
- Identify high-value tickets (Domain Admin TGTs, service tickets to critical systems)
Phase 2: Ticket Injection
- Purge existing Kerberos tickets from attacker session
- Import/inject stolen ticket into current session
- Verify ticket is loaded and valid
- Access target resources using injected ticket
Phase 3: Lateral Movement
- Access remote systems using the stolen ticket identity
- Perform actions as the impersonated user
- Collect additional credentials from accessed systems
- Document evidence of successful lateral movement
Tools and Resources
| Tool | Purpose | Command |
|---|---|---|
| Mimikatz | Ticket export/import | sekurlsa::tickets /export, kerberos::ptt |
| Rubeus | Ticket dumping and injection | dump, ptt, tgtdeleg |
| Impacket ticketConverter | Convert between formats | ticketConverter.py ticket.kirbi ticket.ccache |
| Impacket psexec/smbexec | Remote execution with ticket | KRB5CCNAME=ticket.ccache psexec.py |
Detection Indicators
- Event ID 4768 with unusual client addresses
- Event ID 4769 service ticket requests from unexpected hosts
- TGT usage from different IP than the TGT was issued to
- Multiple authentications from same ticket across different workstations
Validation Criteria
- [ ] Kerberos tickets extracted from compromised host
- [ ] Tickets injected into attacker session
- [ ] Lateral movement demonstrated using stolen tickets
- [ ] Evidence captured for reporting
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
- ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
- NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add conducting-pass-the-ticket-attack
# Or load dynamically via MCP
grc.load_skill("conducting-pass-the-ticket-attack")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.