Pass-the-Ticket
What is Pass-the-Ticket?
Pass-the-Ticket: An Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without ever knowing the underlying password.
Pass-the-Ticket (PtT) abuses Kerberos by injecting a previously stolen TGT or service ticket into the current logon session and using it to access resources as the original principal. Attackers harvest tickets from LSASS memory or from kirbi files on compromised hosts, typically with Mimikatz or Rubeus, then inject them on another machine to authenticate to SMB shares, MSSQL, or DCs. MITRE ATT&CK tracks the technique as T1550.003 (Use Alternate Authentication Material: Pass the Ticket). Defences include enabling Credential Guard, enforcing short ticket lifetimes, protecting privileged accounts with the Protected Users group, monitoring Kerberos events, and detecting Mimikatz-style memory access.
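One way to act on the "monitoring Kerberos events" defence above, as an added example that is not part of the original entry: flag service-ticket requests (event 4769) from a source address that has no TGT request (event 4768) for the same account. The event records are constructed and reduced to a few fields, the function names are hypothetical, and the 7-day lookback is an assumption based on the default ticket renewal limit.

```python
from datetime import datetime, timedelta

# Assumption: default "maximum lifetime for user ticket renewal" of 7 days.
LOOKBACK = timedelta(days=7)

# Constructed sample records; real 4768/4769 events carry many more fields.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "user": "alice",
     "ip": "::ffff:10.0.0.21"},
    {"time": "2024-05-01T08:05:00", "id": 4769, "user": "alice@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.21", "service": "cifs/fs01"},
    {"time": "2024-05-01T09:00:00", "id": 4768, "user": "bob",
     "ip": "::ffff:10.0.0.30"},
    # alice's ticket is used from a host that never requested a TGT for her
    {"time": "2024-05-01T09:30:00", "id": 4769, "user": "alice@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.77", "service": "ldap/dc01"},
]

def norm_user(name):
    """4769 logs 'user@REALM', 4768 logs 'user'; compare on the bare name."""
    return name.split("@")[0].lower()

def norm_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix that Kerberos events use."""
    return ip.removeprefix("::ffff:")

def find_ticket_reuse(events, lookback=LOOKBACK):
    """Return 4769 events with no 4768 for the same (user, ip) in the lookback."""
    tgt_seen = {}  # (user, ip) -> time of the most recent TGT request
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (norm_user(ev["user"]), norm_ip(ev["ip"]))
        if ev["id"] == 4768:
            tgt_seen[key] = when
        elif ev["id"] == 4769:
            issued = tgt_seen.get(key)
            if issued is None or when - issued > lookback:
                alerts.append(ev)
    return alerts

if __name__ == "__main__":
    for hit in find_ticket_reuse(EVENTS):
        print("possible ticket reuse:", hit["user"], norm_ip(hit["ip"]), hit["service"])
```

Address changes from DHCP or NAT and gaps in log collection produce false positives, so treat hits as leads to correlate with host telemetry rather than as verdicts.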
● Examples
- 01: Stealing a domain admin's TGT from a workstation and reusing it to connect to a domain controller.
- 02: Exporting tickets with Rubeus and injecting them on an attacker-controlled host to query AD.
● Frequently asked questions
What is Pass-the-Ticket?
An Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without ever knowing the underlying password. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Pass-the-Ticket?
Defences for Pass-the-Ticket typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Pass-the-Ticket?
Common alternative names include: PtT.
● Related terms
- Kerberos (identity-access, № 584): A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- Pass-the-Hash (attacks, № 790): A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.
- Golden Ticket (attacks, № 447): A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.
- Silver Ticket (attacks, № 1045): A forged Kerberos service ticket (TGS) created with the password hash of a target service account, granting silent access to that one service.
- Mimikatz (defense-ops, № 682): An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- Active Directory (identity-access, № 013): Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.