EXPLORE
Sign In
← Back to Explore
T1550.003

Pass the Ticket

Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. When preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by ...

Windows
11
Detections
3
Sources
3
Threat Actors

BY SOURCE

4sigma4splunk_escu3elastic

PROCEDURES (9)

Unusual2 detections

Auto-extracted: 2 detections for unusual

Spray2 detections

Auto-extracted: 2 detections for spray

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Bypass1 detections

Auto-extracted: 1 detections for bypass

Privilege1 detections

Auto-extracted: 1 detections for privilege

Lateral1 detections

Auto-extracted: 1 detections for lateral

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (3)

APT29APT32BRONZE BUTLER

DETECTIONS (11)

HackTool - KrbRelayUp Execution
sigmahigh
HackTool - Rubeus Execution
sigmacritical
HackTool - Rubeus Execution - ScriptBlock
sigmahigh
Kerberos Traffic from Unusual Process
elasticmedium
Mimikatz PassTheTicket CommandLine Parameters
splunk_escu
Potential Kerberos Attack via Bifrost
elastichigh
Rubeus Command Line Parameters
splunk_escu
Rubeus Kerberos Ticket Exports Through Winlogon Access
splunk_escu
Suspicious Kerberos Authentication Ticket Request
elastichigh
Uncommon Outbound Kerberos Connection
sigmamedium
Windows Process With NetExec Command Line Parameters
splunk_escu