T1550.003

Pass the Ticket

Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls and credential requirements. Pass the Ticket (PtT) involves injecting a valid Kerberos Ticket Granting Ticket (TGT) or service ticket into a current Windows logon session, allowing authentication to resources as the ticket's owner without knowing the account password. Tickets are typically obtained via OS credential dumping against LSASS memory (using tools like Mimikatz sekurlsa::tickets or Rubeus dump) and then injected with Mimikatz kerberos::ptt or Rubeus ptt. A Silver Ticket attack forges a service ticket using a compromised service account's NTLM hash, granting access to that specific service. A Golden Ticket forges a TGT using the krbtgt account hash, effectively granting domain-wide persistence. 'Overpass the Hash' uses an NTLM hash to request a legitimate Kerberos TGT, bridging Pass the Hash and Pass the Ticket. Real-world users of this technique include APT29 (Kerberos ticket attacks during Nobelium campaigns), APT32 (Cobalt Kitty operation), BRONZE BUTLER (forged TGTs for persistent administrative access), and the SeaDuke malware. The technique is operationalized primarily through Mimikatz (kerberos::ptt, sekurlsa::tickets), Rubeus (asktgt, dump, ptt, tgtdeleg), Kekeo, and Impacket (getTGT.py, getST.py, psexec.py with ccache files).

Microsoft Sentinel / Defender

kusto

// T1550.003 — Pass the Ticket: Detects PtT tool execution and Kerberos ticket injection/abuse
let LookbackPeriod = 24h;
let PtTCommandPatterns = dynamic([
    "kerberos::ptt", "sekurlsa::tickets", "sekurlsa::krbtgt",
    "asktgt", "asktgs", "tgtdeleg", "s4u2self", "s4u2proxy",
    "dump /nowrap", "/ptt", "ptt /ticket", "/ticket:",
    "ticketer", "ticketConverter", "getTGT", "getST",
    ".kirbi", "ccache", "harvest /interval"
]);
// Signal 1: Known PtT tool execution by filename or command line
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("mimikatz.exe", "rubeus.exe", "kekeo.exe", "getTGT.py", "getST.py")
    or ProcessCommandLine has_any (PtTCommandPatterns)
    or (ProcessCommandLine has ".kirbi" and ProcessCommandLine has_any (["ptt", "inject", "import", "load"]))
| extend DetectionSignal = "PtT Tool Execution"
| extend SignalDetail = strcat("Tool: ", FileName, " | CmdLine: ", ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionSignal, SignalDetail;
// Signal 2: RC4 (0x17) Kerberos service ticket requests — downgrade indicator for ticket forgery
let RC4KerberosTickets = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| extend TicketEncryptionType = extract(@'<Data Name="TicketEncryptionType">(.*?)</Data>', 1, EventData)
| extend ServiceName = extract(@'<Data Name="ServiceName">(.*?)</Data>', 1, EventData)
| extend TargetUserName = extract(@'<Data Name="TargetUserName">(.*?)</Data>', 1, EventData)
| extend IpAddress = extract(@'<Data Name="IpAddress">(.*?)</Data>', 1, EventData)
| extend TicketStatus = extract(@'<Data Name="Status">(.*?)</Data>', 1, EventData)
| where TicketEncryptionType == "0x17"  // RC4-HMAC — suspicious if environment enforces AES
| where TicketStatus == "0x0"           // Successful ticket issuance only
| where ServiceName !endswith "$"       // Exclude machine account service tickets
| where TargetUserName !endswith "$"    // Exclude machine accounts requesting tickets
| extend DetectionSignal = "RC4 Kerberos Service Ticket (Possible Downgrade/Forgery)"
| extend SignalDetail = strcat("User: ", TargetUserName, " | Service: ", ServiceName, " | EncType: ", TicketEncryptionType, " | SrcIP: ", IpAddress)
| project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = TargetUserName,
         FileName = "", ProcessCommandLine = "", InitiatingProcessFileName = "",
         InitiatingProcessCommandLine = "", DetectionSignal, SignalDetail;
// Signal 3: Unusual NewCredentials logon type (4624 Type 9) — often created by PtT injection on local machine
let NewCredentialsLogon = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4624
| extend LogonType = extract(@'<Data Name="LogonType">(.*?)</Data>', 1, EventData)
| extend SubjectUserName = extract(@'<Data Name="SubjectUserName">(.*?)</Data>', 1, EventData)
| extend TargetUserName = extract(@'<Data Name="TargetUserName">(.*?)</Data>', 1, EventData)
| extend AuthenticationPackageName = extract(@'<Data Name="AuthenticationPackageName">(.*?)</Data>', 1, EventData)
| where LogonType == "9"   // NewCredentials — used when injecting tickets for outbound auth
| where AuthenticationPackageName == "Kerberos"
| where TargetUserName != SubjectUserName  // Impersonating a different account
| extend DetectionSignal = "Kerberos NewCredentials Logon (Possible PtT Injection)"
| extend SignalDetail = strcat("Subject: ", SubjectUserName, " | Target: ", TargetUserName, " | AuthPkg: ", AuthenticationPackageName)
| project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
         FileName = "", ProcessCommandLine = "", InitiatingProcessFileName = "",
         InitiatingProcessCommandLine = "", DetectionSignal, SignalDetail;
union ToolExecution, RC4KerberosTickets, NewCredentialsLogon
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Logon Session: Logon Session Creation Active Directory: Active Directory Credential Request Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

Security scanning and vulnerability assessment tools (e.g., BloodHound, PingCastle) that enumerate Kerberos SPNs and request service tickets for discovery
RC4 encryption remaining legitimate in environments with legacy systems (Windows Server 2003, older Unix Kerberos clients) that do not support AES, producing high volumes of 0x17 tickets
Kerberos constrained delegation (S4U2Proxy) and resource-based constrained delegation used by legitimate application servers to impersonate users, generating s4u2self/s4u2proxy patterns
IT troubleshooting using klist, setspn, or kerbtray tools, which may produce process events with Kerberos-related command lines
Legitimate use of Rubeus or Kerberos testing tools by red team or penetration testing engagements with documented change tickets

Splunk

spl

// T1550.003 — Pass the Ticket: Tool execution detection via Sysmon + Kerberos anomaly detection
// Signal 1: PtT tool execution via Sysmon EventCode=1 (Process Create)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
    Image IN ("*\\mimikatz.exe", "*\\rubeus.exe", "*\\kekeo.exe")
    OR CommandLine IN ("*kerberos::ptt*", "*sekurlsa::tickets*", "*sekurlsa::krbtgt*")
    OR CommandLine IN ("*asktgt*", "*asktgs*", "*tgtdeleg*", "*s4u2self*", "*s4u2proxy*")
    OR CommandLine IN ("*/ptt*", "*ptt /ticket*", "*/ticket:*", "*dump /nowrap*")
    OR CommandLine IN ("*ticketer*", "*ticketConverter*", "*getTGT*", "*getST*")
    OR (CommandLine="*.kirbi*" AND (CommandLine="*ptt*" OR CommandLine="*inject*" OR CommandLine="*import*"))
    OR CommandLine IN ("*harvest /interval*", "*.ccache*")
)
| eval DetectionSignal="PtT Tool Execution"
| eval IsMimikatz=if(match(lower(Image), "mimikatz") OR match(lower(CommandLine), "kerberos::ptt|sekurlsa::tickets"), 1, 0)
| eval IsRubeus=if(match(lower(Image), "rubeus") OR match(lower(CommandLine), "asktgt|asktgs|tgtdeleg|/ptt|\.kirbi"), 1, 0)
| eval IsImpacket=if(match(lower(CommandLine), "getTGT|getST|ticketer|ccache"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionSignal, IsMimikatz, IsRubeus, IsImpacket
| eval source_query="sysmon_process"

| append [
    // Signal 2: RC4 Kerberos service ticket requests (Event 4769 — possible ticket forgery)
    search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
    | rex field=_raw "TicketEncryptionType\:\s+(?<TicketEncryptionType>0x\w+)"
    | rex field=_raw "ServiceName\:\s+(?<ServiceName>[^\r\n]+)"
    | rex field=_raw "Account Name\:\s+(?<TargetUserName>[^\r\n]+)"
    | rex field=_raw "Client Address\:\s+(?<SrcIP>[^\r\n]+)"
    | rex field=_raw "Failure Code\:\s+(?<FailureCode>0x\w+)"
    | where TicketEncryptionType="0x17"
    | where FailureCode="0x0" OR isnull(FailureCode)
    | where NOT match(ServiceName, "\\$$")
    | where NOT match(TargetUserName, "\\$$")
    | eval DetectionSignal="RC4 Kerberos Downgrade (Possible Forgery)"
    | eval IsMimikatz=0, IsRubeus=0, IsImpacket=0
    | table _time, host, TargetUserName as User, ServiceName as Image, TicketEncryptionType as CommandLine, SrcIP as ParentImage, DetectionSignal, IsMimikatz, IsRubeus, IsImpacket
    | eval source_query="kerberos_rc4"
]

| append [
    // Signal 3: Kerberos NewCredentials logon (Event 4624 LogonType=9) — PtT local injection pattern
    search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    | rex field=_raw "Logon Type\:\s+(?<LogonType>\d+)"
    | rex field=_raw "Authentication Package\:\s+(?<AuthPackage>[^\r\n]+)"
    | rex field=_raw "Account Name\:\s+(?<SubjectUser>[^\r\n]+)"
    | rex field=_raw "New Logon.*?Account Name\:\s+(?<TargetUser>[^\r\n]+)" flags=s
    | where LogonType="9"
    | where AuthPackage="Kerberos"
    | where SubjectUser!=TargetUser
    | eval DetectionSignal="Kerberos NewCredentials Logon (Possible PtT Injection)"
    | eval IsMimikatz=0, IsRubeus=0, IsImpacket=0
    | table _time, host, SubjectUser as User, TargetUser as Image, AuthPackage as CommandLine, LogonType as ParentImage, DetectionSignal, IsMimikatz, IsRubeus, IsImpacket
    | eval source_query="newcreds_logon"
]

| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Logon Session: Logon Session Creation Active Directory: Active Directory Credential Request Sysmon Event ID 1 Windows Security Event IDs 4769, 4624

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Security scanning tools (BloodHound, PingCastle) requesting Kerberos service tickets for SPN enumeration, producing high volumes of 4769 events
RC4 encryption remaining in use for legacy compatibility (older Unix Kerberos, Windows Server 2003 clients), creating large numbers of legitimate 0x17 tickets
Legitimate application servers using Kerberos constrained delegation (S4U2Proxy) to impersonate users, matching s4u2self/s4u2proxy command line patterns
Security researchers and red team operators using Rubeus, Mimikatz, or Impacket in authorized lab environments or pentest engagements
NewCredentials logon events from legitimate RunAs /netonly usage by administrators managing multiple domain accounts simultaneously

IBM QRadar (AQL)

sql

-- Signal 1: PtT tool execution from Windows Security Event 4688 or Sysmon 1
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  'PtT Tool Execution' AS detection_signal
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (12, 14, 352)
  AND (
    LOWER("Process Name") IN ('mimikatz.exe', 'rubeus.exe', 'kekeo.exe')
    OR LOWER("Command") ILIKE '%kerberos::ptt%'
    OR LOWER("Command") ILIKE '%sekurlsa::tickets%'
    OR LOWER("Command") ILIKE '%sekurlsa::krbtgt%'
    OR LOWER("Command") ILIKE '%asktgt%'
    OR LOWER("Command") ILIKE '%tgtdeleg%'
    OR LOWER("Command") ILIKE '%s4u2self%'
    OR LOWER("Command") ILIKE '%s4u2proxy%'
    OR LOWER("Command") ILIKE '%/ptt%'
    OR LOWER("Command") ILIKE '%.kirbi%'
    OR LOWER("Command") ILIKE '%.ccache%'
    OR LOWER("Command") ILIKE '%ticketer%'
    OR LOWER("Command") ILIKE '%getTGT%'
    OR LOWER("Command") ILIKE '%getST%'
    OR LOWER("Command") ILIKE '%harvest /interval%'
  )
  AND DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
UNION ALL
-- Signal 2: RC4 Kerberos service ticket request (Event 4769, EncType 0x17)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Service Name" AS process_name,
  "Ticket Encryption Type" AS command_line,
  'RC4 Kerberos Downgrade (Possible Forgery)' AS detection_signal
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (12, 14)
  AND QIDNAME(qid) ILIKE '%Kerberos Service Ticket Operations%'
  AND "Ticket Encryption Type" = '0x17'
  AND "Failure Code" = '0x0'
  AND username NOT LIKE '%$'
  AND "Service Name" NOT LIKE '%$'
  AND DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
UNION ALL
-- Signal 3: NewCredentials logon type 9 with Kerberos (Event 4624)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "Logon Type" AS process_name,
  "Authentication Package" AS command_line,
  'Kerberos NewCredentials Logon (Possible PtT Injection)' AS detection_signal
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (12, 14)
  AND QIDNAME(qid) ILIKE '%An account was successfully logged on%'
  AND "Logon Type" = '9'
  AND "Authentication Package" = 'Kerberos'
  AND DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY event_time DESC

critical severity medium confidence

Data Sources

Windows Security Event Log via QRadar DSM Sysmon via QRadar DSM Microsoft Windows DHCP

Required Tables

events

False Positives

Legacy Windows environments with RC4 encryption explicitly configured for backward compatibility will generate 4769 events with EncType 0x17 legitimately
RunAs /netonly commands used by IT administrators to run tools under alternate credentials create logon type 9 events with Kerberos
Security assessment tools or authorized red team tooling matching PtT command-line patterns during scheduled engagements

Sumo Logic CSE

sql

// Signal 1: PtT Tool Execution — Sysmon EventCode 1
_sourceCategory=windows/sysmon EventCode=1
| parse regex "(?i)<Data Name='Image'>(?<Image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='CommandLine'>(?<CommandLine>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='ParentImage'>(?<ParentImage>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='User'>(?<User>[^<]+)</Data>" nodrop
| where (Image matches "*mimikatz.exe" OR Image matches "*rubeus.exe" OR Image matches "*kekeo.exe")
   OR (CommandLine matches "*kerberos::ptt*" OR CommandLine matches "*sekurlsa::tickets*"
       OR CommandLine matches "*sekurlsa::krbtgt*" OR CommandLine matches "*asktgt*"
       OR CommandLine matches "*tgtdeleg*" OR CommandLine matches "*s4u2self*"
       OR CommandLine matches "*s4u2proxy*" OR CommandLine matches "*/ptt*"
       OR CommandLine matches "*.kirbi*" OR CommandLine matches "*.ccache*"
       OR CommandLine matches "*ticketer*" OR CommandLine matches "*getTGT*"
       OR CommandLine matches "*getST*" OR CommandLine matches "*harvest /interval*"
       OR CommandLine matches "*dump /nowrap*")
| eval DetectionSignal="PtT Tool Execution"
| eval ToolType=if(CommandLine matches "*kerberos::ptt*" OR CommandLine matches "*sekurlsa*", "Mimikatz",
    if(CommandLine matches "*asktgt*" OR CommandLine matches "*.kirbi*" OR CommandLine matches "*tgtdeleg*", "Rubeus",
    if(CommandLine matches "*getTGT*" OR CommandLine matches "*getST*" OR CommandLine matches "*.ccache*", "Impacket", "Unknown")))
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DetectionSignal, ToolType

// Signal 2: RC4 Kerberos Service Ticket (Event 4769)
// Run separately or union:
// _sourceCategory=windows/security EventCode=4769
// | parse regex "Ticket Encryption Type:\s+(?<TicketEncryptionType>0x\w+)" nodrop
// | parse regex "Service Name:\s+(?<ServiceName>[^\r\n]+)" nodrop
// | parse regex "Account Name:\s+(?<TargetUser>[^\r\n]+)" nodrop
// | parse regex "Client Address:\s+(?<SrcIP>[^\r\n]+)" nodrop
// | parse regex "Failure Code:\s+(?<FailureCode>0x\w+)" nodrop
// | where TicketEncryptionType="0x17"
// | where FailureCode="0x0" OR isNull(FailureCode)
// | where !matches(ServiceName, ".*\\$")
// | where !matches(TargetUser, ".*\\$")
// | eval DetectionSignal="RC4 Kerberos Downgrade (Possible Forgery)"
// | fields _messageTime, _sourceHost, TargetUser, ServiceName, TicketEncryptionType, SrcIP, DetectionSignal

// Signal 3: NewCredentials Logon Type 9 (Event 4624)
// _sourceCategory=windows/security EventCode=4624
// | parse regex "Logon Type:\s+(?<LogonType>\d+)" nodrop
// | parse regex "Authentication Package:\s+(?<AuthPackage>[^\r\n]+)" nodrop
// | parse regex field=_raw "Security ID.*?Account Name:\s+(?<SubjectUser>[^\r\n]+)" nodrop
// | where LogonType="9" AND AuthPackage="Kerberos"
// | eval DetectionSignal="Kerberos NewCredentials Logon (Possible PtT Injection)"
// | fields _messageTime, _sourceHost, SubjectUser, AuthPackage, LogonType, DetectionSignal

critical severity high confidence

Data Sources

Windows Sysmon logs via Sumo Logic Collector Windows Security Event Log via Sumo Logic Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Authorized penetration testing or red team exercises using Rubeus or Mimikatz will match tool execution patterns
IT administrators using RunAs /netonly to authenticate as service accounts for remote management generate logon type 9 with Kerberos
Legacy Kerberos-capable systems or printers configured to request RC4-encrypted tickets (0x17) from the KDC in environments without AES enforcement

Google Chronicle / SecOps

yaral

rule pass_the_ticket_ptt_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Pass the Ticket (T1550.003) via known PtT tool execution and Kerberos anomalies"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1550.003"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    // Signal 1: PtT tool execution by process name
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname
    (
      re.regex($e1.target.process.file.full_path, `(?i)(mimikatz|rubeus|kekeo)\.exe$`) or
      re.regex($e1.target.process.command_line, `(?i)(kerberos::ptt|sekurlsa::tickets|sekurlsa::krbtgt)`) or
      re.regex($e1.target.process.command_line, `(?i)(asktgt|asktgs|tgtdeleg|s4u2self|s4u2proxy)`) or
      re.regex($e1.target.process.command_line, `(?i)(/ptt|ptt\s+/ticket|/ticket:)`) or
      re.regex($e1.target.process.command_line, `(?i)(ticketer|ticketConverter|getTGT|getST)`) or
      re.regex($e1.target.process.command_line, `(?i)(harvest\s+/interval|dump\s+/nowrap)`) or
      re.regex($e1.target.process.command_line, `(?i)\.(kirbi|ccache)`)
    )

  condition:
    $e1
}

rule pass_the_ticket_rc4_kerberos {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects RC4 Kerberos service ticket requests (Event 4769, EncType 0x17) indicating possible Silver/Golden Ticket or PtT downgrade attack"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1550.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e2.metadata.event_type = "USER_UNCATEGORIZED"
    $e2.metadata.product_event_type = "4769"
    $e2.principal.hostname = $hostname
    $e2.network.application_protocol = "KERBEROS"
    // RC4 encryption type 0x17 indicates possible downgrade or ticket forgery
    $e2.security_result.detection_fields["TicketEncryptionType"] = "0x17"
    // Exclude machine accounts
    not re.regex($e2.target.user.userid, `\$$`)
    not re.regex($e2.target.resource.name, `\$$`)

  condition:
    $e2
}

rule pass_the_ticket_newcredentials_logon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Kerberos logon type 9 (NewCredentials, Event 4624) used during PtT ticket injection for outbound lateral movement"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1550.003"
    severity = "HIGH"
    priority = "MEDIUM"

  events:
    $e3.metadata.event_type = "USER_LOGIN"
    $e3.metadata.product_event_type = "4624"
    $e3.principal.hostname = $hostname
    $e3.extensions.auth.auth_details = "9"  // LogonType 9 = NewCredentials
    $e3.extensions.auth.mechanism = "KERBEROS"
    // Subject and target users must differ — impersonation indicator
    $e3.principal.user.userid != $e3.target.user.userid

  condition:
    $e3
}

critical severity high confidence

Data Sources

Google Chronicle UDM Windows Security Event Log ingested via Chronicle forwarder Endpoint telemetry via Chronicle agent

Required Tables

UDM events — PROCESS_LAUNCH, USER_UNCATEGORIZED, USER_LOGIN

False Positives

Security tooling or vulnerability scanners that spawn processes with Kerberos-related arguments in authorized testing environments
Environments with legacy RC4 Kerberos configurations for older applications will legitimately generate 4769 events with EncType 0x17
Administrators using runas /netonly to access network resources under alternate credentials generate type 9 logon events

CrowdStrike LogScale (CQL)

cql

// Signal 1: PtT Tool Execution — Falcon ProcessRollup2 events
#event_simpleName=ProcessRollup2
| FileName = /(?i)(mimikatz|rubeus|kekeo)\.exe/ OR
  CommandLine = /(?i)(kerberos::ptt|sekurlsa::tickets|sekurlsa::krbtgt)/  OR
  CommandLine = /(?i)(asktgt|asktgs|tgtdeleg|s4u2self|s4u2proxy)/ OR
  CommandLine = /(?i)(/ptt|ptt\s+/ticket|/ticket:)/ OR
  CommandLine = /(?i)(ticketer|ticketConverter|getTGT|getST)/ OR
  CommandLine = /(?i)(harvest\s+/interval|dump\s+/nowrap)/ OR
  CommandLine = /(?i)\.(kirbi|ccache)/
| eval ToolType = case(
    FileName = /(?i)mimikatz/ OR CommandLine = /(?i)kerberos::ptt|sekurlsa/, "Mimikatz",
    FileName = /(?i)rubeus/ OR CommandLine = /(?i)asktgt|tgtdeleg|\.kirbi/, "Rubeus",
    CommandLine = /(?i)getTGT|getST|\.ccache/, "Impacket",
    true(), "Unknown"
  )
| eval DetectionSignal = "PtT Tool Execution"
| table([_timstamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ToolType, DetectionSignal])
| sort(field=_timstamp, order=desc)

// Signal 2: Kerberos RC4 Ticket Request (Windows Security Event 4769 via Falcon)
// Run as separate saved search:
// #event_simpleName=KerberosTicketGranted OR EventCode=4769
// | TicketEncryptionType = "0x17"
// | UserName != /\$$/ AND ServiceName != /\$$/
// | eval DetectionSignal = "RC4 Kerberos Downgrade"
// | table([_timstamp, ComputerName, UserName, ServiceName, TicketEncryptionType, ClientAddress, DetectionSignal])

// Signal 3: Kerberos LogonType 9 NewCredentials (Windows Security Event 4624)
// #event_simpleName=UserLogon
// | LogonType = "9"
// | AuthenticationPackage = "Kerberos"
// | eval DetectionSignal = "Kerberos NewCredentials Logon (PtT)"
// | table([_timstamp, ComputerName, UserName, LogonType, AuthenticationPackage, DetectionSignal])

// Hunting: Abnormal Kerberos ticket requests per host (volumetric)
// #event_simpleName=ProcessRollup2
// | CommandLine = /(?i)(asktgt|asktgs|tgtdeleg|\.kirbi|\.ccache)/
// | groupBy([ComputerName, UserName], function=count(), as=TicketOpCount)
// | TicketOpCount > 5
// | sort(field=TicketOpCount, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (ProcessRollup2) Falcon Windows Security Event Log forwarding (Event 4769, 4624)

Required Tables

ProcessRollup2 KerberosTicketGranted (if available) UserLogon

False Positives

Authorized red team or pen test operations running Rubeus or Mimikatz against sanctioned targets during scheduled engagements
Domain-joined systems in environments that have not enforced AES-only Kerberos will legitimately request RC4-encrypted (0x17) tickets
IT helpdesk tools or remote management utilities using runas /netonly to access resources under service account credentials generate logon type 9 events

Last updated: 2026-04-20 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1550.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1550Use Alternate Authentication Material

Related Sub-techniques

T1550.001Application Access Token T1550.002Pass the Hash T1550.004Web Session Cookie

Pass the Ticket

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections