T1550.003 Elastic Security · Elastic

Detect Pass the Ticket in Elastic Security

Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls and credential requirements. Pass the Ticket (PtT) involves injecting a valid Kerberos Ticket Granting Ticket (TGT) or service ticket into a current Windows logon session, allowing authentication to resources as the ticket's owner without knowing the account password. Tickets are typically obtained via OS credential dumping against LSASS memory (using tools like Mimikatz sekurlsa::tickets or Rubeus dump) and then injected with Mimikatz kerberos::ptt or Rubeus ptt. A Silver Ticket attack forges a service ticket using a compromised service account's NTLM hash, granting access to that specific service. A Golden Ticket forges a TGT using the krbtgt account hash, effectively granting domain-wide persistence. 'Overpass the Hash' uses an NTLM hash to request a legitimate Kerberos TGT, bridging Pass the Hash and Pass the Ticket. Real-world users of this technique include APT29 (Kerberos ticket attacks during Nobelium campaigns), APT32 (Cobalt Kitty operation), BRONZE BUTLER (forged TGTs for persistent administrative access), and the SeaDuke malware. The technique is operationalized primarily through Mimikatz (kerberos::ptt, sekurlsa::tickets), Rubeus (asktgt, dump, ptt, tgtdeleg), Kekeo, and Impacket (getTGT.py, getST.py, psexec.py with ccache files).

MITRE ATT&CK

Tactic
Defense Evasion Lateral Movement
Technique
T1550 Use Alternate Authentication Material
Sub-technique
T1550.003 Pass the Ticket
Canonical reference
https://attack.mitre.org/techniques/T1550/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start" and
    (
      process.name in~ ("mimikatz.exe", "rubeus.exe", "kekeo.exe") or
      process.args : ("kerberos::ptt", "sekurlsa::tickets", "sekurlsa::krbtgt", "asktgt", "asktgs", "tgtdeleg", "s4u2self", "s4u2proxy", "/ptt", "ptt /ticket", "/ticket:", "ticketer", "ticketConverter", "getTGT", "getST", "*.kirbi", "*.ccache", "harvest /interval", "dump /nowrap")
    )
  ]
|
any where event.type == "authentication" and
  winlog.event_id == "4769" and
  winlog.event_data.TicketEncryptionType == "0x17"
---
// Alternative standalone process query for PtT tool execution
process where event.type == "start" and
(
  process.name in~ ("mimikatz.exe", "rubeus.exe", "kekeo.exe") or
  process.command_line : ("*kerberos::ptt*", "*sekurlsa::tickets*", "*sekurlsa::krbtgt*", "*asktgt*", "*tgtdeleg*", "*s4u2self*", "*s4u2proxy*", "*/ptt*", "*ptt /ticket*", "*/ticket:*", "*ticketer*", "*getTGT*", "*getST*", "*.kirbi*", "*.ccache*", "*harvest /interval*", "*dump /nowrap*")
)
critical severity high confidence

Detects Pass the Ticket (T1550.003) via EQL sequence and standalone rules: known PtT tool execution (Mimikatz, Rubeus, Kekeo, Impacket) by process name or command-line arguments, correlated with RC4 Kerberos ticket requests (Event 4769, EncType 0x17) indicating possible ticket downgrade or forgery.

Data Sources

Elastic Endpoint SecurityWindows Security Event Log (via Winlogbeat)Sysmon (via Winlogbeat)

Required Tables

logs-endpoint.events.process-*logs-system.security-*winlogbeat-*

False Positives & Tuning

  • Legitimate Kerberos testing tools used by directory services or PKI teams in lab environments
  • RC4 encryption type legitimately configured for legacy application compatibility with older Windows or non-Windows systems
  • Penetration testers running authorized red team exercises using Rubeus or Mimikatz against their own environment
Download portable Sigma rule (.yml)

Other platforms for T1550.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz kerberos::ptt — Inject Existing Kerberos Ticket

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'sekurlsa::tickets /export' and 'kerberos::ptt'. Sysmon Event ID 10: ProcessAccess event targeting lsass.exe from mimikatz.exe with GrantedAccess 0x1010 or 0x1438. Sysmon Event ID 11: File Create events for .kirbi files in the working directory. Windows Security Event ID 4769 may appear on the domain controller if tickets are subsequently used for network authentication.

  2. Test 2Rubeus asktgt + ptt — Request and Inject TGT

    Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe, CommandLine containing 'asktgt', '/rc4', and '/ptt'. Windows Security Event ID 4768 on the domain controller: Kerberos Authentication Service with TicketEncryptionType=0x17 (RC4). Windows Security Event ID 4769 with TicketEncryptionType=0x17 if the TGT is then used to request service tickets. Sysmon Event ID 3: NetworkConnect from Rubeus.exe to the domain controller on port 88 (Kerberos).

  3. Test 3Rubeus dump — Extract All Tickets from LSASS

    Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe, CommandLine='dump /nowrap'. Sysmon Event ID 10: ProcessAccess targeting lsass.exe from Rubeus.exe with GrantedAccess values indicating memory read (0x1010 or similar). Sysmon Event ID 11: File Create for %TEMP%\rubeus_tickets.txt. Windows Defender (if enabled) may generate alert for Rubeus.exe based on signature or behavior detection.

  4. Test 4Impacket getTGT.py + psexec.py — Linux-to-Windows Pass the Ticket

    Expected signal: Domain Controller Windows Security Event ID 4768: Kerberos Authentication Service for <USERNAME> from the Linux attack host IP. Domain Controller Event ID 4769: Service ticket request for HOST SPN on <TARGET_HOST>. Target Windows host Event ID 4624: Network Logon (Type 3) from the Linux attack host IP authenticated via Kerberos. Sysmon Event ID 1 on target host: cmd.exe spawned by psexecsvc.exe (Impacket's service executable). Target host Event ID 7045: New service 'PSEXESVC' or similar installed.

Last updated: 2026-04-20 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1550.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1550Use Alternate Authentication Material

Related Sub-techniques

T1550.001Application Access TokenT1550.002Pass the HashT1550.004Web Session Cookie

Related Techniques

T1003.001LSASS MemoryT1558.001Golden TicketT1558.002Silver TicketT1558.003KerberoastingT1550.002Pass the HashT1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1078.002Domain AccountsT1098.001Additional Cloud CredentialsT1484.001Group Policy Modification

Same Tactic: Defense Evasion

Popular Detections