Detect Pass the Ticket in Microsoft Sentinel
Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls and credential requirements. Pass the Ticket (PtT) involves injecting a valid Kerberos Ticket Granting Ticket (TGT) or service ticket into a current Windows logon session, allowing authentication to resources as the ticket's owner without knowing the account password. Tickets are typically obtained via OS credential dumping against LSASS memory (using tools like Mimikatz sekurlsa::tickets or Rubeus dump) and then injected with Mimikatz kerberos::ptt or Rubeus ptt. A Silver Ticket attack forges a service ticket using a compromised service account's NTLM hash, granting access to that specific service. A Golden Ticket forges a TGT using the krbtgt account hash, effectively granting domain-wide persistence. 'Overpass the Hash' uses an NTLM hash to request a legitimate Kerberos TGT, bridging Pass the Hash and Pass the Ticket. Real-world users of this technique include APT29 (Kerberos ticket attacks during Nobelium campaigns), APT32 (Cobalt Kitty operation), BRONZE BUTLER (forged TGTs for persistent administrative access), and the SeaDuke malware. The technique is operationalized primarily through Mimikatz (kerberos::ptt, sekurlsa::tickets), Rubeus (asktgt, dump, ptt, tgtdeleg), Kekeo, and Impacket (getTGT.py, getST.py, psexec.py with ccache files).
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.003 Pass the Ticket
- Canonical reference
- https://attack.mitre.org/techniques/T1550/003/
KQL Detection Query
// T1550.003 — Pass the Ticket: Detects PtT tool execution and Kerberos ticket injection/abuse
let LookbackPeriod = 24h;
let PtTCommandPatterns = dynamic([
"kerberos::ptt", "sekurlsa::tickets", "sekurlsa::krbtgt",
"asktgt", "asktgs", "tgtdeleg", "s4u2self", "s4u2proxy",
"dump /nowrap", "/ptt", "ptt /ticket", "/ticket:",
"ticketer", "ticketConverter", "getTGT", "getST",
".kirbi", "ccache", "harvest /interval"
]);
// Signal 1: Known PtT tool execution by filename or command line
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("mimikatz.exe", "rubeus.exe", "kekeo.exe", "getTGT.py", "getST.py")
or ProcessCommandLine has_any (PtTCommandPatterns)
or (ProcessCommandLine has ".kirbi" and ProcessCommandLine has_any (["ptt", "inject", "import", "load"]))
| extend DetectionSignal = "PtT Tool Execution"
| extend SignalDetail = strcat("Tool: ", FileName, " | CmdLine: ", ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionSignal, SignalDetail;
// Signal 2: RC4 (0x17) Kerberos service ticket requests — downgrade indicator for ticket forgery
let RC4KerberosTickets = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| extend TicketEncryptionType = extract(@'<Data Name="TicketEncryptionType">(.*?)</Data>', 1, EventData)
| extend ServiceName = extract(@'<Data Name="ServiceName">(.*?)</Data>', 1, EventData)
| extend TargetUserName = extract(@'<Data Name="TargetUserName">(.*?)</Data>', 1, EventData)
| extend IpAddress = extract(@'<Data Name="IpAddress">(.*?)</Data>', 1, EventData)
| extend TicketStatus = extract(@'<Data Name="Status">(.*?)</Data>', 1, EventData)
| where TicketEncryptionType == "0x17" // RC4-HMAC — suspicious if environment enforces AES
| where TicketStatus == "0x0" // Successful ticket issuance only
| where ServiceName !endswith "$" // Exclude machine account service tickets
| where TargetUserName !endswith "$" // Exclude machine accounts requesting tickets
| extend DetectionSignal = "RC4 Kerberos Service Ticket (Possible Downgrade/Forgery)"
| extend SignalDetail = strcat("User: ", TargetUserName, " | Service: ", ServiceName, " | EncType: ", TicketEncryptionType, " | SrcIP: ", IpAddress)
| project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = TargetUserName,
FileName = "", ProcessCommandLine = "", InitiatingProcessFileName = "",
InitiatingProcessCommandLine = "", DetectionSignal, SignalDetail;
// Signal 3: Unusual NewCredentials logon type (4624 Type 9) — often created by PtT injection on local machine
let NewCredentialsLogon = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4624
| extend LogonType = extract(@'<Data Name="LogonType">(.*?)</Data>', 1, EventData)
| extend SubjectUserName = extract(@'<Data Name="SubjectUserName">(.*?)</Data>', 1, EventData)
| extend TargetUserName = extract(@'<Data Name="TargetUserName">(.*?)</Data>', 1, EventData)
| extend AuthenticationPackageName = extract(@'<Data Name="AuthenticationPackageName">(.*?)</Data>', 1, EventData)
| where LogonType == "9" // NewCredentials — used when injecting tickets for outbound auth
| where AuthenticationPackageName == "Kerberos"
| where TargetUserName != SubjectUserName // Impersonating a different account
| extend DetectionSignal = "Kerberos NewCredentials Logon (Possible PtT Injection)"
| extend SignalDetail = strcat("Subject: ", SubjectUserName, " | Target: ", TargetUserName, " | AuthPkg: ", AuthenticationPackageName)
| project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
FileName = "", ProcessCommandLine = "", InitiatingProcessFileName = "",
InitiatingProcessCommandLine = "", DetectionSignal, SignalDetail;
union ToolExecution, RC4KerberosTickets, NewCredentialsLogon
| sort by Timestamp descDetects Pass the Ticket (PtT) attacks through three complementary signals: (1) known PtT tool execution — Mimikatz, Rubeus, Kekeo, and Impacket commands matched by filename and command line patterns including kerberos::ptt, sekurlsa::tickets, asktgt/asktgs/ptt, .kirbi file references, and ccache operations; (2) RC4 (0x17) Kerberos service ticket encryption on environments that should be using AES, a strong indicator of ticket forgery or downgrade attacks where forged tickets default to RC4; (3) Kerberos NewCredentials logon type (4624 Type 9) where the target account differs from the subject, which is the Windows mechanism used when injected tickets are used for outbound authentication without re-authentication. Unions all three signals for unified analyst review.
Data Sources
Required Tables
False Positives & Tuning
- Security scanning and vulnerability assessment tools (e.g., BloodHound, PingCastle) that enumerate Kerberos SPNs and request service tickets for discovery
- RC4 encryption remaining legitimate in environments with legacy systems (Windows Server 2003, older Unix Kerberos clients) that do not support AES, producing high volumes of 0x17 tickets
- Kerberos constrained delegation (S4U2Proxy) and resource-based constrained delegation used by legitimate application servers to impersonate users, generating s4u2self/s4u2proxy patterns
- IT troubleshooting using klist, setspn, or kerbtray tools, which may produce process events with Kerberos-related command lines
- Legitimate use of Rubeus or Kerberos testing tools by red team or penetration testing engagements with documented change tickets
Other platforms for T1550.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mimikatz kerberos::ptt — Inject Existing Kerberos Ticket
Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'sekurlsa::tickets /export' and 'kerberos::ptt'. Sysmon Event ID 10: ProcessAccess event targeting lsass.exe from mimikatz.exe with GrantedAccess 0x1010 or 0x1438. Sysmon Event ID 11: File Create events for .kirbi files in the working directory. Windows Security Event ID 4769 may appear on the domain controller if tickets are subsequently used for network authentication.
- Test 2Rubeus asktgt + ptt — Request and Inject TGT
Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe, CommandLine containing 'asktgt', '/rc4', and '/ptt'. Windows Security Event ID 4768 on the domain controller: Kerberos Authentication Service with TicketEncryptionType=0x17 (RC4). Windows Security Event ID 4769 with TicketEncryptionType=0x17 if the TGT is then used to request service tickets. Sysmon Event ID 3: NetworkConnect from Rubeus.exe to the domain controller on port 88 (Kerberos).
- Test 3Rubeus dump — Extract All Tickets from LSASS
Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe, CommandLine='dump /nowrap'. Sysmon Event ID 10: ProcessAccess targeting lsass.exe from Rubeus.exe with GrantedAccess values indicating memory read (0x1010 or similar). Sysmon Event ID 11: File Create for %TEMP%\rubeus_tickets.txt. Windows Defender (if enabled) may generate alert for Rubeus.exe based on signature or behavior detection.
- Test 4Impacket getTGT.py + psexec.py — Linux-to-Windows Pass the Ticket
Expected signal: Domain Controller Windows Security Event ID 4768: Kerberos Authentication Service for <USERNAME> from the Linux attack host IP. Domain Controller Event ID 4769: Service ticket request for HOST SPN on <TARGET_HOST>. Target Windows host Event ID 4624: Network Logon (Type 3) from the Linux attack host IP authenticated via Kerberos. Sysmon Event ID 1 on target host: cmd.exe spawned by psexecsvc.exe (Impacket's service executable). Target host Event ID 7045: New service 'PSEXESVC' or similar installed.
References (13)
- https://attack.mitre.org/techniques/T1550/003/
- https://adsecurity.org/?p=556
- https://adsecurity.org/?p=1515
- https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
- https://github.com/GhostPack/Rubeus
- https://github.com/SecureAuthCorp/impacket
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- https://www.mandiant.com/resources/blog/mandiant-no-easy-breach-dfir-lessons
- https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- https://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
Unlock Pro Content
Get the full detection package for T1550.003 including response playbook, investigation guide, and atomic red team tests.