title: Pass the Ticket (T1550.003)
id: df00tech-t1550-003
status: experimental
description: "Adversaries may 'pass the ticket' using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls and credential requirements. Pass the Ticket (PtT) involves injecting a valid Kerberos Ticket Granting Ticket (TGT) or service ticket into a current Windows logon session, allowing authentication to resources as the ticket's owner without knowing the account password. Tickets are typically obtained via OS credential dumping against LSASS memory (using tools like Mimikatz sekurlsa::tickets or Rubeus dump) and then injected with Mimikatz kerberos::ptt or Rubeus ptt. A Silver Ticket attack forges a service ticket using a compromised service account's NTLM hash, granting access to that specific service. A Golden Ticket forges a TGT using the krbtgt account hash, effectively granting domain-wide persistence. 'Overpass the Hash' uses an NTLM hash to request a legitimate Kerberos TGT, bridging Pass the Hash and Pass the Ticket. Real-world users of this technique include APT29 (Kerberos ticket attacks during Nobelium campaigns), APT32 (Cobalt Kitty operation), BRONZE BUTLER (forged TGTs for persistent administrative access), and the SeaDuke malware. The technique is operationalized primarily through Mimikatz (kerberos::ptt, sekurlsa::tickets), Rubeus (asktgt, dump, ptt, tgtdeleg), Kekeo, and Impacket (getTGT.py, getST.py, psexec.py with ccache files)."
references:
  - https://attack.mitre.org/techniques/T1550/003/
  - https://df00tech.com/detections/T1550.003
author: df00tech
date: 2026/04/20
tags:
  - attack.t1550.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security scanning and vulnerability assessment tools (e.g., BloodHound, PingCastle) that enumerate Kerberos SPNs and request service tickets for discovery"
  - "RC4 encryption remaining legitimate in environments with legacy systems (Windows Server 2003, older Unix Kerberos clients) that do not support AES, producing high volumes of 0x17 tickets"
  - "Kerberos constrained delegation (S4U2Proxy) and resource-based constrained delegation used by legitimate application servers to impersonate users, generating s4u2self/s4u2proxy patterns"
  - "IT troubleshooting using klist, setspn, or kerbtray tools, which may produce process events with Kerberos-related command lines"
  - Legitimate use of Rubeus or Kerberos testing tools by red team or penetration testing engagements with documented change tickets
level: critical