This note documents detection patterns for Pass the Ticket (reuse of stolen or injected Kerberos tickets) within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4769 | Kerberos service ticket requested | High | Logged on the domain controller for every TGS-REQ. Service ticket requests made with an injected TGT look normal in isolation; they become significant when the same account and client IP requested no TGT (no matching 4768) within the TGT lifetime, or when the client IP is a host the account does not normally use. |
| Security | 4624 | Successful logon | Critical | On the target host, a passed ticket lands as LogonType 3 (network) with Authentication Package Kerberos. On the source host, LogonType 9 (NewCredentials, logon process seclogo) appears only when the attacker creates a sacrificial logon session (runas /netonly, Rubeus createnetonly); injecting into the current session produces no 4624 on the source. |
| Security | 4672 | Special privileges assigned to new logon | High | Follows the 4624 on the target when the injected ticket belongs to a privileged account; correlate the two by Logon ID. |
| Security | 4770 | Kerberos service ticket renewed | Medium | TGT renewals (ServiceName krbtgt) from a client that never requested the TGT (no 4768) suggest a ticket stolen elsewhere that is being kept alive. |
| Sysmon | 1 | Process creation | Critical | Execution of Rubeus, Mimikatz or similar tools used to dump or inject tickets. Match on hashes and OriginalFileName as well as image name, since the binaries are routinely renamed. |
| Sysmon | 10 | Process accessed LSASS | High | Unexpected processes reading lsass.exe memory to extract tickets (for example Mimikatz sekurlsa::tickets). Injection alone (kerberos::ptt, Rubeus ptt) submits the ticket through the LSA API into the caller's own logon session and does not open LSASS memory, so event 10 covers extraction rather than injection. |
| Sysmon | 3 | Network connection | Medium | Outbound connections from the injecting process (or its sacrificial child) to Kerberos (88/tcp) on a DC and to SMB, LDAP, WinRM or RPC on domain hosts immediately after injection. |
| Security | 4771 | Kerberos pre-authentication failed | Medium | Pre-authentication type 2 (encrypted timestamp) with failure code 0x18 means the client sent an AS-REQ whose timestamp the KDC could not decrypt with the account's key, i.e. a wrong password or stale credential. Not a Pass the Ticket indicator on its own; it matters when a burst from one host is followed by successful service access by the same account with no 4768, which suggests the attacker gave up on credentials and fell back to a stolen ticket. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Ticket use without a TGT request | 4769/4770 on the DC, or a Kerberos 4624 on a target, for an account and client IP with no preceding 4768 within the TGT lifetime | Critical | The ticket was obtained elsewhere and injected; this is the core Pass the Ticket signal. |
| Unusual service access patterns | Account requesting tickets for services (SPNs) it does not normally use | High | Attacker enumerating or moving toward targets with the stolen identity. |
| Authentication from unusual host | Account's tickets used from a client IP or workstation it has never authenticated from | High | Lateral movement using the injected ticket; compare against the account's baseline of source hosts. |
| Rapid service access across multiple hosts | Many distinct ServiceNames for one account and client IP within a few minutes | High | Attacker moving laterally or spraying access checks across hosts. |
| LSASS access prior to authentication | Sysmon 10 against lsass.exe on a host, followed by Kerberos activity for an account that never logged on there interactively | Critical | Ticket extraction on that host, usually followed by injection on the same or another host. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | sekurlsa::tickets /export dumps tickets from LSASS memory; kerberos::ptt injects a .kirbi into the current logon session. |
| Rubeus | triage and dump list or export tickets, ptt injects one, createnetonly spawns a sacrificial LogonType 9 session to hold it. |
| Impacket | Tools authenticate with a ccache via -k -no-pass and KRB5CCNAME; ticketConverter.py converts between .kirbi and ccache formats. |
| Kekeo | Kerberos toolkit by the Mimikatz author; requests, manipulates and injects tickets. |
| Invoke-Mimikatz | PowerShell reflective loader for Mimikatz; runs in memory, so it leaves no Mimikatz prefetch entry or on-disk binary. |
Relevant Artifacts
- Domain controller Security logs (4768, 4769, 4770) and target-host Security logs (4624, 4672)
- Kerberos operational log on endpoints (Microsoft-Windows-Security-Kerberos/Operational, disabled by default)
- Sysmon logs (1, 3, 10)
- LSASS memory artifacts (ticket structures in a memory image of the source host)
- EDR telemetry on credential-dumping and ticket-injection tools
- Network authentication telemetry (Kerberos on 88/tcp between the source host and the KDC, and the SMB/LDAP/WinRM sessions that follow)
- Prefetch artifacts for Mimikatz or Rubeus (absent when the tool is loaded in memory, e.g. Invoke-Mimikatz)
- Kerberos ticket cache analysis (klist on the suspect host; a cached ticket for an account that never logged on there is the finding)
MITRE ATT&CK References
- T1550 Use Alternate Authentication Material
- T1550.003 Pass the Ticket
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify Kerberos service ticket activity (4769) or suspicious logons (4624).
- What host generated the event?
  - Identify the workstation performing the authentication (Client Address in 4769; Workstation Name and Source Network Address in 4624).
- Is the account expected to perform this action?
  - Investigate unusual service access patterns against the account's baseline of services and source hosts.
- Pivot:
  - Source host → inspect LSASS access events or execution of Mimikatz / Rubeus.
  - Account → review privileges associated with the ticket (4672 on the target).
  - Network → analyze lateral movement patterns.
- Confirm exploitation
  - Determine whether the attacker injected or reused a Kerberos ticket: service access by the account from a host with no matching 4768 for that account and client confirms ticket reuse rather than a fresh logon.
Example Detection Templates
KQL
```kusto
// Kerberos network logons on targets, and sacrificial NewCredentials sessions on sources.
// Machine accounts are excluded; they generate most LogonType 3 Kerberos noise.
SecurityEvent
| where EventID == 4624
| where (LogonType == 3 and AuthenticationPackageName == "Kerberos")
     or (LogonType == 9 and LogonProcessName == "seclogo")
| where not(TargetUserName endswith "$")
| project TimeGenerated, Computer, TargetUserName, LogonType, IpAddress, WorkstationName
```

```kusto
// Rapid service access: distinct services requested per account and client IP in 5-minute bins.
// The threshold is a starting point; tune it to the environment.
SecurityEvent
| where EventID == 4769 and not(TargetUserName endswith "$")
| summarize Services = dcount(ServiceName), Requests = count()
    by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
| where Services >= 5
```
EQL
```eql
any where event.code == "4624" and not endsWith(user.name, "$") and
  (
    (winlog.event_data.LogonType == "3" and winlog.event_data.AuthenticationPackageName == "Kerberos") or
    (winlog.event_data.LogonType == "9" and winlog.event_data.LogonProcessName == "seclogo")
  )
```
Sigma
```yaml
title: Suspicious Kerberos Ticket Usage
id: pass-the-ticket-detection
status: experimental
description: Detects Kerberos network logons and NewCredentials (runas /netonly style) logons by user accounts, which may indicate Pass the Ticket; baseline before alerting
logsource:
  product: windows
  service: security
detection:
  selection_network:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: Kerberos
  selection_newcreds:
    EventID: 4624
    LogonType: 9
    LogonProcessName: seclogo
  filter_machine:
    TargetUserName|endswith: '$'
  condition: 1 of selection_* and not filter_machine
fields:
  - TargetUserName
  - IpAddress
  - WorkstationName
  - LogonType
falsepositives:
  - Legitimate Kerberos authentication activity
  - Administrators using runas /netonly
level: medium
tags:
  - attack.lateral_movement
  - attack.t1550.003
```
Splunk
Service ticket activity (4769/4770) for a user and client IP with no TGT request (4768) in the preceding 10 hours. Transactions that never see their 4768 start event are evicted, and `closed_txn=0` keeps exactly those.

```spl
index=main earliest=-24h source="WinEventLog:Security" user!=*$ EventCode IN (4768,4769,4770)
| rex field=user "(?<username>[^@]+)"
| rex field=src_ip "(\:\:ffff\:)?(?<src_ip_4>[0-9\.]+)"
| transaction username, src_ip_4 maxspan=10h keepevicted=true startswith=(EventCode=4768)
| where closed_txn=0
| search NOT user="*$@*"
| table _time, ComputerName, username, src_ip_4, service_name, category
```
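The following Python script is an added example, not part of the original note or of any tool listed above. It implements the correlation described in the direct-indicators table and in the Splunk template: service-ticket activity (4769/4770) for an account and client IP with no TGT request (4768) in the preceding 10 hours. It goes beyond the Splunk template in one respect: a 4770 that renews the TGT re-arms the window, so a legitimate session older than 10 hours is not flagged. The events, account names, realm and IP addresses are constructed for the example.

```python
"""Flag Kerberos service-ticket activity with no preceding TGT request from the
same account and client IP: the core Pass the Ticket correlation.
Added example; the events below are constructed, not real log data."""
from datetime import datetime, timedelta

# Default TGT lifetime in AD is 10 hours; matches maxspan=10h in the Splunk template.
WINDOW = timedelta(hours=10)

# Constructed sample events (assumed realm CORP.LOCAL, assumed IPs). Field names
# follow the Windows Security log as Splunk ingests it.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T00:00:00", "EventCode": 4768, "TargetUserName": "carol@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.30", "ServiceName": "krbtgt"},
    {"time": "2024-05-01T08:00:00", "EventCode": 4768, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.15", "ServiceName": "krbtgt"},
    {"time": "2024-05-01T08:00:05", "EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.15", "ServiceName": "cifs/FS01"},
    {"time": "2024-05-01T08:30:00", "EventCode": 4768, "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.20", "ServiceName": "krbtgt"},
    # alice's ticket is used from 10.0.0.99, a host that never requested a TGT for her: injected
    {"time": "2024-05-01T09:30:00", "EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.99", "ServiceName": "cifs/DC01"},
    {"time": "2024-05-01T09:30:02", "EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.99", "ServiceName": "ldap/DC01"},
    # machine account: excluded, as in the Splunk template (user!=*$)
    {"time": "2024-05-01T09:31:00", "EventCode": 4769, "TargetUserName": "WS01$@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.99", "ServiceName": "cifs/DC01"},
    # carol's only TGT request is 11 hours old: outside the window, flagged
    {"time": "2024-05-01T11:00:00", "EventCode": 4769, "TargetUserName": "carol@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.30", "ServiceName": "cifs/FS01"},
    # bob renews his TGT (4770 for krbtgt), which re-arms his window
    {"time": "2024-05-01T18:00:00", "EventCode": 4770, "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.20", "ServiceName": "krbtgt"},
    {"time": "2024-05-01T20:00:00", "EventCode": 4769, "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.20", "ServiceName": "http/WEB01"},
]


def normalize_user(name):
    """'alice@CORP.LOCAL' -> 'alice'; machine accounts keep their trailing '$'."""
    return name.split("@", 1)[0].lower()


def normalize_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix that DCs log for IPv4 clients."""
    return addr.removeprefix("::ffff:")


def is_tgt_seed(ev):
    """A 4768 (TGT issued) re-arms the window. So does a 4770 that renews the TGT
    (ServiceName krbtgt); treating renewals as seeds is this example's extension
    of the Splunk template, which only starts transactions on 4768."""
    if ev["EventCode"] == 4768:
        return True
    return ev["EventCode"] == 4770 and ev.get("ServiceName", "").lower().startswith("krbtgt")


def find_ticket_use_without_tgt(events, window=WINDOW):
    """Return service-ticket events (4769/4770) whose account+client IP pair has
    no TGT request within `window` before them. Machine accounts are ignored."""
    last_tgt = {}   # (user, client_ip) -> time of the most recent TGT request/renewal
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user = normalize_user(ev["TargetUserName"])
        if user.endswith("$"):
            continue
        key = (user, normalize_ip(ev["IpAddress"]))
        ts = datetime.fromisoformat(ev["time"])
        if is_tgt_seed(ev):
            last_tgt[key] = ts
        elif ev["EventCode"] in (4769, 4770):
            seed = last_tgt.get(key)
            if seed is None:
                reason = "no TGT request (4768) seen from this client"
            elif ts - seed > window:
                reason = f"last TGT request at {seed.isoformat()} is older than {window}"
            else:
                continue
            findings.append({
                "time": ev["time"], "user": user, "src_ip": key[1],
                "event": ev["EventCode"], "service": ev["ServiceName"], "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_ticket_use_without_tgt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']}@{f['src_ip']} {f['event']} {f['service']}: {f['reason']}")
```

Run against real data, the events would come from the DC Security logs only (4768, 4769 and 4770 are all logged by the KDC), keyed on the Client Address field. Two sources of noise remain: a host whose DC logs were not collected produces a "no 4768" hit for every user on it, and clients that renewed a TGT before the collection window started show up as "older than window" until their next 4768.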
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Credential protection | Protect LSASS with Credential Guard, LSA protection (RunAsPPL) and EDR | Critical | Credential Guard isolates the TGT and its session key, so a TGT dumped from LSASS is not usable elsewhere; service tickets in a logon session can still be retrieved, and injection through the LSA API needs no LSASS memory access, so these controls raise the cost of extraction rather than blocking reuse of a ticket stolen elsewhere. |
| Privileged access management | Restrict where privileged accounts log on (tiering) and place them in Protected Users | High | Tickets can only be stolen from hosts where the account has authenticated; Protected Users also disables RC4 for the account and caps its TGT at 4 hours, non-renewable. |
| Monitoring | Alert on LSASS access and on service-ticket use without a matching TGT request | High | Early detection of ticket extraction and injection. |
| Network segmentation | Limit lateral movement opportunities | High | Reduces the number of services a stolen ticket can reach. |
| Session management | Reduce Kerberos ticket lifetime where possible (default TGT 10 hours, service ticket 600 minutes) | Medium | Shortens the window in which a stolen ticket is valid; a ticket cannot be revoked before it expires. |