CAPEC Details
Name Use of Captured Tickets (Pass The Ticket)
Likelyhood of attack Typical severity
Low High
Summary An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
Prerequisites The adversary needs physical access to the victim system. The use of a third-party credential harvesting tool.
Solutions Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them. Monitor system and domain logs for abnormal access.
Related Weaknesses
CWE ID Description
CWE-294 Authentication Bypass by Capture-replay
CWE-308 Use of Single-factor Authentication
CWE-522 Insufficiently Protected Credentials
Related CAPECS
CAPEC ID Description
CAPEC-151 Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.
CAPEC-652 An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. Kerberos is the default authentication method for Windows domains and is utilized for numerous authentication purposes. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the Windows domain or access to any resources the service account is privileged to access, among other things. Kerberos credentials can be obtained by an adversary via methods such as system breaches, network sniffing attacks, and/or brute force attacks against the Kerberos service account or the hash of a service ticket. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.
Taxonomy: ATTACK
Entry ID Entry Name
1550.003 Use Alternate Authentication Material:Pass The Ticket