Pass-the-Ticket (PtT) is an attack where an attacker steals a Kerberos ticket (a TGT or a service ticket) from a machine’s memory and injects it into their own session to authenticate as the ticket’s owner, no password or hash needed. It is the Kerberos counterpart of Pass-the-Hash. Tickets are harvested from LSASS with tools like Mimikatz or Rubeus, and a stolen TGT for a privileged user is a direct path to their access.
What Pass-the-Ticket is
In Kerberos, a valid ticket is proof of identity. Windows keeps the tickets of logged-in users in LSASS memory so they do not have to re-authenticate.
Pass-the-Ticket is stealing one of those tickets and presenting it as your own. A stolen TGT lets the attacker request service tickets as the victim; a stolen service ticket opens that one service. Because the ticket itself is the credential, the attacker never needs the password or the hash.
How it is done and payload
The attacker harvests tickets, then injects the one they want:
- Dump tickets from memory:
`sekurlsa::tickets /export` (Mimikatz) or `Rubeus.exe dump`
- Inject a stolen ticket into the current session:
`kerberos::ptt ticket.kirbi` (Mimikatz) or `Rubeus.exe ptt /ticket:<base64>`
- Act as the victim, for example requesting access to systems the stolen TGT allows.
Documented techniques shown for defensive context.
How to defend
- Enable Credential Guard so tickets in LSASS cannot be read by ordinary admin-level tools.
- Add privileged users to Protected Users, which shortens ticket lifetimes and hardens Kerberos for them.
- Keep Domain Admins off ordinary machines so their tickets are never sitting in a workstation’s memory.
- Limit ticket lifetimes and monitor for ticket export or injection activity.
- Detect abnormal Kerberos usage from unexpected hosts.
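To make the monitoring point concrete, here is an added example (not from the original page) that correlates constructed KDC audit events: a service-ticket request (event 4769) from a client that never obtained a TGT (event 4768) for that user in the collection window is one signature of an injected ticket. The JSON field names, hostnames and IP addresses are assumptions.

```python
# Added example: flag service-ticket use from hosts that never requested a TGT
# for that user, a Pass-the-Ticket indicator. Assumes Security-log events exported
# as one JSON object per line with the field names below (constructed sample data).
import json
from collections import defaultdict

# Constructed sample events: 4768 = TGT issued, 4769 = service ticket issued.
# WS01 (10.0.0.11) obtained a TGT for alice and used it normally. 10.0.0.77 never
# requested a TGT for da-bob yet requests service tickets as him: consistent with
# a TGT injected via kerberos::ptt / Rubeus ptt.
SAMPLE_LOG = """
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.11", "ServiceName": "krbtgt"}
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.11", "ServiceName": "cifs/fs01"}
{"EventID": 4768, "TargetUserName": "da-bob", "IpAddress": "10.0.0.5", "ServiceName": "krbtgt"}
{"EventID": 4769, "TargetUserName": "da-bob@CORP.LOCAL", "IpAddress": "10.0.0.77", "ServiceName": "cifs/dc01"}
{"EventID": 4769, "TargetUserName": "da-bob@CORP.LOCAL", "IpAddress": "10.0.0.77", "ServiceName": "ldap/dc01"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def normalize_user(name):
    # 4769 carries user@REALM while 4768 carries the bare account name
    return name.split("@", 1)[0].lower()

def find_tgt_less_service_requests(events):
    """Return (user, client_ip, services) for every client that requested
    service tickets as a user without ever obtaining a TGT for that user."""
    tgt_sources = defaultdict(set)   # user -> IPs that received a TGT
    tgs_usage = defaultdict(set)     # (user, ip) -> services requested
    for ev in events:
        user = normalize_user(ev["TargetUserName"])
        if ev["EventID"] == 4768:
            tgt_sources[user].add(ev["IpAddress"])
        elif ev["EventID"] == 4769:
            tgs_usage[(user, ev["IpAddress"])].add(ev["ServiceName"])
    findings = []
    for (user, ip), services in sorted(tgs_usage.items()):
        if ip not in tgt_sources[user]:
            findings.append((user, ip, sorted(services)))
    return findings

if __name__ == "__main__":
    for user, ip, services in find_tgt_less_service_requests(parse_events(SAMPLE_LOG)):
        print(f"possible pass-the-ticket: {user} from {ip} with no TGT request; services={services}")
```

A host can legitimately hold a TGT issued before the start of the collected window, so run the correlation over a window longer than the domain's maximum TGT lifetime or baseline expected hosts per account to keep false positives down.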