CAPEC-645 Use of Captured Tickets (Pass The Ticket)

CAPEC ID: 645

CAPEC-645 Metadata

Likelihood of Attack

Low

Typical Severity

High

Overview

Summary

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

Prerequisites

The adversary needs physical access to the victim system. The use of a third-party credential harvesting tool.

Potential Solutions / Mitigations

Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them. Monitor system and domain logs for abnormal access.

Related Weaknesses (CWE)

CWE ID Description
CWE-294 Authentication Bypass by Capture-replay
CWE-308 Use of Single-factor Authentication
CWE-522 Insufficiently Protected Credentials

Related CAPECs

CAPEC ID Description
CAPEC-151 Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-652 An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1550.003 Use Alternate Authentication Material:Pass The Ticket

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.