Detecting Pass the Hash, Pass the Ticket, Golden Ticket and Other Methods of Kerberos Credential Theft


Kerberos Credential Theft

Pass the Hash, Pass the Ticket and Kerberoasting are examples of the multitude of ways a hacker can gain access to account credentials and move laterally in a network.  Techniques such as these are observed in real-world attacks and in red team exercises.  These actions are only a means of furthering the attacker’s progression, not the attacker’s ultimate end goal.  Cognito Detect’s coverage focuses on identifying the progression of an attacker toward their end goal and not on the various ways credentials can be stolen.  Read on to learn more about these attack techniques and how Cognito Detect identifies their usage.

Pass The Hash [Mitre: T1075]

Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique.

Pass The Ticket [Mitre: T1097]

Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system. 

In this technique, valid Kerberos tickets for Valid Accounts are captured by Credential Dumping. A user’s service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.

Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource.

Golden Tickets can be obtained for the domain using the NTLM hash of the KRBTGT account (the Key Distribution Service account), which enables generation of TGTs for any account.

Kerberoasting [Mitre: T1208]

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.
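A defender-side check for the RC4 request pattern described above, as an added example that is not from Vectra or Cognito Detect. It assumes Windows Security event 4769 (service ticket requested) records already parsed into dictionaries; the sample records, account names and the threshold are constructed.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # Kerberos etype 23, the RC4 type named in the text


def ev(user, service, etype, status="0x0"):
    """Build one constructed 4769 record with only the fields used below."""
    return {"TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample data: every account and service name here is made up.
EVENTS = [
    ev("alice@CORP.EXAMPLE", "svc-sql", "0x12"),      # AES256 ticket, not RC4
    ev("carol@CORP.EXAMPLE", "svc-legacy", "0x17"),   # one legacy RC4 service
    ev("bob@CORP.EXAMPLE", "svc-sql", "0x17"),
    ev("bob@CORP.EXAMPLE", "svc-web", "0x17"),
    ev("bob@CORP.EXAMPLE", "svc-backup", "0x17"),
    ev("bob@CORP.EXAMPLE", "DC01$", "0x17"),          # machine account
    ev("bob@CORP.EXAMPLE", "svc-hr", "0x17", "0x6"),  # request failed
]


def rc4_ticket_requesters(events, min_distinct_spns=3):
    """Return {account: sorted service names} for accounts that were issued
    RC4 service tickets for at least min_distinct_spns distinct services."""
    seen = defaultdict(set)
    for e in events:
        if int(e["Status"], 16) != 0:
            continue  # no ticket was issued
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # AES and other etypes are out of scope for this check
        service = e["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are not user-set passwords
        seen[e["TargetUserName"]].add(service)
    return {acct: sorted(svcs) for acct, svcs in seen.items()
            if len(svcs) >= min_distinct_spns}


if __name__ == "__main__":
    for account, services in rc4_ticket_requesters(EVENTS).items():
        print(f"{account}: RC4 tickets for {len(services)} services: {services}")
```

The threshold is what separates a single legacy RC4 service from one account collecting RC4 tickets across many services; it has to be tuned to how much RC4 the environment still uses.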


Vectra’s Approach to Kerberos Attacks in Cognito Detect

Vectra focuses on deeply understanding and detecting how attackers actually use credentials to achieve their objectives, not on the countless techniques with which credentials can be stolen.

Each of the methods detailed above achieves the same goal of accessing a valid credential, whether in the form of a password, hash, key or ticket.  There are several other ways to find valid credentials: registry keys, start-up scripts, etc.  Regardless of how the credential is found, an attacker will use it to move towards their ultimate goal within an environment.

While identifying individual credential harvesting techniques is possible, e.g. by tracking the use of RC4 in Kerberoasting, looking for glitches in the signatures of tickets, or identifying tickets that show up in TGS which were not issued by an approved Active Directory, the deployment of these individual attack-focused solutions is cumbersome, since they require always-perfect knowledge of the state of the whole network to identify these activities.  In short, approaches to detecting these attacks individually work well in theory but are near impossible to deploy at scale.

Cognito Detect takes a different approach to identifying these techniques. The normal behaviors of accounts are monitored to understand what resources they use and in which ways.  This includes analysis of the resources normally used by everyone in a network versus those used seldom and by only a few powerful users.  Learning is done without relying on Active Directory configuration information, leading to an understanding of the actual network resource access behavior, instead of an idealized version of what occurs in the network.  This allows Cognito Detect to identify with high confidence when a given resource access should or should not be occurring in the environment.
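A minimal sketch of the idea in the paragraph above: learn which accounts use which resources from observed traffic, then judge a new access against that. This is an added example, not Cognito Detect's algorithm; the function names, the 25% rarity cut-off, the labels and the sample accesses are all assumptions made for illustration.

```python
from collections import defaultdict


def learn(baseline):
    """Build the model from observed (account, resource) accesses only;
    no directory or group-membership data is consulted."""
    by_account, by_resource = defaultdict(set), defaultdict(set)
    for account, resource in baseline:
        by_account[account].add(resource)
        by_resource[resource].add(account)
    return by_account, by_resource


def score_access(model, account, resource, rare_fraction=0.25):
    """Classify one new access as 'expected', 'new' or 'suspicious'."""
    by_account, by_resource = model
    if resource in by_account.get(account, ()):
        return "expected"            # this account already uses this resource
    users = by_resource.get(resource, set())
    if users and len(users) / len(by_account) <= rare_fraction:
        # Resource is used by only a few accounts and this is not one of them.
        return "suspicious"
    return "new"                     # first use of a common or unseen resource


# Constructed baseline: eight accounts, one file server everyone uses,
# one print server half of them use, one admin share used by a single account.
ACCOUNTS = ["u1", "u2", "u3", "u4", "u5", "u6", "u7", "admin1"]
BASELINE = (
    [(a, "files01") for a in ACCOUNTS]
    + [(a, "print01") for a in ("u1", "u2", "u4", "u5")]
    + [("admin1", "dc01-admin")]
)
MODEL = learn(BASELINE)

if __name__ == "__main__":
    for acct, res in [("u3", "files01"), ("u3", "print01"), ("u3", "dc01-admin")]:
        print(acct, res, score_access(MODEL, acct, res))
```

The last access is flagged without knowing whether u3's credential was obtained through a hash, a ticket or a cracked password, which is the point the paragraph makes.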

Cognito Detect’s approach of detecting credential theft through the use of the stolen credentials is a highly effective and future-proof means of quickly and confidently identifying attackers.  In the future, new weaknesses in the Kerberos protocol will be identified, resulting in new attack techniques for stealing credentials.  Cognito Detect will continue to report on the behavioral signals of these attackers regardless of the techniques used to steal the credentials.


Relevant Detections in Cognito Detect

Privileged Access Analytics (PAA) Suite of Detections

Suspicious Admin

Suspicious Remote Execution

