Pass the Ticket
Pass the ticket (PtT) is a type of lateral movement attack that is used to access a remote system without having access to an account’s password.
In Secureworks® Taegis™ XDR, the Pass the Ticket detector monitors Windows Event logs representing interactions with Kerberos: event IDs 4768, 4769, and 4770. The detector correlates these Windows event entries across monitored infrastructure to look for irregularities in Kerberos ticket use and requests. The fixed correlation window is set to the default Kerberos ticket duration of seven days.
Unmonitored infrastructure or non-default Kerberos configurations (a changed default ticket lifetime, for example) may cause false positive alerts. The detector has thresholds to keep most of these to a minimum.
Pass the Ticket Alert
Inputs
Windows Event Logs representing Kerberos system interactions, ingested and normalized into the Secureworks® Taegis™ XDR data lake. Data latency is about an hour. The detector correlates daily during a nightly batch process, with alert latency at a minimum of two hours and a maximum of 26 hours. Where raw events are aggregated into a single alert, the timestamp of the alert is that of the earliest raw event.
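As an added illustration (not Secureworks' own detector code; the page does not disclose the detector's actual logic), the following Python sketch applies one common correlation of the kind described above to a handful of constructed events: a service-ticket request (4769) or renewal (4770) for an account from a client address that has no TGT request (4768) for the same account and address within the seven-day window is treated as unexplained ticket use, unexplained events are aggregated per account and client address, an alert is emitted once a hypothetical `min_events` threshold is met, and the alert carries the timestamp of the earliest raw event. The event field names, the sample events and the threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs the detector consumes (page-stated).
TGT_REQUEST = 4768   # A Kerberos authentication ticket (TGT) was requested
TGS_REQUEST = 4769   # A Kerberos service ticket was requested
TGT_RENEWAL = 4770   # A Kerberos service ticket was renewed
TICKET_USE = {TGS_REQUEST, TGT_RENEWAL}

# Seven days: the default Kerberos ticket lifetime the page uses as its
# fixed correlation window.
CORRELATION_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class KerberosEvent:
    """Normalized event; field names are an assumption, not the XDR schema."""
    event_id: int
    timestamp: datetime
    account: str        # e.g. TargetUserName
    client_ip: str      # e.g. IpAddress
    service: str = ""   # e.g. ServiceName (4769/4770 only)


def correlate(events, window=CORRELATION_WINDOW, min_events=1):
    """Correlate ticket issuance against ticket use per (account, client_ip).

    A 4769/4770 with no 4768 for the same account and client address inside
    `window` is 'unexplained'.  Unexplained events are aggregated into one
    alert per (account, client_ip) once `min_events` (hypothetical threshold)
    is reached; the alert timestamp is that of the earliest raw event.
    """
    last_tgt = {}                       # (account, ip) -> time of latest 4768
    unexplained = defaultdict(list)     # (account, ip) -> [events]

    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.account, ev.client_ip)
        if ev.event_id == TGT_REQUEST:
            last_tgt[key] = ev.timestamp
        elif ev.event_id in TICKET_USE:
            issued = last_tgt.get(key)
            # No TGT from this host, or the TGT is older than the window
            if issued is None or ev.timestamp - issued > window:
                unexplained[key].append(ev)

    alerts = []
    for (account, ip), evs in unexplained.items():
        if len(evs) < min_events:
            continue
        alerts.append({
            "account": account,
            "client_ip": ip,
            "timestamp": evs[0].timestamp,   # earliest raw event (sorted above)
            "event_count": len(evs),
            "services": sorted({e.service for e in evs}),
        })
    return sorted(alerts, key=lambda a: a["timestamp"])


# Constructed sample events (deliberately out of order; not real telemetry).
SAMPLE_EVENTS = [
    KerberosEvent(4769, datetime(2024, 5, 1, 9, 10), "alice", "10.0.0.77", "ldap/dc01"),
    KerberosEvent(4768, datetime(2024, 5, 1, 8, 0), "alice", "10.0.0.5"),
    KerberosEvent(4769, datetime(2024, 5, 1, 8, 5), "alice", "10.0.0.5", "cifs/fileserver"),
    KerberosEvent(4769, datetime(2024, 5, 1, 9, 0), "alice", "10.0.0.77", "cifs/fileserver"),
    # bob's only TGT on this host is 11 days old, beyond the 7-day window
    KerberosEvent(4768, datetime(2024, 4, 20, 8, 0), "bob", "10.0.0.9"),
    KerberosEvent(4769, datetime(2024, 5, 1, 10, 0), "bob", "10.0.0.9", "http/intranet"),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, this flags alice's ticket use from 10.0.0.77 (two service tickets, no TGT from that address) and bob's use of a TGT older than the window; with `min_events=2` only the alice aggregate survives, which is the kind of thresholding the page refers to for suppressing isolated false positives such as a host whose 4768 was simply never collected.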
Outputs
Pass the Ticket alerts pushed to the Secureworks® Taegis™ XDR Alert Database and Secureworks® Taegis™ XDR Dashboard.
MITRE ATT&CK Category
MITRE Enterprise ATT&CK - Defense Evasion, Lateral Movement - Pass the Ticket. For more information, see MITRE Technique T1550.003.
Configuration Options
None
Detector Requirements
- Auth