It's that time of the year again and, as per previous years, the bad guys are still extensively exploiting Kerberos to gain unauthorized access to systems. One method frequently being observed is Pass-The-Ticket attacks, which are carried out to extract valid Kerberos service tickets and use them for lateral movement across networks. We'll jump more into this attack method later on, but first we must understand the key functions of Kerberos.

What is Kerberos?

Kerberos is a Single Sign-On (SSO) network authentication access control service extensively used in Windows and other operating systems. It uses tickets exchanged between clients and servers to provide identity and authentication. At the center of the Kerberos infrastructure is the Key Distribution Center (KDC), which distributes an authenticated Ticket Granting Ticket (TGT) to authorized clients. Clients requesting access to specific resources are issued service tickets via the Ticket Granting Service (TGS), if they are authorized to access the resources.

How does a user authenticate via Kerberos?

  1. User enters their credentials into client.
  2. Credentials are encrypted and sent to KDC.
  3. KDC verifies user against database of valid credentials.
  4. KDC creates a TGT containing identification data.
  5. KDC sends TGT to the client for use.

The end result is that the client has access to the system.

How does a user access other network resources?

  1. Client sends TGT to KDC.
  2. KDC verifies TGT is valid and authorized to access resource.
  3. KDC creates a service ticket.
  4. KDC sends service ticket to the client for use.
  5. Client sends service ticket to the resource server.
  6. Resource server verifies the service ticket is valid via KDC.

The end result is that the client has access to the resource.

What do we know about service tickets?

Service tickets are encrypted and contain a variety of information, including but not limited to: a symmetric key, which is encrypted with the hash of a user's password; other user identification information, including their IP address; request information; and expiration time. Service tickets are typically valid for 10 hours; however, this default value can be changed by an administrator.

This is why the KDC is of vital importance and, without its existence, users would be unable to authenticate or access the network. This does also emphasise the importance of the server hosting the KDC, as if this becomes compromised, then you are in big trouble!

What is a Pass-The-Ticket attack?

There are a variety of attack methods out there; however, one of high significance is the Pass-The-Ticket attack, which enables the threat actor to succeed in lateral movement across the network. In essence, the TGT is dumped from LSASS memory on the compromised client and then used on another client to request a new service ticket from the KDC, thus allowing the threat actor to move laterally and gain access to multiple different resources. Because the valid user account is used during the process, it can be difficult to differentiate legitimate use of authentication from malicious use. Mimikatz can be used to carry out Pass-The-Ticket processes.

How can we identify malicious Kerberos activity?

This can be notoriously difficult and, whilst as usual the answer lies within the logs, differentiating legitimate and malicious activity can be very difficult. The SYSTEM Windows event log files on your Domain Controllers will only be populated with Kerberos activity under the category 'Audit Kerberos Service Ticket Operations' if told to do so; therefore we need to make sure Kerberos event logging is enabled in the first place to allow us to monitor it.

This can be done by checking the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

To enable logging ensure the value is set to '1'.

To disable logging ensure the value is set to '0'.

What logs can we expect to see populated?

A variety of Kerberos-related event IDs can be populated within the logs; of note for service tickets are the event IDs listed below:

Event ID | Description
4769 | A Kerberos service ticket (TGS) was requested
4770 | A Kerberos service ticket (TGS) was renewed


Event ID 4769 - Windows logs this event for service ticket requests to the KDC, both successful and unsuccessful.

Event ID 4770 - Windows logs this event when service ticket renewals take place, if a user is still logged on and the ticket expired after 10 hours or the allotted time-frame.

Whilst you can expect to see a significant amount of activity, as entries are populated whenever a user logs in and as users access multiple resources, any requests which appear excessive in number should be analyzed more closely to determine whether or not the activity is legitimate, looking at the source client and IP address making the requests, the frequency of requests and typical user behavior. It is therefore of vital importance that these events are incorporated into your Security Information and Event Management (SIEM) solution, to make analysis more practical.
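The review described above (source IP, request frequency, per-user behavior) can be sketched as a small triage script. This is an added example, not part of the original post; the comma-separated layout, the sample events and the thresholds are constructed assumptions to be mapped onto your own SIEM export of Event ID 4769.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records: time, account, source IP, service.
# The column layout is an assumption; adapt it to your SIEM's export format.
SAMPLE = """\
2024-01-10T09:00:05,alice@CORP.LOCAL,10.0.0.21,cifs/fs01
2024-01-10T09:02:40,alice@CORP.LOCAL,10.0.0.21,http/intranet
2024-01-10T09:03:10,bob@CORP.LOCAL,10.0.0.34,cifs/fs01
2024-01-10T09:04:00,bob@CORP.LOCAL,10.0.0.77,cifs/backup01
2024-01-10T09:04:20,bob@CORP.LOCAL,10.0.0.77,cifs/fs02
2024-01-10T09:04:45,bob@CORP.LOCAL,10.0.0.77,cifs/dc01
2024-01-10T09:05:05,bob@CORP.LOCAL,10.0.0.77,mssql/db01
2024-01-10T11:30:00,carol@CORP.LOCAL,10.0.0.50,cifs/fs01
2024-01-10T15:45:00,carol@CORP.LOCAL,10.0.0.51,cifs/fs01
"""

def parse(text):
    """Turn the sample lines into (timestamp, account, ip, service) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, ip, service = line.split(",")
        rows.append((datetime.fromisoformat(ts), account, ip, service))
    return sorted(rows)

def review_4769(rows, window=timedelta(minutes=10), max_requests=4, max_ips=1):
    """Return {account: [reasons]}; the default thresholds are illustrative."""
    by_account = defaultdict(list)
    for row in rows:
        by_account[row[1]].append(row)
    findings = defaultdict(set)
    for account, events in by_account.items():
        start = 0
        for end, (ts, _, _, _) in enumerate(events):
            # Slide the window start forward so it spans at most `window`.
            while ts - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) > max_requests:
                findings[account].add("request burst")
            if len({e[2] for e in in_window}) > max_ips:
                findings[account].add("multiple source IPs")
    return {a: sorted(r) for a, r in findings.items()}

if __name__ == "__main__":
    for account, reasons in review_4769(parse(SAMPLE)).items():
        print(account, "->", ", ".join(reasons))
```

Tune the window and thresholds to your environment: shared hosts, VPN address pools and users working on two workstations all produce legitimate multi-IP hits, so treat a finding as a prompt for closer review rather than a verdict.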

What real-world examples have used Pass-The-Ticket attacks?

Of most significance is the Ryuk ransomware campaign. Ryuk these days is typically delivered by TrickBot, which in turn is dropped onto clients via Emotet, the attack vector typically being phishing emails. This is quite significant, because one of the main goals of ransomware is to spread laterally and encrypt as much data as possible, rendering it useless to the owner. If Ryuk can spread laterally and compromise as many clients as possible, especially backup servers, then recovery from ransomware incidents is significantly hindered.