conducting-pass-the-ticket-attack
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/conducting-pass-the-ticket-attackImpersonate users via stolen Kerberos tickets for red teaming.
- Enables lateral movement without password knowledge.
- Extracts and injects tickets from LSASS memory.
- Validates security controls through authorized testing.
- Delivers authenticated access to protected resources.
SKILL.md
.github/skills/conducting-pass-the-ticket-attackView on GitHub ↗
--- name: conducting-pass-the-ticket-attack description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets fro domain: cybersecurity subdomain: red-teaming tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, kerberos, pass-the-ticket, lateral-movement] version: "1.0" author: mahipal license: Apache-2.0 --- # Conducting Pass-the-Ticket Attack > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Overview Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from memory (LSASS) on a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user. ## When to Use - When conducting security assessments that involve conducting pass the ticket attack - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - Familiarity with red teaming concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## MITRE ATT&CK Mapping - **T1550.003** - Use Alternate Authentication Material: Pass the Ticket - **T1003.001** - OS Credential Dumping: LSASS Memory - **T1558** - Steal or Forge Kerberos Tickets - **T1021.002** - Remote Services: SMB/Windows Admin Shares ## Workflow ### Phase 1: Ticket Extraction 1. Gain local admin access on target workstation 2. Dump Kerberos tickets from LSASS memory using Mimikatz or Rubeus 3. Export tickets in .kirbi format (Mimikatz) or base64 (Rubeus) 4. Identify high-value tickets (Domain Admin TGTs, service tickets to critical systems) ### Phase 2: Ticket Injection 1. Purge existing Kerberos tickets from attacker session 2. Import/inject stolen ticket into current session 3. Verify ticket is loaded and valid 4. Access target resources using injected ticket ### Phase 3: Lateral Movement 1. Access remote systems using the stolen ticket identity 2. Perform actions as the impersonated user 3. Collect additional credentials from accessed systems 4. Document evidence of successful lateral movement ## Tools and Resources | Tool | Purpose | Command | |------|---------|---------| | Mimikatz | Ticket export/import | sekurlsa::tickets /export, kerberos::ptt | | Rubeus | Ticket dumping and injection | dump, ptt, tgtdeleg | | Impacket ticketConverter | Convert between formats | ticketConverter.py ticket.kirbi ticket.ccache | | Impacket psexec/smbexec | Remote execution with ticket | KRB5CCNAME=ticket.ccache psexec.py | ## Detection Indicators - Event ID 4768 with unusual client addresses - Event ID 4769 service ticket requests from unexpected hosts - TGT usage from different IP than the TGT was issued to - Multiple authentications from same ticket across different workstations ## Validation Criteria - [ ] Kerberos tickets extracted from compromised host - [ ] Tickets injected into attacker session - [ ] Lateral movement demonstrated using stolen tickets - [ ] Evidence captured for reporting
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.