Pass the ticket is a credential theft technique where attackers reuse Kerberos tickets to impersonate users without needing their passwords. In cybersecurity, pass the ticket attacks exploit weak ticket protection in Active Directory environments to gain persistent, lateral access.
Pass the ticket (PtT) is a post-exploitation technique targeting Kerberos authentication. Instead of stealing plaintext credentials, attackers extract valid Kerberos tickets—typically Ticket Granting Tickets (TGTs) or service tickets—and reuse them to authenticate as legitimate users.
This method bypasses traditional password-based defenses and is particularly effective in domain environments.
| Aspect | Description |
| --- | --- |
| Target Protocol | Kerberos |
| Credential Used | TGT or Service Ticket |
| Attack Stage | Post-exploitation |
| Goal | Lateral movement, privilege escalation |
| Detection Difficulty | High (no password usage) |
Attackers rely on compromised endpoints to extract Kerberos tickets from memory. Tools like Mimikatz facilitate ticket dumping and injection.
Unlike Pass-the-Hash, PtT does not require NTLM hashes, making it stealthier in Kerberos-enabled networks.
Kerberos issues multiple ticket types, but attackers focus on the following:
| Ticket Type | Purpose | Risk Level |
| --- | --- | --- |
| TGT (Ticket Granting Ticket) | Allows requesting other tickets | High |
| TGS (Service Ticket) | Grants access to specific services | Medium |
TGTs are particularly dangerous because they enable broad impersonation across services.
PtT attacks are difficult to detect because they use legitimate authentication artifacts. Traditional defenses that monitor login attempts or password anomalies often fail.
Attackers can operate silently within a network for extended periods using valid tickets.
Organizations must focus on visibility and endpoint hardening to counter PtT attacks.
Detection often relies on behavioral analytics rather than signature-based methods.
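One behavioral check of this kind, written as an added example (it is not Hexnode's code and not part of the original article): flag service ticket requests (Security event 4769 on a domain controller) from a client address where the same account has no recent TGT request (event 4768). The record layout, the field names `time`, `id`, `user`, `ip` and `service`, and the sample events are constructed for illustration; the 10-hour window assumes the default Active Directory ticket lifetime.

```python
from datetime import datetime, timedelta

# Assumption: default maximum TGT lifetime in Active Directory; adjust to domain policy.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample records (not real logs), reduced to the fields used here.
# 4768 = TGT requested, 4769 = service ticket requested (DC Security log).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "user": "alice@CORP.LOCAL", "ip": "10.0.0.21"},
    {"time": "2024-05-01T08:05:00", "id": 4769, "user": "alice@CORP.LOCAL", "ip": "10.0.0.21", "service": "cifs/fs01"},
    {"time": "2024-05-01T09:30:00", "id": 4769, "user": "alice@CORP.LOCAL", "ip": "10.0.0.77", "service": "cifs/fs02"},
    {"time": "2024-05-01T09:00:00", "id": 4768, "user": "bob", "ip": "10.0.0.34"},
    {"time": "2024-05-01T20:00:00", "id": 4769, "user": "bob@CORP.LOCAL", "ip": "10.0.0.34", "service": "http/intranet"},
]

def normalize(user):
    """Strip the realm suffix and lowercase: 'Alice@CORP.LOCAL' -> 'alice'."""
    return user.split("@", 1)[0].lower()

def find_suspect_ticket_use(events, lifetime=TGT_LIFETIME):
    """Return 4769 events lacking a 4768 for the same user and client IP within `lifetime`."""
    events = sorted(events, key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
    last_tgt = {}  # (user, ip) -> time of the most recent TGT request
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        key = (normalize(e["user"]), e["ip"])
        if e["id"] == 4768:
            last_tgt[key] = when
        elif e["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None:
                reason = "no TGT request seen from this address"
            elif when - issued > lifetime:
                reason = "last TGT request from this address is older than the ticket lifetime"
            else:
                continue  # ticket use is explained by a recent TGT request
            findings.append({**e, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_suspect_ticket_use(SAMPLE_EVENTS):
        print(f["time"], normalize(f["user"]), f["ip"], f["service"], "-", f["reason"])
```

Treat the output as leads for triage rather than verdicts: ticket renewals (event 4770), NAT, DHCP address changes and gaps in log collection all produce the same pattern.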
Hexnode provides unified endpoint management (UEM) and extended detection and response (XDR) capabilities that help mitigate credential-based attacks like PtT.
By enforcing strict endpoint controls and continuous monitoring, IT admins can reduce the attack surface and detect anomalies early.
Key capabilities:
Hexnode’s centralized visibility ensures that unauthorized lateral movement attempts are flagged quickly, enabling faster incident response.
How is Pass-the-ticket different from Pass-the-hash?
Pass-the-ticket uses Kerberos tickets, while Pass-the-hash uses NTLM hashes for authentication.
Can Pass-the-ticket attacks be completely prevented?
No, but strong endpoint security and monitoring significantly reduce the risk and impact.