What Is Pass-the-Ticket (PtT)?


Updated on September 17, 2025

Pass-the-Ticket (PtT) is a post-exploitation technique in which an attacker authenticates to network services with stolen Kerberos tickets instead of a password or password hash. Because a ticket is a genuine credential issued by the domain's Key Distribution Center, the attacker never goes through an interactive logon, and the resulting lateral movement across the enterprise network looks like ordinary Kerberos traffic to controls that only watch for failed or unusual logons.

Understanding PtT attacks matters because the technique works at the protocol level: it uses the authentication mechanism exactly as designed, so to many monitoring tools the malicious sessions are indistinguishable from the legitimate user's own activity.

This technique has become increasingly prevalent in advanced persistent threat (APT) campaigns and targeted attacks against enterprise environments. The attack’s effectiveness stems from its ability to impersonate legitimate users while leaving minimal forensic evidence, making incident response and attribution significantly more challenging.

Definition and Core Concepts

Pass-the-Ticket attacks exploit a property of the Kerberos design: a ticket together with its session key is a bearer credential. Whoever holds both can use the ticket until it expires, and the service that accepts it has no way to tell that the holder is not the user it was issued to. Once an attacker controls a host, they extract the cached tickets and session keys from memory and present them to other network services as that user.

The attack leverages several key Kerberos components that security professionals must understand:

  • Kerberos Ticket: A data structure issued by the Key Distribution Center (KDC) that serves as proof of authentication. A ticket is encrypted with the long-term key of the service it is for, and inside it carries the session key and the client's authorization data (on Windows, the Privilege Attribute Certificate with the user's group memberships), which the service uses to decide what the client may access. The client receives its own copy of the session key alongside the ticket, and that pair is what credential dumping tools export.
  • Ticket-Granting Ticket (TGT): The ticket issued at logon, encrypted with the krbtgt account's key, that lets a client request service tickets for any resource without re-entering credentials. By default a TGT is valid for 10 hours and renewable for up to 7 days. TGTs are the most valuable target because a single TGT yields service tickets for every service the user is allowed to reach.
  • Service Ticket: A ticket issued by the KDC for one service, identified by its service principal name (SPN), such as cifs/fileserver01. It grants access to that service only and cannot be used to request further tickets.
  • Lateral Movement: The technique of moving from one compromised system to additional systems within the same network environment. PtT serves as a primary method for achieving this movement without additional credential theft.

The distinction between PtT and Pass-the-Hash (PtH) lies in what the attacker steals. PtH uses an NTLM password hash, a long-term secret that stays valid until the password changes and that is replayed in NTLM challenge-response (or used to request a fresh TGT, the overpass-the-hash variant). PtT uses a ticket and session key the KDC has already issued: no long-term secret is needed, a stolen TGT or service ticket requires no new authentication request to the KDC, and the technique works even where NTLM has been disabled. The trade-off for the attacker is that tickets expire, so the stolen material has a limited shelf life.

How It Works

The PtT attack methodology follows a predictable sequence that security teams can monitor and detect with proper tooling and procedures.

Initial Compromise and Credential Dumping

The attack begins when an adversary gains a foothold on a domain-joined host through phishing, vulnerability exploitation, or another initial-access technique. From there, the attacker runs credential dumping tools such as Mimikatz or Rubeus to extract tickets from memory.

These tools read the Local Security Authority Subsystem Service (LSASS) process, which caches the Kerberos tickets of every logon session on the host, including those of administrators who have connected to it. Reading another session's tickets requires administrative or SYSTEM privileges (Mimikatz's sekurlsa::tickets needs SeDebugPrivilege), so the attacker usually escalates first. The current user's own tickets are a different matter: the LSA hands them to their owner through a documented API, so klist, Rubeus dump or Mimikatz's kerberos::list /export return them without elevation.

Ticket Acquisition

During the dumping process, attackers prioritize TGTs belonging to privileged accounts: domain administrators, service accounts, or users with elevated permissions. The value of an extracted ticket depends on the account's permissions and on how long the ticket remains valid (and, for a renewable TGT, renewable).

Service tickets for specific resources are also worth taking, although each one opens a single service rather than the whole domain. Their advantage is that the accepting service does not contact the KDC, so using a stolen service ticket generates no additional KDC events. The attacker weighs each ticket's validity period and associated permissions to decide where to move next.

Ticket Injection

The stolen ticket must be loaded into a logon session the attacker controls before it can be used. Importing the ticket, with its session key, into that session's Kerberos cache makes the operating system treat the session as already authenticated as the ticket's owner, so every subsequent network request from that session presents the stolen ticket.

Mimikatz (kerberos::ptt) and Rubeus (ptt) import a ticket into the current session or, given a logon ID, into another one. On Linux the equivalent is writing the ticket into a credential cache file and pointing KRB5CCNAME at it, which the Impacket tools honour with their -k -no-pass options. This step establishes the authentication context for everything that follows.

Lateral Movement

With the stolen ticket in the session's cache, the attacker reaches network resources as that user. Ordinary Windows networking such as net use, dir \\server\share, PowerShell remoting or WMI presents the injected ticket automatically, as long as the target is addressed by a name the client can map to an SPN; connecting to a raw IP address makes the client fall back to NTLM, which the ticket cannot satisfy.

This stage is the actual "pass-the-ticket" operation, where the stolen authentication material is presented to target services. Because the technique uses legitimate Windows networking functionality, the activity looks normal to any monitoring that does not correlate which host obtained which ticket.

Access and Escalation

The target service decrypts the presented ticket with its own long-term key and grants access based on the authorization data inside it; no round trip to a domain controller is required (a service may optionally ask a DC to verify the PAC signature, but that check cannot reveal that the ticket was stolen). Once access is established, the attacker can exfiltrate data, compromise additional systems, or harvest further credentials.

The success of this stage depends on the permissions associated with the compromised account and the security controls implemented on target systems. Attackers often use this access to establish persistence mechanisms or compromise additional high-value accounts.

Mitigation and Security Implications

PtT attacks present significant challenges for enterprise security because they exploit legitimate authentication mechanisms rather than relying on obvious malicious behavior. Effective defense requires a multi-layered approach that addresses both prevention and detection.

Multi-Factor Authentication (MFA)

MFA strengthens initial authentication, but it offers limited protection against PtT once a user session exists. The ticket is issued after the user has satisfied every factor, and a ticket stolen from that session carries the proof of that authentication with it; the attacker never has to present the second factor.

However, implementing MFA for privileged accounts and sensitive resources creates additional barriers that force attackers to compromise multiple authentication factors. This increases the complexity and visibility of attack operations.

Restricted Admin Mode and Credential Guard

Modern Windows systems include features built specifically against credential theft. Credential Guard uses virtualization-based security to hold the TGT session key (and NTLM hashes) in an isolated LSA process that the normal LSASS cannot read, so Mimikatz-style dumping no longer yields a usable TGT. It does not protect service tickets, and an attacker already running code inside the user's session can still use that session's tickets directly.

Restricted Admin Mode for Remote Desktop keeps an administrator's credentials from being sent to the remote host during the session, so a compromised workstation or server never receives a reusable TGT for that administrator. The same goal is served by restricting where privileged accounts may log on at all: a domain administrator who never signs in to workstations leaves no domain-admin TGT there to steal.

Principle of Least Privilege

Implementing strict privilege management reduces the impact of successful PtT attacks by limiting the resources accessible with compromised tickets. Organizations should regularly audit and minimize administrative privileges, ensuring that users have only the minimum permissions necessary for their job functions.

Service accounts are a particular risk because they often hold broad permissions and stay logged on for as long as the service runs, so their tickets sit in LSASS on every host that runs the service. They should be carefully managed with strong passwords, limited privileges, and regular credential rotation; Group Managed Service Accounts automate that rotation and keep the password out of human hands altogether.

Network Segmentation

Proper network segmentation limits lateral movement by restricting the systems that compromised accounts can access. Implementing network access controls based on user identity, device identity, and network location can contain PtT attacks even when tickets are successfully stolen.

Zero-trust network architectures provide additional protection by requiring continuous verification of access requests, even from authenticated users.

Endpoint Detection and Response (EDR)

EDR solutions can detect the tools and techniques associated with PtT attacks, including credential dumping activities, unusual authentication patterns, and suspicious lateral movement behaviors. Advanced EDR platforms use behavioral analysis to identify attack patterns that may not trigger traditional signature-based detection.

Concrete signals include Sysmon Event ID 10 (process access) against lsass.exe from an unexpected process, Kerberos events on the domain controllers (4768 TGT requests and 4769 service ticket requests) that disagree about which host obtained a user's TGT, and 4624 network logons for a user on hosts that user never signs in to.
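One way to hunt for the 4768/4769 disagreement described above, as an added example that is not part of the original article: a TGT issued to host A but injected on host B produces 4769 service ticket requests from B's address with no 4768 for that user from B. The domain controller names, the 7-day window (the default TGT renewal lifetime) and the machine-account exclusion are assumptions to adjust for the environment; the script needs rights to read the Security log on each DC.

```powershell
# Added example, not code from the original article. Correlates 4769
# (service ticket requested) with 4768 (TGT requested) on the DCs and
# reports (user, source IP) pairs that used a TGT they never requested.
# DC names and the look-back window are placeholders.
param(
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),
    [int]$LookbackDays = 7
)

$since = (Get-Date).AddDays(-$LookbackDays)

function Get-KerberosEvents {
    param([string]$Computer, [int]$Id)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated
            # 4769 logs user@REALM, 4768 logs the bare name: normalise both.
            User = ($d['TargetUserName'] -split '@')[0].ToLower()
            # IPv4 clients appear as ::ffff:a.b.c.d; strip the mapping prefix.
            Ip   = $d['IpAddress'] -replace '^::ffff:', ''
            Spn  = $d['ServiceName']
            DC   = $Computer
        }
    }
}

# Every DC logs only the requests it served, so query all of them.
$tgtReq = @(); $svcReq = @()
foreach ($dc in $DomainControllers) {
    $tgtReq += Get-KerberosEvents -Computer $dc -Id 4768
    $svcReq += Get-KerberosEvents -Computer $dc -Id 4769
}

# Index of (user, source IP) pairs that legitimately obtained a TGT.
$seenTgt = @{}
foreach ($e in $tgtReq) { $seenTgt["$($e.User)|$($e.Ip)"] = $true }

# Service ticket requests from a pair that never requested a TGT.
# Machine accounts (name ending in $) are excluded to cut noise.
$svcReq |
    Where-Object { $_.User -notlike '*$' -and -not $seenTgt["$($_.User)|$($_.Ip)"] } |
    Group-Object User, Ip |
    ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            User        = $first.User
            SourceIp    = $first.Ip
            FirstSeen   = $first.Time
            Requests    = $_.Count
            Services    = ($_.Group.Spn | Sort-Object -Unique) -join ', '
            # Where this user's TGTs were actually issued: the likely victim host.
            TgtIssuedTo = ($tgtReq | Where-Object User -eq $first.User |
                           Select-Object -ExpandProperty Ip -Unique) -join ', '
        }
    } | Sort-Object FirstSeen | Format-Table -AutoSize
```

Expect benign hits from clients whose address changed mid-session (VPN, DHCP, NAT) and from TGTs older than the window that were only renewed (a renewal is a 4769 with ServiceName krbtgt, not a new 4768), so tune the window and the exclusions before alerting on the output. A hit whose Services column lists cifs or HTTP on a domain controller, for a user whose TgtIssuedTo is a workstation, is the pattern worth paging on.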

Limit Ticket Lifetime

Reducing the maximum lifetime of Kerberos tickets limits the window in which a stolen ticket works. Two settings matter: the user ticket lifetime (10 hours by default) and the user ticket renewal lifetime (7 days by default). A stolen TGT can be renewed with its session key, so lowering the first without the second still leaves the attacker a week; both live in the Kerberos Policy of the Default Domain Policy. Shorter lifetimes mean more frequent re-authentication, which Windows performs silently for interactively logged-on users, and they significantly reduce the persistence of stolen tickets. When a theft is confirmed, resetting the krbtgt account password twice invalidates every outstanding TGT immediately.

Organizations should balance security requirements with operational needs when configuring ticket lifetimes, considering factors such as user workflow patterns and network connectivity requirements.
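A way to audit the settings just discussed, as an added example that is not code from the original article: the script exports the effective security policy on a domain controller with secedit and compares the [Kerberos Policy] values against thresholds. The thresholds (8 hours, 1 day, 480 minutes) are hypothetical and stand in for the organisation's own decision; the script assumes it runs elevated on a DC, where the domain Kerberos policy is the effective one.

```powershell
# Added example, not code from the original article. Reads the effective
# Kerberos policy with secedit and flags lifetimes above the thresholds.
# Thresholds are hypothetical placeholders. Run elevated on a DC.
param(
    [int]$MaxTicketHours    = 8,    # Maximum lifetime for user ticket
    [int]$MaxRenewDays      = 1,    # Maximum lifetime for user ticket renewal
    [int]$MaxServiceMinutes = 480   # Maximum lifetime for service ticket
)

$tmp = Join-Path $env:TEMP 'kerbpolicy.inf'
secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null

# Parse only the [Kerberos Policy] section of the exported template.
# Units as stored there: MaxTicketAge hours, MaxRenewAge days,
# MaxServiceAge minutes, MaxClockSkew minutes.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $tmp) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Kerberos Policy')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $tmp -ErrorAction SilentlyContinue

$checks = @(
    @{ Setting = 'MaxTicketAge';  Unit = 'hours';   Limit = $MaxTicketHours },
    @{ Setting = 'MaxRenewAge';   Unit = 'days';    Limit = $MaxRenewDays },
    @{ Setting = 'MaxServiceAge'; Unit = 'minutes'; Limit = $MaxServiceMinutes }
)

$checks | ForEach-Object {
    $current = $policy[$_.Setting]
    [pscustomobject]@{
        Setting   = "$($_.Setting) ($($_.Unit))"
        Current   = $current
        Limit     = $_.Limit
        # A missing value means the section was not exported (not a DC or
        # not elevated) and is reported as non-compliant rather than ignored.
        Compliant = ($null -ne $current -and $current -le $_.Limit)
    }
} | Format-Table -AutoSize
```

The renewal lifetime is the one most often left at its default; on the table above, a compliant MaxTicketAge next to a non-compliant MaxRenewAge is exactly the configuration that lets a stolen TGT be renewed for days after the shorter ticket lifetime would have ended it. A change to either value applies only to tickets issued after the domain controllers refresh Group Policy; tickets already in circulation run to their existing end time.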
