Detailedlikelihood: Lowseverity: HighStable

CAPEC-645Use of Captured Tickets (Pass The Ticket)

Abstraction
Detailed
Status
Stable
Likelihood
Low
Severity
High

Description

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

Related weaknesses· 3

CWE-522CWE-294CWE-308

MITRE ATT&CK crosswalk· 1

T1550.003: Use Alternate Authentication Material:Pass The Ticket

Related attack patterns· 2

CAPEC-652 (ChildOf)CAPEC-151 (CanPrecede)

Exploits3

TypeTargetConfidenceTier
WeaknessInsufficiently Protected Credentialscwe-522100%live
WeaknessUse of Single-factor Authenticationcwe-308100%live
WeaknessAuthentication Bypass by Capture-replaycwe-294100%live

Related to1

TypeTargetConfidenceTier
SubTechniquePass the Tickett1550.003100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

Sub-technique
Pass the Ticket
CAPEC
Kerberoasting
CAPEC
Use of Known Kerberos Credentials
CAPEC
Use of Captured Hashes (Pass The Hash)
Sub-technique
Silver Ticket
CAPEC
Authentication Abuse
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.