What triggers a pass the ticket alert

  • Question

  • I'm trying to find out what triggers a pass the ticket alert. We have a case where a user logged in with another user's credentials on a different computer over VPN at the same time that user was on campus, and a pass the ticket alert was triggered. Is the alert triggered when an exact TGT with the exact hashes and exact sessions is seen on a different computer? Or is it some other trigger?

    In other words: is this an indication that the other user installed malware to steal the ticket from a user's computer and then use the Kerberos ticket to log into vpn and ATA saw an exact duplicate ticket with the same hashes and sessions?  

    This seems very unlikely because the other user would have had to use the Kerberos ticket to log into VPN, which first communicates with a RADIUS server (no Kerberos ticket used at this point) before it communicates with the DCs. So the other user probably had a username and password already, and if that were true, why use a stolen Kerberos ticket that will trigger alerts when one could just get a new one when logging in? It doesn't seem to make sense for this to be the case.

    Or does ATA see the same username in a different subnet at the same time and assume that the ticket was stolen without verifying that the tickets are exactly the same?  

    Or is there some mechanism built into Kerberos that forwards copies of Kerberos tickets to the same user when that user is seen on different subnets? I.e. the forwardable flag?

    Monday, May 1, 2017 8:34 PM

All replies

  • Hello,

    Based on my knowledge, the alert will be triggered if the same service ticket or TGT is used in a Kerberos AS or TGS request from two different computers.

    To investigate further, I would recommend using the tools mentioned in the ATA playbook, and checking the service ticket or TGT on the two computers.


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 2, 2017 5:51 AM
    Moderator
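The rule Andy states above (one ticket presented from two different computers), as an added example in Python that is not part of this thread and not ATA's code. Hosts, IPs, the principal and the ticket blobs are constructed; identifying a ticket by a fingerprint of its encrypted blob is an assumption made for illustration, not a description of how ATA matches tickets internally. The sample traffic also covers the questioner's other hypothesis: the same user seen from two subnets with separately issued TGTs produces no match.

```python
"""Pass-the-Ticket detection modelled on the rule in the reply above:
alert when one Kerberos ticket is presented from two different computers.
Added example; not the thread's code and not ATA's. Hosts, IPs, principal
and ticket blobs are constructed. Ticket identity is assumed to be a
fingerprint of the encrypted ticket blob (an assumption for illustration)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class KerberosRequest:
    source_host: str          # computer the request came from
    source_ip: str
    client: str               # client principal in the request
    msg_type: str             # "AS-REQ" carries no ticket; "TGS-REQ" carries the TGT
    ticket: Optional[bytes]   # encrypted ticket blob presented, None for AS-REQ
    when: str


def ticket_fingerprint(blob: bytes) -> str:
    """Identify a ticket by its encrypted part; two separately issued tickets differ."""
    return hashlib.sha256(blob).hexdigest()[:16]


# Constructed ticket blobs: one TGT issued on campus, one issued over VPN.
TGT_CAMPUS = b"constructed-encrypted-TGT-issued-to-alice-on-campus"
TGT_VPN = b"constructed-encrypted-TGT-issued-to-alice-over-vpn"


def sample_requests() -> List[KerberosRequest]:
    """Constructed traffic: alice logs on at two places, then her campus TGT
    shows up from the VPN host."""
    return [
        KerberosRequest("MAC-CAMPUS-01", "10.1.5.20", "alice@CORP.EXAMPLE", "AS-REQ", None, "08:00"),
        KerberosRequest("MAC-CAMPUS-01", "10.1.5.20", "alice@CORP.EXAMPLE", "TGS-REQ", TGT_CAMPUS, "08:01"),
        # Fresh logon over VPN: a separate AS exchange yields a different TGT, so no match.
        KerberosRequest("MAC-VPN-07", "10.9.0.44", "alice@CORP.EXAMPLE", "AS-REQ", None, "08:10"),
        KerberosRequest("MAC-VPN-07", "10.9.0.44", "alice@CORP.EXAMPLE", "TGS-REQ", TGT_VPN, "08:11"),
        # The campus TGT presented from the VPN host: one ticket, two computers.
        KerberosRequest("MAC-VPN-07", "10.9.0.44", "alice@CORP.EXAMPLE", "TGS-REQ", TGT_CAMPUS, "08:15"),
    ]


def hosts_per_client(requests) -> Dict[str, Set[str]]:
    """Same user seen from several computers; on its own this is not the trigger."""
    hosts = defaultdict(set)
    for r in requests:
        hosts[r.client].add(r.source_host)
    return dict(hosts)


def detect_pass_the_ticket(requests) -> List[dict]:
    """Return one alert per ticket that was presented from more than one host."""
    presented_from = defaultdict(set)   # fingerprint -> hosts that presented it
    client_of = {}
    for r in requests:
        if r.ticket is None:            # AS-REQ: nothing to compare yet
            continue
        fp = ticket_fingerprint(r.ticket)
        presented_from[fp].add(r.source_host)
        client_of[fp] = r.client
    return [
        {"ticket": fp, "client": client_of[fp], "hosts": sorted(hosts)}
        for fp, hosts in presented_from.items()
        if len(hosts) > 1
    ]


if __name__ == "__main__":
    print("hosts per user:", hosts_per_client(sample_requests()))
    for alert in detect_pass_the_ticket(sample_requests()):
        print("PASS-THE-TICKET:", alert)
```

Run as written, alice appears from both MAC-CAMPUS-01 and MAC-VPN-07 in `hosts_per_client`, but only the campus-issued TGT produces an alert; the TGT issued by the VPN host's own AS exchange is never seen anywhere else. That is the distinction the question turns on: a second logon with the password gives a second ticket, and only a ticket copied between caches can match.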
  • I don't have access to the 2nd computer and both were Macintoshes. The very odd part is that VPN uses RADIUS, which authenticates between the client and the RADIUS server without Kerberos; then, after that initial authentication takes place with the RADIUS server reaching out to the DC, the client gains access to the network and then the TGT would be requested. Why would somebody steal a ticket when they already have a username and password that can grant them tickets on their own without the risk of triggering any alerts? Something is missing.
    Friday, May 5, 2017 1:28 PM
  • Hello Josh,

    In my opinion, you can run the following command, which can list the cached tickets on the two computers. From the output, you can verify if the TGTs are identical.

    klist

    On the other hand, you can try to log in to another Windows computer with the same domain account via VPN. Then you can check if this will trigger the alert again.

    If possible, would you please share the version info for Mac OS X?

    Best regards,

    Andy Liu


    Monday, May 8, 2017 9:24 AM
    Moderator
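Andy's suggestion of running klist on both computers and checking whether the TGTs are identical, as an added example that is not part of the thread. The dumps are constructed and their layout is modelled on the verbose output of the Heimdal klist shipped with macOS (`klist -v`), which prints per-ticket metadata rather than the ticket bytes; the realm, principal and times are assumptions.

```python
"""Compare the cached TGT on two hosts from their `klist -v` output.
Added example, not from the thread. The text format is modelled on Heimdal
klist -v (the klist shipped with macOS); both dumps below are constructed."""
import re
from typing import Dict, List

# Metadata klist exposes; the encrypted ticket itself is not printed.
TGT_FIELDS = ("Ticket etype", "Ticket length", "Auth time", "Start time",
              "End time", "Renew till", "Ticket flags")

# Constructed dump from the campus Mac.
CAMPUS_KLIST = """\
Credentials cache: API:501:1
        Principal: alice@CORP.EXAMPLE
    Cache version: 0

Server: krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
Client: alice@CORP.EXAMPLE
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1120
Auth time:  May  1 08:00:12 2017
End time:   May  1 18:00:12 2017
Renew till: May  8 08:00:12 2017
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless
"""

# Constructed dump from the VPN Mac holding the same TGT: a copied cache.
VPN_COPIED_KLIST = """\
Credentials cache: API:502:3
        Principal: alice@CORP.EXAMPLE
    Cache version: 0

Server: krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
Client: alice@CORP.EXAMPLE
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1120
Auth time:  May  1 08:00:12 2017
End time:   May  1 18:00:12 2017
Renew till: May  8 08:00:12 2017
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: cifs/files.corp.example@CORP.EXAMPLE
Client: alice@CORP.EXAMPLE
Ticket etype: aes256-cts-hmac-sha1-96, kvno 5
Ticket length: 1304
Auth time:  May  1 08:00:12 2017
Start time: May  1 08:15:40 2017
End time:   May  1 18:00:12 2017
Ticket flags: pre-authent, transited-policy-checked, ok-as-delegate
Addresses: addressless
"""

# Constructed dump from the VPN Mac after a separate logon: its own AS exchange.
VPN_FRESH_KLIST = """\
Credentials cache: API:502:3
        Principal: alice@CORP.EXAMPLE
    Cache version: 0

Server: krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
Client: alice@CORP.EXAMPLE
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1118
Auth time:  May  1 08:10:45 2017
End time:   May  1 18:10:45 2017
Renew till: May  8 08:10:45 2017
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless
"""


def parse_klist_v(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'Server:' principal to that ticket's 'Key: value' lines."""
    tickets = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Server" in fields:          # header block has no Server line
            tickets[fields["Server"]] = fields
    return tickets


def tgt_diff(dump_a: str, dump_b: str, realm: str) -> List[str]:
    """Fields of the krbtgt ticket that differ between the two caches.
    Empty means both caches hold a TGT with identical issue and expiry times,
    size and flags, which is what a copied ticket looks like. A TGT obtained
    by a separate logon differs at least in Auth time."""
    name = f"krbtgt/{realm}@{realm}"
    a = parse_klist_v(dump_a).get(name)
    b = parse_klist_v(dump_b).get(name)
    if a is None or b is None:
        raise ValueError(f"no cached {name} in one of the dumps")
    return [f for f in TGT_FIELDS if a.get(f) != b.get(f)]


def same_tgt(dump_a: str, dump_b: str, realm: str) -> bool:
    return not tgt_diff(dump_a, dump_b, realm)
```

The check rests on the fact that a second logon goes through its own AS exchange, so its TGT carries a later Auth time and its own expiry and renew-till times, while a ticket copied from another cache reproduces them exactly. klist only shows this metadata, not the ticket bytes, so matching times and length are strong evidence of a shared ticket rather than proof; the cache files themselves would settle it.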
  • Both computers are not available now, but I will keep this command for troubleshooting in the future. I did get a computer that had never been logged into our network and connected it over VPN while a computer on campus was logged in as me. I was unable to get an alert to trigger, even when I logged into 30 computers from that VPN computer that I had never touched before. However, I found that this was not a good test, as my account has different activity on it than another user's account, and much of my normal activity, which would normally trigger alerts, appears to be allowed as normal. I'll have to get a new account and test it from that account.
    Monday, May 8, 2017 3:27 PM