Pass the Ticket missed detection

  • Question

  • We've gotten these alerts before so I know they fire sometimes. Today we ran a red team exercise and did NOT get an alert.

    I see both the original KerberosTgs request for the user (from computer A) and the KerberosAp request (using the stolen TGT from computer B) in the ATA logs, so I think the necessary inputs are there. However, it has been four hours now since the usage and no detection.

    Can anyone give me some tips for drilling deeper?

    Friday, October 18, 2019 9:35 PM
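    The correlation the question describes (a ticket obtained from one host and later presented from another), together with the Center-log check discussed later in the thread, as an added example that is not part of the original post or of ATA. The record fields, the Center-log line layout and the sample data are all constructed assumptions, not ATA's schema.

```python
import re

# Constructed Kerberos activity records (field names are assumptions, not ATA's
# schema): the ticket obtained from computer A is later presented from computer B.
EVENTS = [
    {"ts": "2019-10-18T19:02:10", "type": "KerberosTgs", "user": "alice", "src_ip": "10.1.1.10", "ticket": "T1"},
    {"ts": "2019-10-18T19:20:45", "type": "KerberosAp",  "user": "alice", "src_ip": "10.1.1.10", "ticket": "T1"},
    {"ts": "2019-10-18T19:31:02", "type": "KerberosAp",  "user": "alice", "src_ip": "10.1.1.57", "ticket": "T1"},
    {"ts": "2019-10-18T19:40:00", "type": "KerberosTgs", "user": "bob",   "src_ip": "10.1.2.20", "ticket": "T2"},
    {"ts": "2019-10-18T19:41:00", "type": "KerberosAp",  "user": "bob",   "src_ip": "10.1.2.20", "ticket": "T2"},
]

# Constructed Center-log lines in an assumed layout, to show how to check whether
# the detector logged any decision about the IPs involved in the exercise.
CENTER_LOG = """\
2019-10-18 19:21:00.0001 Debug [PassTheTicketDetector] Ignored because source 10.1.1.10 already seen for ticket T1
2019-10-18 19:31:05.0002 Debug [SomeOtherDetector] Ignored because unrelated
2019-10-18 19:41:01.0003 Debug [PassTheTicketDetector] Ignored because source 10.1.2.20 already seen for ticket T2
"""

def detect_ticket_reuse(events):
    """Return (ticket, user, first_ip, other_ip, ts) for every ticket presented
    from a source IP other than the one it was first seen from."""
    first_seen = {}  # ticket -> (user, src_ip) of the earliest event for that ticket
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = e["ticket"]
        if t not in first_seen:
            first_seen[t] = (e["user"], e["src_ip"])
            continue
        user, ip = first_seen[t]
        if e["src_ip"] != ip:
            alerts.append((t, user, ip, e["src_ip"], e["ts"]))
    return alerts

DETECTOR_LINE = re.compile(r"\[PassTheTicketDetector\] (?P<msg>.*)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def detector_mentions(center_log, ips):
    """Map each IP of interest to the PassTheTicketDetector lines that mention it;
    an empty list means the detector never logged a decision involving that IP."""
    hits = {ip: [] for ip in ips}
    for line in center_log.splitlines():
        m = DETECTOR_LINE.search(line)
        if m:
            for ip in IP_RE.findall(m.group("msg")):
                if ip in hits:
                    hits[ip].append(line)
    return hits
```

    With the sample data, detect_ticket_reuse flags ticket T1 moving from 10.1.1.10 to 10.1.1.57, while detector_mentions shows the detector logged a decision about the first IP only, which is the kind of gap the thread is chasing.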

All replies

  • What do you mean by "in the ATA logs"? Where did you look exactly?

    Also, in the Center log, from around the time of the attack, are you able to see logs that contain "Ignored because " or "PassTheTicketDetector" with the relevant IP addresses mentioned?

    Friday, October 18, 2019 11:01 PM
  • Apologies for the ambiguity. I looked in the Activities tab in ATA to see the initial login and subsequent (cross-computer) resource accesses.

    See image below for the entries. I see a lot of "Debug [PassTheTicketDetector] Ignored because" entries in the Microsoft.Tri.Center.log file but none for these IPs. In fact, I don't see any PTT log entries for ANY IPs in this /24 network.

    • Edited by hukel Saturday, October 19, 2019 12:32 PM
    Saturday, October 19, 2019 12:28 PM
  • How did you conclude those events used the same ticket?
    Saturday, October 19, 2019 1:58 PM
  • We conducted the "attack" ourselves.
    Saturday, October 19, 2019 3:12 PM
  • Can you write in detail exactly how the attack was conducted?
    Saturday, October 19, 2019 9:52 PM
  • On computer A:

    Rubeus.exe dump

    On computer B:

    Rubeus.exe asktgs  /ptt /service:%SPN%  /ticket:%b64%

    • Edited by hukel Monday, October 21, 2019 3:48 PM clarified command
    Monday, October 21, 2019 12:44 PM
  • Any other information I can provide? Have you been able to reproduce the issue?
    Tuesday, October 22, 2019 11:56 AM
  • Hi,

    I engaged resources to try to repro it with this specific tool; the team is OOF this week due to a public holiday. I will update once I have news.

    Tuesday, October 22, 2019 2:22 PM
  • Any word on the testing?
    Tuesday, October 29, 2019 6:46 PM
  • Research managed to repro the problem and is now researching methods to work around it, but it will take time.

    We are now collecting telemetry around this issue to decide on the best approach to handle it.

    Tuesday, October 29, 2019 9:52 PM