The pass-the-ticket attack uses an intercepted or dumped Kerberos service ticket to authenticate against a service.
Requirements
- Admin privileges/credentials
  - Dumping a service ticket does not require admin privilege. However, dumping a TGT does.
- Connection to SMB Admin$ share
The attacker can reuse the ticket elsewhere where possible, or crack the password (Kerberoasting) and use kerberos::golden to create a silver ticket for lateral movement and privilege escalation on the remote machine.
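
From the defender's side, both outcomes above leave a gap between what the KDC issued and what the service host saw. The following is an added example, not part of the original page: it correlates Kerberos network logons (event 4624) with service-ticket requests (event 4769). The records are constructed and simplified, and the function name and finding labels are hypothetical.

```python
from collections import defaultdict

# Constructed, simplified records. Field names follow Windows Security events
# 4769 (service ticket requested, logged on the DC) and 4624 (logon, logged on
# the service host); hosts, accounts and addresses are made up.
EVENTS = [
    {"id": 4769, "user": "alice", "service": "FILE01$", "ip": "10.0.0.15"},
    {"id": 4624, "user": "alice", "host": "FILE01", "ip": "10.0.0.15",
     "logon_type": 3, "auth": "Kerberos"},
    {"id": 4624, "user": "alice", "host": "FILE01", "ip": "10.0.0.66",
     "logon_type": 3, "auth": "Kerberos"},   # ticket used from another host
    {"id": 4624, "user": "bob", "host": "SQL01", "ip": "10.0.0.70",
     "logon_type": 3, "auth": "Kerberos"},   # no ticket was ever issued
    {"id": 4624, "user": "carol", "host": "FILE01", "ip": "10.0.0.20",
     "logon_type": 3, "auth": "NTLM"},       # not Kerberos, out of scope
]

def find_ticket_anomalies(events):
    """Correlate Kerberos network logons with the KDC's ticket issuance."""
    issued = defaultdict(set)  # (user, host) -> client IPs the KDC issued to
    for e in events:
        if e["id"] == 4769:
            host = e["service"].rstrip("$").upper()
            issued[(e["user"].lower(), host)].add(e["ip"])
    findings = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth"] != "Kerberos":
            continue
        key = (e["user"].lower(), e["host"].upper())
        if key not in issued:
            # The KDC never issued this ticket: consistent with a forged one.
            findings.append(("no_ticket_issued", e["user"], e["host"], e["ip"]))
        elif e["ip"] not in issued[key]:
            # Issued to one client, presented from another: ticket reuse.
            findings.append(("ticket_reused", e["user"], e["host"], e["ip"]))
    return findings

if __name__ == "__main__":
    for finding in find_ticket_anomalies(EVENTS):
        print(finding)
```

On real logs, limit the correlation to the ticket lifetime window and expect false positives from NAT, proxies and multi-homed clients.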
Example
Example with Cobalt Strike beacon & Rubeus: