Possible TGT reuse from different hosts (pass the ticket)

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Use Alternate Authentication Material: Pass the Ticket (T1550.003)

Severity

Informational

Description

We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host.

Attacker's Goals

Lateral movement using stolen user-account credentials.

Investigative actions

Check if the mentioned hosts are not the same, and investigate if the ticket was stolen from one of them.

Variations

TGT reuse from different hosts (pass the ticket)

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Use Alternate Authentication Material: Pass the Ticket (T1550.003)

Severity

Low

Description

We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host.

Attacker's Goals

Lateral movement using stolen user-account credentials.

Investigative actions

Check if the mentioned hosts are not the same, and investigate if the ticket was stolen from one of them.