eastbaycyber

What Is Pass the Ticket?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Pass the Ticket is a Kerberos attack where an attacker steals a valid Kerberos ticket and reuses it to authenticate as a user or service account without knowing that account’s plaintext password. It is most commonly seen in Windows and Active Directory environments and is a well-known technique for lateral movement after an attacker already has a foothold.

Instead of stealing the password itself, the attacker steals the trusted authentication artifact the system is already using.

Pass the Ticket definition

In a Kerberos-based environment, users do not send their password to every service they access. After initial authentication, the system uses Kerberos tickets as proof that the user has already been verified.

Pass the Ticket abuses that trust model. If an attacker can extract a valid Kerberos ticket from a compromised host, they may be able to use it to access other systems as the victim until the ticket expires or is invalidated.

How Pass the Ticket works

Pass the Ticket is typically a post-compromise technique. It usually happens after the attacker already has code execution or privileged access on a workstation or server.

The attacker compromises a system

The first step is gaining access to a machine where Kerberos tickets are present. That initial compromise may come from:

  • phishing
  • malware execution
  • exploitation of a vulnerable service
  • remote access abuse
  • stolen credentials
  • compromise of an administrator workstation

Once on the system, the attacker starts looking for credential material and active authentication artifacts.

Kerberos tickets are extracted

When a user authenticates to a Windows domain, the system stores Kerberos tickets associated with that session. These can include:

  • TGTs (Ticket Granting Tickets) used to request other tickets
  • service tickets used to access specific services like file shares, remote management, or internal applications

If the attacker has enough access to the host, they may be able to extract those tickets from memory and reuse them.

The stolen ticket is reused

After obtaining a ticket, the attacker injects or presents it in another session. Because the Kerberos ticket is valid and trusted by the domain, the target service may accept it as legitimate authentication.

At that point, the attacker can act as the user tied to the ticket, limited by the scope and privileges of that account.

The attacker moves laterally

With a valid ticket, the attacker may be able to:

  • access file shares
  • connect to internal servers
  • use administrative tools
  • query directory resources
  • pivot between domain-joined systems
  • reach more privileged accounts or services

If the stolen ticket belongs to an administrator or a highly privileged service account, the impact can expand quickly.

Why Pass the Ticket matters

Pass the Ticket matters because it turns normal session trust into attacker access. Many defenders focus heavily on password theft, but in Active Directory environments, stolen tickets can be just as valuable.

This technique is important because it:

  • bypasses the need to know the actual password
  • uses trusted authentication mechanisms already in place
  • can blend into legitimate Kerberos activity
  • supports post-compromise lateral movement
  • becomes especially dangerous when privileged sessions exist on lower-trust systems

For teams working on broader identity security, our guide to what is zero trust explains the architectural goal of reducing implicit trust and limiting the blast radius of compromised identities.

Pass the Ticket vs. Pass the Hash

These two attacks are related, but they are not the same.

Pass the Ticket

Pass the Ticket reuses stolen Kerberos tickets for authentication.

Pass the Hash

Pass the Hash reuses stolen NTLM password hashes for authentication.

Both are credential abuse techniques, but Pass the Ticket is specifically tied to Kerberos environments and ticket reuse.

When you’ll encounter Pass the Ticket

You will usually encounter Pass the Ticket in organizations that rely heavily on Active Directory and Kerberos authentication.

Incident response in Windows domains

Pass the Ticket often appears during breach investigations when responders are tracing how an attacker moved from one host to another. If legitimate-looking Kerberos activity is tied to compromised systems, this technique becomes a likely possibility.

Privileged access reviews

Security teams often encounter Pass the Ticket when reviewing where administrators log in and how privileged sessions are exposed. For example, if a domain admin signs into a standard workstation, a compromise of that machine may expose highly valuable Kerberos tickets.

Threat hunting and detection engineering

Detection teams look for unusual Kerberos behavior, such as:

  • ticket use from unexpected hosts
  • abnormal service access patterns
  • suspicious logon sequences
  • authentication activity inconsistent with a user’s role

Active Directory hardening projects

Pass the Ticket commonly comes up during domain security improvement efforts, including:

  • tiered administration
  • privileged access isolation
  • limiting privileged logons
  • protecting credentials in memory
  • reducing service account exposure
  • reviewing ticket lifetimes and session hygiene

For the monitoring and response side of catching this kind of activity, see what is mdr.

Red team assessments

Because it is realistic and high impact, Pass the Ticket is a common technique tested during red team, purple team, and adversary simulation exercises.

How to reduce Pass the Ticket risk

There is no single control that eliminates Pass the Ticket entirely, but several practices reduce the risk significantly.

Limit privileged logons

Do not allow highly privileged accounts to sign into ordinary workstations unless absolutely necessary. The more places privileged sessions exist, the more opportunities attackers have to steal tickets.

Protect credential material

Use operating system and enterprise controls that reduce exposure of credential material in memory and restrict how sensitive sessions are handled.

Segment administration

Separate admin work from standard user activity. Dedicated administrative workstations and tiered access models help reduce the chance that one compromised endpoint exposes high-value tickets.

Monitor Kerberos activity

Watch for unusual ticket use, access from unexpected systems, and service patterns that do not match normal user behavior.

Improve endpoint security

A strong endpoint security baseline helps reduce the chance that an attacker gets local access in the first place. For individual systems and small teams, tools like Get Malwarebytes → can support malware detection and endpoint protection as part of a broader defense strategy.

Strengthen account hygiene

Strong passwords, MFA where applicable, and secure credential storage help reduce the initial compromise paths that lead to ticket theft. For users managing many credentials, Try 1Password → can help support better password hygiene, though it does not directly prevent Kerberos ticket theft after a host is compromised.

Final takeaway

Pass the Ticket is the reuse of a stolen valid Kerberos ticket to access systems as another user. It is a practical and dangerous post-compromise technique because the attacker does not need the victim’s password if they can steal the authentication artifact the environment already trusts.

If you run a Windows domain, Pass the Ticket is a technique worth understanding in incident response, Active Directory hardening, privileged access design, and threat detection.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.