CrowdStrike Alert Details
Alert ID: CS-PASS-TICKET-1550-7842
Alert Time: 2024-03-12 14:15:33 EST
Severity: CRITICAL (97/100)
Source: CrowdStrike Falcon EDR
Rule: “Kerberos Ticket Replay – Potential Pass-the-Ticket”
MITRE ATT&CK: T1550.003 – Use Alternate Authentication Material: Pass the Ticket
Alert Details:
Detection: Kerberos ticket from unusual source IP used for authentication
Event Details:
User: kwilson@company.com (Karen Wilson, Finance Manager)
Source IP: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.10.10 (DC-01 – Domain Controller)
Ticket Type: TGT (Ticket Granting Ticket)
Ticket Issued: 14:00 EST (legitimate from Finance workstation)
Ticket Used: 14:10 EST (from Engineering workstation)
Time: 14:10 EST
Detection Logic:
Ticket originally issued to Finance workstation (192.168.45.112)
Same ticket used from Engineering workstation (impossible travel)
Ticket replay detected (Pass-the-Ticket)
Source host ENG-WS-045 is compromised
Additional Context:
Attacker stole ticket from Finance workstation
Using ticket to impersonate kwilson and access resources
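The detection logic above reduces to one correlation on the domain controller's Kerberos audit trail: event 4768 (TGT issued) records the client address the TGT went to, and every later 4769 (service ticket requested) made with that TGT records the address it was used from. The PowerShell below is an added example, not CrowdStrike's rule or anything from the report, and runs over constructed sample events shaped like the incident (IPs and hostnames taken from the alert; the `jdoe` account, the service names and the 10-hour TGT lifetime are assumptions):

```powershell
# Added example (not from the CrowdStrike alert or the report): correlate domain
# controller Kerberos audit events so that a TGT issued to one client address and then
# used to request service tickets from another is flagged. Sample events are constructed.

function Find-TicketReplay {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Default domain policy gives a TGT a 10-hour lifetime (assumption: policy unchanged)
        [int] $WindowMinutes = 600
    )

    $findings = @()
    $lastTgt  = @{}   # account name -> most recent 4768 (TGT issued) event

    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.EventId -eq 4768) {
            # A new TGT request from a new host is normal (the user logged on elsewhere);
            # remember where this account's current TGT was issued to.
            $lastTgt[$e.Account] = $e
        }
        elseif ($e.EventId -eq 4769) {
            $issued = $lastTgt[$e.Account]
            if ($null -eq $issued) { continue }   # no TGT issuance seen in this log window
            $ageMin = ($e.Time - $issued.Time).TotalMinutes
            if ($ageMin -le $WindowMinutes -and $e.ClientAddress -ne $issued.ClientAddress) {
                # The 4769 client address differs from the 4768 that issued the TGT and no
                # newer 4768 exists for this host: the ticket travelled, the user did not.
                $findings += [pscustomobject]@{
                    Account  = $e.Account
                    IssuedTo = $issued.ClientAddress
                    UsedFrom = $e.ClientAddress
                    Service  = $e.Service
                    IssuedAt = $issued.Time
                    UsedAt   = $e.Time
                    Reason   = 'TGT used from a host other than the one it was issued to (possible pass-the-ticket)'
                }
            }
        }
    }
    return $findings
}

# Constructed sample events in the shape the report describes: a TGT issued to
# FIN-WS-112 (192.168.45.112) at 14:00 and service tickets requested with it from
# ENG-WS-045 (192.168.45.78) at 14:10. In production, build these objects from
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769} on every DC.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2024-03-12 14:00:00'; EventId = 4768; Account = 'kwilson'; ClientAddress = '192.168.45.112'; Service = 'krbtgt' }
    [pscustomobject]@{ Time = Get-Date '2024-03-12 14:02:00'; EventId = 4769; Account = 'kwilson'; ClientAddress = '192.168.45.112'; Service = 'cifs/filesrv' }
    [pscustomobject]@{ Time = Get-Date '2024-03-12 14:05:00'; EventId = 4768; Account = 'jdoe';    ClientAddress = '192.168.45.50';  Service = 'krbtgt' }
    [pscustomobject]@{ Time = Get-Date '2024-03-12 14:06:00'; EventId = 4769; Account = 'jdoe';    ClientAddress = '192.168.45.50';  Service = 'cifs/filesrv' }
    [pscustomobject]@{ Time = Get-Date '2024-03-12 14:10:00'; EventId = 4769; Account = 'kwilson'; ClientAddress = '192.168.45.78';  Service = 'cifs/filesrv' }
    [pscustomobject]@{ Time = Get-Date '2024-03-12 14:11:00'; EventId = 4769; Account = 'kwilson'; ClientAddress = '192.168.45.78';  Service = 'MSSQLSvc/sql-srv-01' }
)

Find-TicketReplay -Events $sample | Format-Table -AutoSize
```

The sample flags only the two `kwilson` service-ticket requests from the engineering address; `jdoe` and the finance-host request go unflagged because their 4769 client address matches their own 4768. Two operational caveats: in a multi-DC domain the 4768 and the 4769 can land on different DCs, so the events must be gathered from all of them before correlating, and VPN or NAT address changes produce benign mismatches, so an allowlist of roaming address ranges is normally needed before this fires as a high-severity alert.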
SOC Investigation Process
Step                           | Action                       | Tools Used                 | Findings
-------------------------------+------------------------------+----------------------------+-----------------------------------------------
1. Alert Validation            | Verify CrowdStrike alert     | CrowdStrike Falcon Console | Confirmed Pass-the-Ticket attack
2. Source Investigation        | Check ENG-WS-045             | CrowdStrike                | Host has Cobalt Strike beacon
3. Ticket Source Investigation | Check FIN-WS-112             | CrowdStrike                | Host also compromised (Mimikatz)
4. Immediate Action            | Isolate both hosts           | CrowdStrike                | Both hosts quarantined
5. Ticket Revocation           | Force krbtgt password reset  | AD                         | krbtgt reset (twice) to invalidate all tickets
6. Account Remediation         | Reset kwilson password       | Azure AD, AD               | Password reset; MFA enforced
Jira Incident Report
Ticket: SOC-2024-207
Summary: T1550.003 – Pass-the-Ticket Attack from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Tickets Invalidated
Priority: P1 – CRITICAL
Labels: T1550, pass-the-ticket, kerberos, crowdstrike, lateral-movement
Components: Identity-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Kerberos Ticket Replay – Potential Pass-the-Ticket”.
User: kwilson@company.com (Finance Manager).
Original Ticket Location: FIN-WS-112 (Finance).
Ticket Usage Location: ENG-WS-045 (Engineering).
Time: 2024-03-12 14:15 EST.
Technique: MITRE ATT&CK T1550.003 – Use Alternate Authentication Material: Pass the Ticket.
2. Technical Analysis:
Attack Chain:
13:00 – kwilson account compromised (phishing)
13:15 – Attacker logs into FIN-WS-112
13:20 – Attacker uses Mimikatz to extract Kerberos tickets
13:30 – Attacker transfers tickets to ENG-WS-045 (already compromised)
14:00 – Legitimate TGT issued to kwilson (unknowingly)
14:05 – Attacker injects ticket into session on ENG-WS-045
14:10 – Attacker accesses resources as kwilson from engineering host
14:15 – CrowdStrike detects
Pass-the-Ticket Technique:
Attacker extracts TGT from compromised host memory
Injects TGT into another session
Can impersonate user without password or hash
Bypasses MFA (ticket already includes MFA claim)
Attacker Actions Using Ticket:
Accessed \\filesrv\finance (file server)
Accessed SQL-SRV-01 (database server)
Attempted to access DC-01 (blocked by policy)
No data exfiltration
Compromised Hosts:
FIN-WS-112 (ticket source)
ENG-WS-045 (ticket usage)
3. Investigation Findings:
Timeline:
13:00 – kwilson account compromised
13:15 – Attacker on FIN-WS-112
13:20-13:30 – Ticket extraction and transfer
14:00 – Legitimate TGT issued
14:05-14:10 – Ticket injection and usage
14:15 – Alert
14:17 – SOC investigates
14:18 – Both hosts isolated
14:20 – krbtgt reset initiated
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\tickets.kirbi (deleted)
Hosts:
– FIN-WS-112 (compromised)
– ENG-WS-045 (compromised)
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated both hosts.
Reset kwilson password.
Reset krbtgt password (twice) to invalidate all tickets.
Forced all users to re-authenticate.
Host Remediation:
Reimaged both hosts.
Enterprise-wide Actions:
All users forced to log out and back in.
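The double krbtgt reset in the containment steps is what actually invalidates every outstanding TGT: the KDC honours tickets encrypted under the current and the previous krbtgt key, so one reset leaves stolen tickets usable and only the second one retires the old key. The PowerShell below is an added example of that procedure with a replication check between the two resets; it is not the report's own script. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the resets are issued against the PDC emulator:

```powershell
# Added example (not from the report): reset krbtgt twice, waiting for the first change to
# replicate to every DC before the second. Assumes RSAT ActiveDirectory and Domain Admin rights.
Import-Module ActiveDirectory

function New-KrbtgtPassword {
    # 64 random bytes, base64-encoded. Nobody ever types the krbtgt password,
    # so only its entropy matters.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Get-KrbtgtPwdVersion {
    # Replication metadata version of pwdLastSet on one DC: it increments on each reset,
    # so comparing it across DCs tells us whether the change has arrived.
    param([Parameter(Mandatory)][string] $Server)
    $dn = (Get-ADUser -Identity 'krbtgt' -Server $Server).DistinguishedName
    return (Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties pwdLastSet).Version
}

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string] $Server)
    $secure = ConvertTo-SecureString (New-KrbtgtPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $secure -Server $Server
    return Get-KrbtgtPwdVersion -Server $Server
}

function Wait-KrbtgtReplication {
    # Poll every DC until all of them report at least the expected pwdLastSet version.
    param(
        [Parameter(Mandatory)][int] $ExpectedVersion,
        [int] $TimeoutMinutes = 30
    )
    $dcs = (Get-ADDomainController -Filter *).HostName
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = foreach ($dc in $dcs) {
            if ((Get-KrbtgtPwdVersion -Server $dc) -lt $ExpectedVersion) { $dc }
        }
        if (-not $lagging) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning "krbtgt change not yet replicated to: $($lagging -join ', ')"
    return $false
}

$pdc = (Get-ADDomain).PDCEmulator

# First reset: retires the key stolen tickets were issued under ... but only after the second.
$v1 = Reset-KrbtgtOnce -Server $pdc
if (Wait-KrbtgtReplication -ExpectedVersion $v1) {
    # Second reset: the KDC now holds two keys the attacker never had, so every TGT
    # issued before the incident is rejected and all users must re-authenticate.
    $v2 = Reset-KrbtgtOnce -Server $pdc
    Wait-KrbtgtReplication -ExpectedVersion $v2 | Out-Null
}
else {
    Write-Warning 'Second reset skipped: verify replication health before retrying.'
}
```

The replication wait is the caveat a responder needs: if the second reset is issued before the first has reached every DC, a DC still holding the pre-incident key as its "previous" key keeps accepting the stolen tickets, and DCs that are two keys behind start failing legitimate Kerberos authentication. Outside an active incident, Microsoft's guidance is to also leave at least the maximum TGT lifetime between the two resets so that users are not all forced to re-authenticate at once; during this incident that disruption (noted under Immediate Actions) was the accepted cost of invalidating the attacker's tickets quickly.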
5. Root Cause Analysis:
Primary Cause: User credentials compromised, leading to ticket theft.
Contributing Factors:
No MFA on account.
Tickets stored in memory (normal).
Network segmentation insufficient.
6. Business Impact:
Operational Impact: Two hosts offline; all users forced to re-authenticate.
Data Exposure: No data stolen.
7. Remediation & Prevention:
Completed Actions:
Tickets invalidated.
Hosts cleaned.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented Credential Guard.
Enhanced monitoring for ticket anomalies.
8. Conclusion:
An attacker used Pass-the-Ticket to impersonate a finance manager, moving laterally from a compromised finance host to an engineering host. CrowdStrike detected the ticket replay and enabled rapid invalidation via krbtgt reset.
Closure Rationale: Tickets invalidated; hosts cleaned; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 15:30 EST