Techniques
Sample rules
Mimikatz PassTheTicket CommandLine Parameters
- source: splunk
- technicques:
- T1550
- T1550.003
Description
The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*sekurlsa::tickets /export*" OR Processes.process = "*kerberos::ptt*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `mimikatz_passtheticket_commandline_parameters_filter`