Cloud-based security solution that identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions
Security-Alerts
🎫 Pass-the-Ticket Attack Detection
Defender for Identity lateral movement alert
Detects pass-the-ticket attacks where attackers steal Kerberos tickets from one machine and use them on another to move laterally through the network. This is a critical indicator of advanced persistent threats and Active Directory compromise.
Frequency: low
JSON
Tags: defender, identity, kerberos, lateral-movement, pass-the-ticket, mitre-t1550, critical-alert
Compliance:
- NIST Cybersecurity Framework
- MITRE ATT&CK Framework
- SOC 2
- ISO 27001
- PCI DSS
Security: Critical
When Generated:
- When stolen Kerberos tickets are detected being used from different machines
- During lateral movement activities in compromised environments
- When attackers attempt to escalate privileges using stolen credentials
- As part of advanced persistent threat (APT) campaigns
Frequency Notes: Very rare in legitimate environments (0.5 events/hour baseline). A higher rate during off-hours suggests an active compromise. Most alerts should be investigated as potential true positives.