Pass-the-Ticket Attack Detection | LogForge Templates Registry

defender identity kerberos lateral-movement pass-the-ticket mitre-t1550 critical-alert

📄 JSON Format

📊 24 Fields

✨ Generator

⏱️ Low Frequency

Overview

Detects pass-the-ticket attacks where attackers steal Kerberos tickets from one machine and use them on another to move laterally through the network. This is a critical indicator of advanced persistent threats and Active Directory compromise.

When Generated:

When stolen Kerberos tickets are detected being used from different machines
During lateral movement activities in compromised environments
When attackers attempt to escalate privileges using stolen credentials
As part of advanced persistent threat (APT) campaigns

Security Relevance: Critical

Compliance: NIST Cybersecurity Framework MITRE ATT&CK Framework SOC 2 ISO 27001 PCI DSS

Frequency Notes: Very rare in legitimate environments (0.5 events/hour baseline). Higher frequency during off-hours suggests active compromise. Most alerts should be investigated as potential true positives.

Resources

Documentation

Microsoft Defender for Identity Documentation official
Pass-the-Ticket Attack Detection official
MITRE ATT&CK T1550.003: Pass the Ticket reference

Tools

Microsoft 365 Defender Portal - Unified security portal for investigating and responding to Defender for Identity alerts
Microsoft Defender for Identity Portal - Dedicated portal for Defender for Identity management and investigation
Azure Active Directory Identity Protection - Complementary identity security service for user risk assessment

Generation Configuration

Base Frequency: 0.5 events/hour

Time Patterns: business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 0.8x

Details

pass_the_ticket

Event Type

Fields

Low

Frequency

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example Value	Possible Values
alertId Source: 'a' + random_guid()	String	Required	`a{UUID}`	Unique identifier for the alert with 'a' prefix	`aa1b2c3d4-e5f6-7890-abcd-ef1234567890`	—
providerAlertId Source: random_guid()	String	Required	`UUID`	Provider-specific alert identifier (typically same as alertId without prefix)	`a1b2c3d4-e5f6-7890-abcd-ef1234567890`	—
incidentId Source: random_int(100, 9999)	Integer	Required	—	Incident number for tracking and correlation	`1234`	—
serviceSource Source: Fixed value	String	Required	—	Microsoft service that generated the alert	`MicrosoftDefenderForIdentity`	—
creationTime Source: current_timestamp()	DateTime	Required	`ISO 8601 with milliseconds`	UTC timestamp when the alert was created	`2024-01-15T14:30:25.123Z`	—
lastUpdatedTime Source: creationTime + random hours	DateTime	Required	`ISO 8601 with milliseconds`	UTC timestamp when the alert was last updated	`2024-01-15T15:45:30.456Z`	—
resolvedTime Source: lastUpdatedTime - random minutes	DateTime	Optional	`ISO 8601 with milliseconds`	UTC timestamp when the alert was resolved (if resolved)	`2024-01-15T16:15:45.789Z`	—
firstActivity Source: creationTime - random hours	DateTime	Required	`ISO 8601 with milliseconds`	UTC timestamp of the first suspicious activity	`2024-01-15T12:15:30.123Z`	—
lastActivity Source: firstActivity + random minutes	DateTime	Required	`ISO 8601 with milliseconds`	UTC timestamp of the last suspicious activity	`2024-01-15T12:45:30.456Z`	—
title Source: Fixed descriptive title	String	Required	—	Human-readable alert title	`Suspected identity theft (pass-the-ticket)`	—
description Source: Dynamic description with user, devices, and resource count	String	Required	—	Detailed description of the detected activity	`An actor took John Doe (Manager)'s Kerberos ticket from WORKSTATION01 and used it on SERVER02 to access 3 resources.`	—
category Source: Fixed value for pass-the-ticket attacks	String	Required	—	MITRE ATT&CK tactic category	`LateralMovement`	`LateralMovement` - MITRE ATT&CK Lateral Movement tactic
status Source: Random from predefined statuses	String	Required	—	Current status of the alert investigation	`Resolved`	`New` - Newly created alert awaiting investigation `InProgress` - Alert currently under investigation `Resolved` - Alert investigation completed
severity Source: Random from severity levels	String	Required	—	Severity level of the security alert	`High`	`Low` - Low severity security event `Medium` - Medium severity security event `High` - High severity security event `Critical` - Critical security event requiring immediate attention
investigationId Source: Fixed null value	String	Optional	—	Investigation tracking identifier (often null for unsupported alert types)	`null`	—
investigationState Source: Fixed value indicating manual investigation required	String	Required	—	State of the automated investigation	`UnsupportedAlertType`	—
classification Source: Random from classification options	String	Required	—	Alert classification after investigation	`TruePositive`	`Unknown` - Classification not yet determined `FalsePositive` - Alert determined to be benign `TruePositive` - Alert confirmed as malicious activity `BenignPositive` - Alert is accurate but represents benign activity
determination Source: Random from determination options	String	Required	—	Specific determination of the alert cause	`SecurityTesting`	`NotAvailable` - Determination not available `Apt` - Advanced Persistent Threat activity `Malware` - Malware-related activity `SecurityPersonnel` - Authorized security personnel activity `SecurityTesting` - Authorized security testing `UnwantedSoftware` - Unwanted but not malicious software `Other` - Other determination
detectionSource Source: Fixed legacy identifier for Defender for Identity	String	Required	—	Source system that detected the threat	`AzureATP`	—
detectorId Source: Fixed detector identifier	String	Required	—	Specific detector that triggered the alert	`PassTheTicketSecurityAlert`	—
assignedTo Source: Random user email from registry	String	Optional	`Email`	Email address of the assigned investigator	`security.analyst@contoso.com`	—
mitreTechniques Source: Fixed array for pass-the-ticket techniques	Array	Required	—	MITRE ATT&CK technique identifiers	`["T1550", "T1550.003"]`	—
devices Source: Array of 3 devices with detailed metadata	Array	Required	—	Array of device objects involved in the alert	`[{"mdatpDeviceId": "abc123", "deviceDnsName": "server01.contoso.com"}]`	—
entities Source: Array containing krbtgt account, target user, and source IP	Array	Required	—	Array of security entities involved in the alert (users, IPs, etc.)	`[{"entityType": "User", "accountName": "jdoe", "verdict": "Suspicious"}]`	—