Pass-the-Ticket Attack Detection
Defender for Identity lateral movement alert
Microsoft Defender for Identity alert for pass-the-ticket attacks indicating lateral movement through stolen Kerberos tickets
Overview
Fires when a Kerberos ticket (a TGT or a service ticket) that was issued to one machine is seen being used from a different machine. In a pass-the-ticket attack the attacker extracts tickets from the memory of a compromised host and replays them elsewhere, so no password or hash is needed and the resulting logons look like the legitimate user. The alert is a strong indicator of lateral movement and of a compromised Active Directory environment.
When Generated:
- When the same Kerberos ticket is observed in use from two different machines
- During lateral movement in a compromised environment, when the stolen ticket is used to reach additional hosts and resources
- When an attacker uses a stolen ticket to act as a more privileged account
- As part of advanced persistent threat (APT) campaigns
Security Relevance: Critical
Compliance:
Frequency Notes:
Very rare in legitimate environments; the generator's baseline is 0.5 events/hour. A higher rate, especially during off-hours, suggests active compromise. Treat every alert as a potential true positive until it is investigated; the usual benign explanations are authorized security testing and security-personnel activity, which is what the `SecurityTesting` and `SecurityPersonnel` determination values record.
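The heuristic described above, reduced to code as an added example (this is not the page's generator code and not Defender for Identity's implementation, which correlates ticket usage seen in domain-controller network traffic): records describing ticket use are grouped by ticket, and any ticket used from more than one host is reported with the same facts the alert's description carries. The record layout, the `ticket_id` identifier and the sample data are constructed for this example. It also shows the edge case that matters for false positives: the same user logging on from a second machine gets a different ticket, so that is not flagged.

```python
"""
Added example, not code from the original page: a minimal pass-the-ticket
detector over constructed ticket-usage records.

Record: (ticket_id, user, source_host, target_resource, timestamp_utc)
ticket_id stands in for whatever identifier a sensor uses to recognise the
same ticket again; that field and all sample values are assumptions here.
"""
from collections import defaultdict

# Constructed sample data. tkt-0001 is issued on WORKSTATION01 and later
# replayed from SERVER02 (the attack). tkt-0003 is a fresh logon by the same
# user on another laptop: a different ticket, so it must not be flagged.
SAMPLE_TICKET_USE = [
    ("tkt-0001", "jdoe",   "WORKSTATION01", "FILESRV01", "2024-01-15T12:15:30Z"),
    ("tkt-0001", "jdoe",   "WORKSTATION01", "FILESRV02", "2024-01-15T12:20:00Z"),
    ("tkt-0001", "jdoe",   "SERVER02",      "FILESRV01", "2024-01-15T12:40:10Z"),
    ("tkt-0001", "jdoe",   "SERVER02",      "SQL01",     "2024-01-15T12:42:00Z"),
    ("tkt-0001", "jdoe",   "SERVER02",      "DC01",      "2024-01-15T12:45:30Z"),
    ("tkt-0002", "asmith", "WORKSTATION07", "FILESRV01", "2024-01-15T12:30:00Z"),
    ("tkt-0002", "asmith", "WORKSTATION07", "FILESRV02", "2024-01-15T12:31:00Z"),
    ("tkt-0003", "jdoe",   "LAPTOP05",      "FILESRV01", "2024-01-15T13:05:00Z"),
]


def detect_pass_the_ticket(records):
    """Return one finding per ticket that was used from more than one host.

    A finding mirrors what the alert's description reports: the user, the
    host the ticket was taken from (the first host seen using it), the host
    it was replayed on, the number of distinct resources reached from that
    second host, and the first/last activity timestamps.
    """
    by_ticket = defaultdict(list)
    for rec in records:
        by_ticket[rec[0]].append(rec)

    findings = []
    for ticket_id, uses in by_ticket.items():
        # ISO 8601 UTC strings of equal layout sort chronologically.
        uses.sort(key=lambda r: r[4])
        hosts = []
        for _, _, host, _, _ in uses:
            if host not in hosts:
                hosts.append(host)
        if len(hosts) < 2:
            continue  # ticket only ever used where it was issued: benign
        origin, replay_host = hosts[0], hosts[1]
        resources = {tgt for _, _, host, tgt, _ in uses if host == replay_host}
        findings.append({
            "ticketId": ticket_id,
            "user": uses[0][1],
            "sourceDevice": origin,
            "targetDevice": replay_host,
            "resourceCount": len(resources),
            "firstActivity": uses[0][4],
            "lastActivity": uses[-1][4],
            "category": "LateralMovement",
            "mitreTechniques": ["T1550", "T1550.003"],
        })
    return findings


def describe(finding):
    """Render a finding in the wording the alert's description field uses."""
    return (f"An actor took {finding['user']}'s Kerberos ticket from "
            f"{finding['sourceDevice']} and used it on {finding['targetDevice']} "
            f"to access {finding['resourceCount']} resources.")


if __name__ == "__main__":
    for finding in detect_pass_the_ticket(SAMPLE_TICKET_USE):
        print(describe(finding))
```

The grouping key is the ticket, not the user: that is what separates a replayed ticket from a user who simply has sessions on two machines, and it is why the sample's `tkt-0003` logon from `LAPTOP05` produces no finding.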
Resources
Documentation
- Microsoft Defender for Identity Documentation official
- Pass-the-Ticket Attack Detection official
- MITRE ATT&CK T1550.003: Pass the Ticket reference
Tools
- Microsoft 365 Defender Portal (now the Microsoft Defender portal): unified security portal for investigating and responding to Defender for Identity alerts
- Microsoft Defender for Identity Portal: dedicated portal for Defender for Identity management and investigation
- Azure Active Directory Identity Protection (now Microsoft Entra ID Protection): complementary identity security service for user risk assessment
Generation Configuration
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|
| `alertId` (Source: `'a' + random_guid()`) | String | Required | `a{UUID}` | Unique identifier for the alert, with an `a` prefix | `aa1b2c3d4-e5f6-7890-abcd-ef1234567890` | — |
| `providerAlertId` (Source: `random_guid()`) | String | Required | UUID | Provider-specific alert identifier; the same GUID as `alertId` without the `a` prefix | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | — |
| `incidentId` (Source: `random_int(100, 9999)`) | Integer | Required | — | Incident number for tracking and correlation | `1234` | — |
| `serviceSource` (Source: fixed value) | String | Required | — | Microsoft service that generated the alert | `MicrosoftDefenderForIdentity` | — |
| `creationTime` (Source: `current_timestamp()`) | DateTime | Required | ISO 8601 with milliseconds | UTC timestamp when the alert was created | `2024-01-15T14:30:25.123Z` | — |
| `lastUpdatedTime` (Source: `creationTime` + random hours) | DateTime | Required | ISO 8601 with milliseconds | UTC timestamp when the alert was last updated | `2024-01-15T15:45:30.456Z` | — |
| `resolvedTime` (Source: `lastUpdatedTime` - random minutes) | DateTime | Optional | ISO 8601 with milliseconds | UTC timestamp when the alert was resolved (if resolved); never later than `lastUpdatedTime`, since resolving is itself an update | `2024-01-15T15:30:45.789Z` | — |
| `firstActivity` (Source: `creationTime` - random hours) | DateTime | Required | ISO 8601 with milliseconds | UTC timestamp of the first suspicious activity | `2024-01-15T12:15:30.123Z` | — |
| `lastActivity` (Source: `firstActivity` + random minutes) | DateTime | Required | ISO 8601 with milliseconds | UTC timestamp of the last suspicious activity | `2024-01-15T12:45:30.456Z` | — |
| `title` (Source: fixed descriptive title) | String | Required | — | Human-readable alert title | `Suspected identity theft (pass-the-ticket)` | — |
| `description` (Source: dynamic description built from the user, the two devices and the resource count) | String | Required | — | Detailed description of the detected activity | `An actor took John Doe (Manager)'s Kerberos ticket from WORKSTATION01 and used it on SERVER02 to access 3 resources.` | — |
| `category` (Source: fixed value for pass-the-ticket alerts) | String | Required | — | MITRE ATT&CK tactic category | `LateralMovement` | `LateralMovement`: MITRE ATT&CK Lateral Movement tactic |
| `status` (Source: random from predefined statuses) | String | Required | — | Current status of the alert investigation | `Resolved` | `New`: newly created alert awaiting investigation; `InProgress`: alert currently under investigation; `Resolved`: alert investigation completed |
| `severity` (Source: random from severity levels) | String | Required | — | Severity level of the security alert | `High` | `Low`: low severity security event; `Medium`: medium severity security event; `High`: high severity security event; `Critical`: critical security event requiring immediate attention |
| `investigationId` (Source: fixed null value) | String | Optional | — | Investigation tracking identifier; null for alert types that automated investigation does not support | `null` | — |
| `investigationState` (Source: fixed value indicating manual investigation is required) | String | Required | — | State of the automated investigation | `UnsupportedAlertType` | — |
| `classification` (Source: random from classification options) | String | Required | — | Alert classification after investigation | `TruePositive` | `Unknown`: classification not yet determined; `FalsePositive`: alert determined to be benign; `TruePositive`: alert confirmed as malicious activity; `BenignPositive`: alert is accurate but represents benign activity |
| `determination` (Source: random from determination options) | String | Required | — | Specific determination of the alert cause | `SecurityTesting` | `NotAvailable`: determination not available; `Apt`: advanced persistent threat activity; `Malware`: malware-related activity; `SecurityPersonnel`: authorized security personnel activity; `SecurityTesting`: authorized security testing; `UnwantedSoftware`: unwanted but not malicious software; `Other`: other determination |
| `detectionSource` (Source: fixed legacy identifier for Defender for Identity) | String | Required | — | Source system that detected the threat; `AzureATP` is the product's former name (Azure Advanced Threat Protection), which the alert schema still uses | `AzureATP` | — |
| `detectorId` (Source: fixed detector identifier) | String | Required | — | Specific detector that triggered the alert | `PassTheTicketSecurityAlert` | — |
| `assignedTo` (Source: random user email from registry) | String | Optional | Email | Email address of the assigned investigator | `security.analyst@contoso.com` | — |
| `mitreTechniques` (Source: fixed array for pass-the-ticket) | Array | Required | — | MITRE ATT&CK technique identifiers: T1550 (Use Alternate Authentication Material) and its sub-technique T1550.003 (Pass the Ticket) | `["T1550", "T1550.003"]` | — |
| `devices` (Source: array of 3 devices with detailed metadata) | Array | Required | — | Array of device objects involved in the alert | `[{"mdatpDeviceId": "abc123", "deviceDnsName": "server01.contoso.com"}]` | — |
| `entities` (Source: array containing the krbtgt account, the target user and the source IP) | Array | Required | — | Array of security entities involved in the alert (users, IPs, etc.) | `[{"entityType": "User", "accountName": "jdoe", "verdict": "Suspicious"}]` | — |
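The field definitions above fix several relationships between fields (the `alertId` / `providerAlertId` GUID, the ordering of the five timestamps, the fixed category, detector and technique values). The following added example, which is not the generator's own code, builds one record to that schema and then checks those invariants, which is the check a consumer of the generated data would want to run before feeding it into a SIEM. The helper names `make_alert` and `validate_alert`, the `contoso.com` investigator address, the choice to carry a `resolvedTime`, classification and determination only on a `Resolved` alert, and the two-device `devices` array are assumptions of this example.

```python
"""
Added example, not the page's generator: build one pass-the-ticket alert
record following the field definitions, and validate the invariants those
definitions imply. Helper names and the coupling of classification and
determination to a Resolved status are assumptions of this example.
"""
import random
import uuid
from datetime import datetime, timedelta, timezone

STATUSES = ["New", "InProgress", "Resolved"]
SEVERITIES = ["Low", "Medium", "High", "Critical"]
CLASSIFICATIONS = ["Unknown", "FalsePositive", "TruePositive", "BenignPositive"]
DETERMINATIONS = ["NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                  "SecurityTesting", "UnwantedSoftware", "Other"]
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def iso_ms(dt):
    """ISO 8601 with millisecond precision and a Z suffix, as the table specifies."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_alert(user, user_title, source_device, target_device, resource_count,
               now=None, rng=None):
    """Return one alert dict; `now` and `rng` can be pinned for reproducible output."""
    rng = rng or random.Random()
    now = now or datetime.now(timezone.utc)
    guid = str(uuid.uuid4())  # providerAlertId; alertId is the same GUID with an 'a' prefix
    first = now - timedelta(hours=rng.randint(1, 6))        # creationTime - random hours
    last = first + timedelta(minutes=rng.randint(5, 55))    # firstActivity + random minutes
    updated = now + timedelta(hours=rng.randint(1, 4))      # creationTime + random hours
    status = rng.choice(STATUSES)
    # Assumption: only a Resolved alert carries resolvedTime, classification and determination.
    resolved = updated - timedelta(minutes=rng.randint(1, 30)) if status == "Resolved" else None
    return {
        "alertId": "a" + guid,
        "providerAlertId": guid,
        "incidentId": rng.randint(100, 9999),
        "serviceSource": "MicrosoftDefenderForIdentity",
        "creationTime": iso_ms(now),
        "lastUpdatedTime": iso_ms(updated),
        "resolvedTime": iso_ms(resolved) if resolved else None,
        "firstActivity": iso_ms(first),
        "lastActivity": iso_ms(last),
        "title": "Suspected identity theft (pass-the-ticket)",
        "description": (f"An actor took {user} ({user_title})'s Kerberos ticket from "
                        f"{source_device} and used it on {target_device} "
                        f"to access {resource_count} resources."),
        "category": "LateralMovement",
        "status": status,
        "severity": rng.choice(SEVERITIES),
        "investigationId": None,
        "investigationState": "UnsupportedAlertType",
        "classification": rng.choice(CLASSIFICATIONS[1:]) if status == "Resolved" else "Unknown",
        "determination": rng.choice(DETERMINATIONS[1:]) if status == "Resolved" else "NotAvailable",
        "detectionSource": "AzureATP",
        "detectorId": "PassTheTicketSecurityAlert",
        "assignedTo": None if status == "New" else "security.analyst@contoso.com",  # assumed address
        "mitreTechniques": ["T1550", "T1550.003"],
        # The page's generator emits three device objects with more metadata; two suffice here.
        "devices": [{"deviceDnsName": f"{d.lower()}.contoso.com"} for d in (source_device, target_device)],
        "entities": [{"entityType": "User", "accountName": user, "verdict": "Suspicious"}],
    }


def validate_alert(a):
    """Return the list of invariant violations; an empty list means the record is consistent."""
    problems = []
    if not (a["alertId"].startswith("a") and a["alertId"][1:] == a["providerAlertId"]):
        problems.append("alertId must be 'a' + providerAlertId")
    try:
        uuid.UUID(a["providerAlertId"])
    except ValueError:
        problems.append("providerAlertId is not a UUID")
    ts = lambda key: datetime.strptime(a[key], TS_FORMAT)
    if not ts("firstActivity") <= ts("lastActivity") <= ts("creationTime") <= ts("lastUpdatedTime"):
        problems.append("expected firstActivity <= lastActivity <= creationTime <= lastUpdatedTime")
    if a["status"] == "Resolved":
        if a["resolvedTime"] is None or not ts("resolvedTime") <= ts("lastUpdatedTime"):
            problems.append("a Resolved alert needs resolvedTime <= lastUpdatedTime")
    elif a["classification"] != "Unknown" or a["determination"] != "NotAvailable":
        problems.append("an unresolved alert should not carry a classification or determination")
    if a["category"] != "LateralMovement" or "T1550.003" not in a["mitreTechniques"]:
        problems.append("a pass-the-ticket alert must map to LateralMovement / T1550.003")
    if a["status"] not in STATUSES or a["severity"] not in SEVERITIES:
        problems.append("status or severity outside the allowed set")
    return problems


if __name__ == "__main__":
    alert = make_alert("John Doe", "Manager", "WORKSTATION01", "SERVER02", 3)
    print(alert["description"])
    print("violations:", validate_alert(alert))
```

`validate_alert` is deliberately independent of `make_alert`: it only reads the record, so it can be pointed at output from the real generator (or at a real alert export) to catch the ordering mistakes that make synthetic data look wrong in a SIEM, such as a `resolvedTime` later than `lastUpdatedTime` or activity timestamps after the alert's own `creationTime`.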