
DET0352 Detection Strategy for T1550.003 - Pass the Ticket (Windows)

ID: DET0352
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1550.003 (Pass the Ticket)

Analytics

Windows

AN1000

Detects unauthorized Kerberos ticket injection by correlating service ticket requests (TGS, event 4769) with the absence of a corresponding account logon (4624) and of prior Ticket Granting Ticket activity (TGT, event 4768). It highlights anomalous service ticket generation chains involving unexpected users, hosts, or times, as well as suspicious injection of tickets into LSASS memory by mimikatz-like tooling. The behavior also covers lateral movement over the network using Kerberos authentication without the expected interactive logon pattern.

Log Sources

Data Component | Name | Channel
User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4769
Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4768
Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648
Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
Mutable Elements

Field | Description
TimeWindow | Defines the correlation window between the TGT request (4768) and the TGS request (4769)
HostContextScope | Adjusts the host scoping for correlation of authentication chains and ticket injection
LSASSAccessAnomalyThreshold | Allows tuning of alerts for ticket injection attempts via LSASS memory access
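The 4768/4769/4624 correlation the analytic describes, as an added example that is not part of the DET0352 page or of any MITRE tooling: a small Python script runs over constructed Security-log-style records and flags service ticket requests (4769) that have no preceding TGT request (4768) for the same account and client address within TimeWindow, or that are not followed by a logon session (4624). The field names, the window values and the sample events are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Mutable elements, with values assumed for this example (tune per environment)
TIME_WINDOW = timedelta(hours=10)    # max age of a TGT (4768) before a later TGS (4769) is treated as orphaned
LOGON_WINDOW = timedelta(minutes=5)  # how soon after a 4769 a matching 4624 logon is expected

# Constructed sample events; field names are simplified stand-ins for Security log fields
SAMPLE_EVENTS = [
    # Normal chain: TGT request, service ticket request, logon session on the target
    {"ts": "2025-10-21T08:00:00", "code": 4768, "account": "alice", "ip": "10.0.0.5"},
    {"ts": "2025-10-21T08:00:05", "code": 4769, "account": "alice", "ip": "10.0.0.5", "service": "cifs/FS01"},
    {"ts": "2025-10-21T08:00:06", "code": 4624, "account": "alice", "ip": "10.0.0.5"},
    # No 4768 for this account from this client address: the ticket was not requested here
    {"ts": "2025-10-21T09:30:00", "code": 4769, "account": "svc_backup", "ip": "10.0.0.99", "service": "cifs/DC01"},
    # TGT present, but no logon session follows the service ticket
    {"ts": "2025-10-21T10:00:00", "code": 4768, "account": "bob", "ip": "10.0.0.7"},
    {"ts": "2025-10-21T10:00:02", "code": 4769, "account": "bob", "ip": "10.0.0.7", "service": "ldap/DC01"},
]


def correlate(events, tgt_window=TIME_WINDOW, logon_window=LOGON_WINDOW):
    """Return (event, reason) pairs for 4769 events lacking a prior 4768 or a following 4624.
    Events are keyed on (account, client address), the chain the analytic describes."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])
    logons = {}  # (account, ip) -> timestamps of 4624 events
    for e in evs:
        if e["code"] == 4624:
            logons.setdefault((e["account"].lower(), e["ip"]), []).append(e["ts"])
    last_tgt = {}  # (account, ip) -> timestamp of the most recent 4768
    alerts = []
    for e in evs:
        key = (e["account"].lower(), e["ip"])
        if e["code"] == 4768:
            last_tgt[key] = e["ts"]
        elif e["code"] == 4769:
            tgt = last_tgt.get(key)
            if tgt is None or e["ts"] - tgt > tgt_window:
                alerts.append((e, "no TGT request (4768) within window"))
            followed = any(timedelta(0) <= t - e["ts"] <= logon_window for t in logons.get(key, []))
            if not followed:
                alerts.append((e, "no logon session (4624) after service ticket"))
    return alerts


if __name__ == "__main__":
    for e, reason in correlate(SAMPLE_EVENTS):
        print(f"{e['ts']} {e['account']}@{e['ip']} -> {e.get('service')}: {reason}")
```

In production the HostContextScope element corresponds to the key used here: widening it (for example, keying on account only) reduces false positives from clients behind NAT at the cost of missing tickets replayed from a different host.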