Pass the Ticket
Inject a stolen or forged Kerberos ticket into the current session for impersonation.
§ Where this technique fits
T1550.003 is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 9 approved dossiers in the registry, at an average position of step 4.4.
Authoritative reference: attack.mitre.org/techniques/T1550/003/.
§ Dossiers chaining this technique
- step 3 of 5 in "Shadow Credentials → PKINIT → NT hash": Where GenericWrite is held over a target, write a fake KeyCredentialLink (WHfB-like) and authenticate via PKINIT to recover the target's NT hash.
- step 4 of 6 in "Citrix Bleed → steal authenticated session → MFA bypass": Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- step 4 of 6 in "JWT RS256 → HS256 algorithm confusion → admin": Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.
- step 4 of 6 in "ADCS ESC11 → certificate via RPC (no web enrollment)": When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
- step 4 of 5 in "ADCS ESC1 → Domain Admin": A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- step 4 of 5 in "MachineAccountQuota abuse → RBCD takeover of a server": Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
- step 5 of 6 in "PetitPotam + ADCS ESC8 → Domain Controller takeover": Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- step 6 of 7 in "mitm6 IPv6 SLAAC → NTLM relay → DA": Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- step 6 of 7 in "Unconstrained delegation → Capture DC TGT → DCSync": Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
§ What commonly comes next
- 01. DCSync (seen 4×) · T1003.006 · Credential Access
- 02. UnPAC-the-Hash (seen 2×) · AD-UNPAC · Credential Access
- 03. Broken Function Level Authorization (API BFLA) (seen 1×) · W-BFLA · Privilege Escalation
- 04. SMB/Windows Admin Shares (seen 1×) · T1021.002 · Lateral Movement
- 05. Valid Accounts (seen 1×) · T1078 · Initial Access