{
	"id": "293d77ce-f650-47bf-a921-bbd04efe424e",
	"created_at": "2026-04-06T00:17:05.405401Z",
	"updated_at": "2026-04-10T03:36:13.782821Z",
	"deleted_at": null,
	"sha1_hash": "5daef50a1fd0f32e3a11a3ecd0e7c1d4770f7fad",
	"title": "CAPEC-645: Use of Captured Tickets (Pass The Ticket) (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42767,
	"plain_text": "CAPEC-645: Use of Captured Tickets (Pass The Ticket) (Version\r\n3.9)\r\nArchived: 2026-04-05 18:04:26 UTC\r\n Description\r\nAn adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication\r\nprotocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant\r\naccess to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g.\r\nService Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource\r\nwithout needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a\r\nparticular resource or generate TGTs for any account within an Active Directory Domain.\r\n Likelihood Of Attack\r\n Typical Severity\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and\r\nlower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to\r\nshow similar attack patterns that the user may want to explore.\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\n Prerequisites\r\nThe adversary needs physical access to the victim system.\r\nThe use of a third-party credential harvesting tool.\r\n Skills Required\r\n[Level: Low]\r\nDetermine if Kerberos authentication is used on the server.\r\n[Level: High]\r\nThe adversary uses a third-party tool to obtain the necessary tickets to execute the attack.\r\nhttps://capec.mitre.org/data/definitions/645.html\r\nPage 1 of 3\n\nConsequences\r\nThis table specifies different individual consequences associated with the attack pattern. 
The Scope identifies\r\nthe security property that is violated, while the Impact describes the negative technical impact that arises if an\r\nadversary succeeds in their attack. The Likelihood provides information about how likely the specific\r\nconsequence is expected to be seen relative to the other consequences in the list. For example, there may be high\r\nlikelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to\r\nachieve a different impact.\r\nScope Impact Likelihood\r\nIntegrity Gain Privileges\r\n Mitigations\r\nReset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets\r\nand any tickets derived from them.\r\nMonitor system and domain logs for abnormal access.\r\n Example Instances\r\nBronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs)\r\nand Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]\r\n Taxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has\r\nrelevant ATT\u0026CK mappings. 
Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as\r\npart of the mapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping (also see parent)\r\nEntry ID Entry Name\r\n1550.003 Use Alternate Authentication Material:Pass The Ticket\r\n References\r\n Content History\r\nSubmissions\r\nSubmission\r\nDate\r\nSubmitter Organization\r\n2018-07-31\r\n(Version 2.12)\r\nCAPEC Content Team\r\nModifications\r\nModification\r\nDate\r\nModifier Organization\r\n2020-07-30\r\n(Version 3.3)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Description, Example_Instances, References, Related_Attack_Patterns,\r\nRelated_Weaknesses, Taxonomy_Mappings\r\nSource: https://capec.mitre.org/data/definitions/645.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/645.html"
	],
	"report_names": [
		"645.html"
	],
	"threat_actors": [
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5daef50a1fd0f32e3a11a3ecd0e7c1d4770f7fad.pdf",
		"text": "https://archive.orkl.eu/5daef50a1fd0f32e3a11a3ecd0e7c1d4770f7fad.txt",
		"img": "https://archive.orkl.eu/5daef50a1fd0f32e3a11a3ecd0e7c1d4770f7fad.jpg"
	}
}