DET0352: Detection Strategy for T1550.003 - Pass the Ticket (Windows)
Analyst context for executives and security teams
DET0352 is a MITRE detection strategy object for Pass the Ticket on Windows. The business issue is identity trust: an intruder who has a valid Kerberos ticket may move laterally without knowing a user’s password, making password-centric controls and investigations incomplete.
Executive priority
Treat this as an identity and lateral-movement coverage question. Leaders should ask whether the organization can prove when Kerberos-based access between Windows systems is legitimate, whether SOC and IR teams can scope suspected ticket misuse, and whether privileged account activity can be audited well enough to support incident decisions and compliance evidence.
Technical view
The supplied relationship maps this detection strategy to ATT&CK T1550.003, Pass the Ticket, under lateral movement on Windows. Because the official detection text is not provided, defenders should validate coverage around Kerberos-authenticated access, account context, and host-to-host movement rather than assuming a specific analytic exists. SOC teams should correlate domain authentication activity with endpoint logon/session activity and known administrative or service-account behavior.
Likely telemetry
- Windows authentication and logon events involving Kerberos
- Domain controller Kerberos ticket and service access activity
- Endpoint session, remote logon, and host-to-host access records
- Account identity, privilege, and group context for valid accounts
- Administrative account and service-account usage baselines
Detection direction
- Confirm Kerberos and Windows logon telemetry is collected from domain controllers and relevant endpoints with enough retention for lateral-movement investigations.
- Tune for unusual Kerberos-authenticated access patterns by account, source host, destination host, and privilege context.
- Review administrative and service-account behavior carefully to reduce false positives; legitimate remote administration can resemble lateral movement.
- Identify blind spots where endpoint logs, domain controller events, or identity context are missing, because those gaps can prevent confident scoping of suspected Pass the Ticket activity.
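As an added illustration of the second bullet (tuning by account, source host and destination host), the following Python snippet is example code written for this page; it is not MITRE's detection logic and not part of the DET0352 object. It assumes 4624 (successful logon) events reduced to dictionaries whose keys mirror the standard event fields (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, Computer); all event values are constructed. It builds a per-account baseline of source hosts from historical Kerberos network logons, then flags accounts whose tickets are presented from a source host outside that baseline and that fan out to several destination hosts.

```python
"""Added example: flag Kerberos network logons from unexpected source hosts."""
from collections import defaultdict

# Constructed historical baseline: accounts and the source hosts they
# normally authenticate from (in practice, weeks of 4624 data).
BASELINE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.11", "Computer": "FS01"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.11", "Computer": "MAIL01"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.9.40", "Computer": "FS01"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.9.40", "Computer": "FS02"},
]

# Constructed events for the window under review.
REVIEW_EVENTS = [
    # Normal: alice from her usual workstation.
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.11", "Computer": "FS01"},
    # Suspicious: alice's ticket presented from a host she never uses, reaching several servers.
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.7.99", "Computer": "FS01"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.7.99", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.7.99", "Computer": "SQL01"},
    # Interactive logon (type 2) is not a network ticket use; ignored by the check.
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "-", "Computer": "WS05"},
    # NTLM logon is out of scope for a Kerberos-focused check.
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.8.3", "Computer": "FS01"},
]


def is_kerberos_network_logon(ev):
    """True for a successful network (type 3) logon authenticated with Kerberos."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "Kerberos")


def build_baseline(events):
    """Map account -> set of source IPs seen in Kerberos network logons."""
    baseline = defaultdict(set)
    for ev in events:
        if is_kerberos_network_logon(ev):
            baseline[ev["TargetUserName"]].add(ev["IpAddress"])
    return baseline


def find_unexpected_sources(events, baseline, min_destinations=1):
    """Return findings as (account, new_source_ip, sorted destination hosts).

    A finding is raised when an account's Kerberos network logons come from a
    source IP absent from its baseline and reach at least min_destinations
    distinct destination hosts; raising the threshold trades recall for fewer
    alerts on one-off administrative sessions.
    """
    fanout = defaultdict(set)
    for ev in events:
        if not is_kerberos_network_logon(ev):
            continue
        acct, src = ev["TargetUserName"], ev["IpAddress"]
        if src not in baseline.get(acct, set()):
            fanout[(acct, src)].add(ev["Computer"])
    return [(acct, src, sorted(hosts))
            for (acct, src), hosts in sorted(fanout.items())
            if len(hosts) >= min_destinations]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for acct, src, hosts in find_unexpected_sources(REVIEW_EVENTS, base, min_destinations=2):
        print(f"{acct}: Kerberos network logons from unbaselined source {src} to {hosts}")
```

The baseline is the part that needs local tuning: privileged and service accounts that legitimately roam between jump hosts should have those hosts in their baseline, or the check will surface routine administration as described in the third bullet above.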
Mitigation priorities
- Prioritize identity controls around valid accounts, especially privileged and administrative accounts.
- Limit unnecessary lateral movement paths between Windows systems and review where Kerberos-authenticated access is broadly allowed.
- Ensure incident response playbooks include investigation of stolen or misused Kerberos tickets, not only password compromise.
- Maintain audit-ready evidence for authentication activity, account privilege, and host-to-host access.
Analyst notes and limits
This take is based on the official STIX metadata and the supplied relationship to T1550.003 Pass the Ticket. The object itself has no official description, detection text, tactics, or platform field, so technical guidance is intentionally derived from the related ATT&CK technique context.
MITRE did not provide detection logic, data sources, analytics, or mitigations in the supplied object fields. Local architecture, logging configuration, Active Directory design, and endpoint visibility are required to determine actual coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1550.003 | Pass the Ticket Sub-technique | This object detects Pass the Ticket. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b77148d2b123… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0352 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.