- Pass the ticket works by dumping the TGT from the LSASS memory of the machine. - Local Security Authority Subsystem Service (LSASS) is a memory process that stores credentials on an active directory server and can store Kerberos ticket along with other credential types to act as the gatekeeper and accept or reject the credentials provided. - You can dump the Kerberos tickets from the LSASS memory just like you can dump hashes. - When you dump the tickets with `mimikatz` it will give us a `.kirbi` ticket which can be used to gain domain admin if a domain admin ticket is in the LSASS memory. - dump a domain admin’s ticket > impersonate that ticket using mimikatz PTT attack allowing you to act as that domain admin. # Mitigations - Don’t let your domain admins log onto anything except the domain controller.