In the Black Hat talk by Gentilkiwi on Mimikatz back in 2014, he mentioned that you can pass the service ticket also, but I am unable to replicate it in a lab. It throws an access denied. Passing the TGT works all good.
Trying to troubleshoot the issue, I hit upon this article:
Kerberos tickets: Comprehension and exploitation
When an ST is sent to the machine providing the service, this one compares the timestamps included in the ST (the moment when the ticket was created) with the moment when the ticket was sent and it is directly dismissed if there is a difference of more than 2 minutes. Besides, the first ticket sent to the service machine (most of the time it refers to the legitimate user) is cached in the memory and the following tickets are rejected.
Questions:
Does Pass the Ticket work if I pass the Service Ticket?
Was there any patch to fix this issue?