Detecting Pass The Ticket
Status: Scaffold — content in progress
Paired Attack: Pass The Ticket
DRL Level: DRL-3 (rule drafted, lab validation pending)
Detection Confidence: [High / Medium / Low]
Required Telemetry
| Source | Event / Field | Notes |
|---|---|---|
| [Fill in] | [Fill in] | [Fill in] |
Sigma Rule
title: Detecting Pass The Ticket
status: experimental
# Fill in rule
KQL — Microsoft Sentinel
// Fill in KQL query
SPL — Splunk
// Fill in SPL query
False Positive Handling
[Document known benign causes]
Response Actions
[Initial response steps]
Cross-Links
| Topic | Link |
|---|---|
| Attack | pass-the-ticket |
| Detection Framework | detection-framework |