Forum Discussion
Invalidating Kerberos tickets via XDR?
Since we have alerts every now and then regarding suspected Pass-the-Ticket incidents, I want to know if there's a way to make a user's Kerberos ticket invalid. Like we have "Revoke Session" in Entra ID, is there anything similar that we can do in XDR?
When dealing with suspected Pass-the-Ticket activity, it’s important to understand that Microsoft Defender XDR cannot directly invalidate an active Kerberos ticket.
Kerberos tickets are issued and validated by the Active Directory Domain Controller (KDC). Once a TGT is issued, it remains valid until it expires (default around 10 hours), the user’s password is changed, the account is disabled, the KRBTGT password is rotated (in Golden Ticket scenarios), or the machine holding the ticket is rebooted (which clears the local cache).
Defender XDR is not a Kerberos authority, so it cannot revoke Kerberos tickets the same way Entra ID can revoke OAuth refresh tokens.
What Defender XDR can do is detect Pass-the-Ticket behavior (through Defender for Endpoint and Defender for Identity), correlate lateral movement activity, isolate devices, disable accounts, and support password reset workflows. These are containment and remediation actions, but they do not directly invalidate an already issued ticket.
If a Kerberos ticket compromise is suspected, the effective response is:
- Reset the user’s password (preferably twice to mitigate NTLM hash reuse).
- Disable the account temporarily to prevent new TGT issuance.
- Force logoff or reboot affected endpoints to clear cached tickets.
- In Golden Ticket cases, rotate the KRBTGT password twice in a controlled manner.
The key distinction is that Defender XDR handles detection and response orchestration, while Kerberos ticket lifecycle control remains within Active Directory.
For incident response planning, this separation is important when defining playbooks for PtT scenarios.
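The containment steps listed in the reply, as an added PowerShell example that is not part of the original post: it disables the account, resets the password twice, and logs the user off the affected hosts so their cached tickets are gone. It assumes the RSAT ActiveDirectory module, WinRM access to the hosts, and placeholder values for `$User` and `$Hosts`; KRBTGT rotation is deliberately left as a comment.

```powershell
# Added example, not from the original post: containment helper for a suspected
# Pass-the-Ticket incident. Assumes the ActiveDirectory RSAT module, a session with
# rights to reset the user and to run remote commands; $User/$Hosts are placeholders.
param(
    [Parameter(Mandatory)] [string] $User,   # sAMAccountName of the affected user
    [string[]] $Hosts = @(),                  # endpoints that held the suspect ticket
    [switch] $ReEnable                        # re-enable the account when done
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 random bytes, Base64-encoded, as a throwaway reset value
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Stop new TGT issuance first.
Disable-ADAccount -Identity $User
Write-Host "[$User] account disabled"

# 2. Reset the password twice, as the reply recommends.
1..2 | ForEach-Object {
    Set-ADAccountPassword -Identity $User -Reset -NewPassword (New-RandomPassword)
}
Write-Host "[$User] password reset twice"

# 3. Already-issued tickets stay in the logon session's cache until that session
#    ends, so log the user off each affected host (same effect as the reply's
#    "force logoff", without a full reboot).
foreach ($h in $Hosts) {
    Invoke-Command -ComputerName $h -ScriptBlock {
        param($u)
        # quser columns: USERNAME SESSIONNAME ID STATE IDLE LOGON; '>' marks the caller
        $sessions = quser 2>$null | Select-String -Pattern "^\s*>?$u\s"
        foreach ($s in $sessions) {
            $id = ($s.Line -split '\s+' | Where-Object { $_ -match '^\d+$' })[0]
            if ($id) { logoff $id; Write-Host "[$env:COMPUTERNAME] logged off session $id" }
        }
    } -ArgumentList $User
}

# Golden Ticket suspected? Rotating KRBTGT (Set-ADAccountPassword -Identity krbtgt -Reset
# ... twice, spaced for replication) is intentionally not automated here; run it under
# change control as the reply describes.

if ($ReEnable) { Enable-ADAccount -Identity $User; Write-Host "[$User] account re-enabled" }
```

Run it from an admin workstation with `-User <account> -Hosts host1,host2`; leave `-ReEnable` off until the investigation confirms the account is clean.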