“Pass the key” attacks rely on the fact that Kerberos TGTs are granted based on an encrypted timestamp, so if we can get access to the keys used to encrypt it we can request TGTs as the corresponding user. Turns out that these keys also hang out in memory and can be extracted with Mimikatz:

privilege::debug
sekurlsa::ekeys

These keys can be injected into a command environment just like an NTLM hash, though you need to know which encryption type each key belongs to. For example, for an AES256 key:

token::revert
sekurlsa::pth /user:$TARGET_USER /domain:$TARGET_DOMAIN /aes256:$TARGET_USER_KERBEROS_KEY /run:"$FULL_COMMAND_INCLUDING_ARGUMENTS"

Other options include /aes128 and /rc4 for those encryption types, though RC4 isn’t something that you’re likely to see as it’s weak and disabled by default. (Because of a historical quirk, the RC4 key is not a separately derived key, but rather the user’s NTLM hash. So iff RC4 is enabled on a domain, then extracting a user’s NTLM hash is sufficient to request Kerberos TGTs as that user!)
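On the defender's side, the RC4 case above is visible in domain controller logs: event 4768 (TGT requested) records the ticket encryption type, and 0x17 is RC4. The following is an added example, not part of the original page; it flags RC4 TGT requests and marks accounts that had previously used AES. It assumes events have been exported as dictionaries keyed by the 4768 field names, and every record in it is constructed sample data.

```python
# Added example: flag RC4 TGT requests among Security event 4768 records.
# Assumption: events were exported as dicts keyed by the 4768 field names.

# Kerberos encryption type numbers as logged in TicketEncryptionType.
ETYPES = {0x11: "aes128", 0x12: "aes256", 0x17: "rc4"}

# Constructed sample records, in chronological order (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.30", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12"},
    # Failed requests log 0xFFFFFFFF as the encryption type.
    {"EventID": 4768, "TargetUserName": "carol", "IpAddress": "10.0.0.40", "TicketEncryptionType": "0xFFFFFFFF"},
    {"EventID": 4768, "TargetUserName": "Alice", "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17"},
    # Malformed record with no encryption type at all.
    {"EventID": 4768, "TargetUserName": "dave", "IpAddress": "10.0.0.50"},
]


def find_rc4_tgt_requests(events):
    """Return (user, source_ip, kind) for each TGT request that used RC4.

    kind is "downgrade" when the same account was seen earlier with an AES
    TGT, which is the stronger signal, and "rc4" otherwise.
    """
    seen_aes = set()
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768:          # only TGT requests
            continue
        try:
            code = int(ev.get("TicketEncryptionType", ""), 16)
        except ValueError:                      # missing or malformed field
            continue
        etype = ETYPES.get(code)                # None for failures/unknowns
        user = ev.get("TargetUserName", "").lower()
        if etype in ("aes128", "aes256"):
            seen_aes.add(user)
        elif etype == "rc4":
            kind = "downgrade" if user in seen_aes else "rc4"
            findings.append((user, ev.get("IpAddress"), kind))
    return findings


if __name__ == "__main__":
    for user, ip, kind in find_rc4_tgt_requests(SAMPLE_EVENTS):
        print(f"{kind:9} user={user} source={ip}")
```

A request made with a stolen AES key uses the same encryption type as normal logons, so this check covers only the RC4 case.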