Silver Ticket Attack Threat Overview:Forged Service Tickets

Silver Tickets enable an attacker to create forged service tickets (TGS tickets) that are used to access compromised service accounts. The Kerberos Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket that has been encrypted/signed by the service account configured with a Service Principal Name (SPN).

How a Silver Ticket Attack Works

The following is a summary of how the attack works:

1. Extract NTLM password hash for either a service account running a service on a computer or the computer account itself (e.g. via Kerberoasting or by obtain local administrator accounts on a host)
2. Using the Mimikatz command “kerberos::golden”, pass the Domain SID, Target host name, Service name, User name and Group information to create the Silver Ticket
3. Inject the fake ticket into memory and remotely access the target service

Important Notes about Silver Ticket Attacks:

• The attacker does not need to authenticate the account to the domain controller to obtain the forged TGS.
• The forged TGS ticket can be created on behalf of any user account
• The Privileged Attribute Certificate (PAC) within the TGS ticket can also be manipulated, elevating the account’s access to that of a Domain Administrator

Silver Ticket Video Tutorial

Watch this brief video of a Silver Ticket attack in action:

Mitigations, Detections, and Preventions for Silver Ticket Attack

Detecting Silver Tickets can be very difficult since this bypasses the entire TGT portion of authentication and cannot be monitored by looking at Domain Controller logs. The best way to prevent these attacks is to enforce proper security over service accounts to avoid having these accounts compromised to begin with. Monitoring for logon anomalies using local logon events, such as the one shown above, can also be effective in protecting your organization. Additional mitigation steps:

• Limit credential overlap across systems to prevent the damage of credential compromise
• Ensure that local administrator accounts have complex, unique passwords
• Do not allow a user to be a local administrator for multiple systems
• Limit domain admin account permissions to domain controllers and limited servers
• Delegate other admin functions to separate accounts

Addtional Resources

Silver Ticket Attacks Resources:

• https://blog.stealthbits.com/impersonating-service-accounts-with-silver-tickets/
• https://attack.mitre.org/techniques/T1097//

Related Attacks & Concepts:

• https://attack.stealthbits.com/how-golden-ticket-attack-works

Solutions:

• https://www.stealthbits.com/stealthaudit-for-active-directory-product
• https://www.stealthbits.com/stealthintercept-product