Silver Ticket Attack Threat Overview:Forged Service Tickets Silver Tickets enable an attacker to create forged service tickets (TGS tickets) that are used to access compromised service accounts. The Kerberos Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket that has been encrypted/signed by the service account configured with a Service Principal Name (SPN). How a Silver Ticket Attack Works The following is a summary of how the attack works: Extract NTLM password hash for either a service account
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DC’s for user password data.
By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.
DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.
By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.
Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.
Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.