Silver Ticket Attack. Threat Overview: Forged Service Tickets. Silver Tickets enable an attacker to create forged service tickets (TGS tickets) that are used to access compromised service accounts. The Kerberos Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket that has been encrypted/signed by the service account configured with a Service Principal Name (SPN). How a Silver Ticket Attack Works: The following is a summary of how the attack works: Extract NTLM password hash for either a service account
Group Policy Preferences allow administrators to create and manage local accounts on servers and workstations in an Active Directory domain. Attackers can easily find and obtain the encrypted passwords of administrative account credentials managed by Group Policy Preferences and decrypt them using the Microsoft-published AES key.
Password Spraying is a technique attackers leverage to guess the password of an account. By trying a small number of highly common passwords against large numbers of accounts while also staying below an organization’s defined lockout threshold, the attacker can compromise accounts without any elevated privileges and likely without detection.
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DCs for user password data.
Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.
Threat (Privilege Escalation): Forged PAC is a privilege escalation method that allows an attacker to forge the Privilege Account Certificate (PAC) in a Kerberos ticket to gain access to resources they didn’t previously have. How Forged PAC Works Using a Silver Ticket: An attacker gains access to a service account password or password hash using any number of methods, including Kerberoasting, DCSync, LSASS Injection or NTDS.dit Compromise. If the attacker has a password, then they need to