Steal or Forge Kerberos Tickets: Silver Ticket

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.[1]

Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.[2]

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

ID: T1558.002
Sub-technique of: T1558
Platforms: Windows
Permissions Required: User
Version: 1.0
Created: 11 February 2020
Last Modified: 25 March 2020

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.[3]

S0363 Empire

Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.[4]

S0002 Mimikatz

Mimikatz's kerberos module can create silver tickets.[5]

S1071 Rubeus

Rubeus can create silver tickets.[6]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[7]

M1027 Password Policies

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[7] Also consider using Group Managed Service Accounts or another third-party product such as password vaulting.[7]

M1026 Privileged Account Management

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[7]

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Metadata

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).
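As an added example (not part of the ATT&CK page and not code from any of the tools listed above), the following Python sketch applies the DS0028 detection idea to constructed 4624, 4634 and 4672 records: it flags Kerberos network logons whose domain or user fields are blank or do not look like a NetBIOS domain name, flags blank fields in the matching logoff and privilege-assignment events, and groups findings by logon id so an analyst sees the whole session. The field names follow the Windows Security log schema; the sample records, the EXPECTED_DOMAIN value and the "domain field should be a short NetBIOS name" heuristic are assumptions made for this example.

```python
import re

# Assumption: NetBIOS name of the monitored domain (a real deployment would
# read this from configuration or from the domain controller).
EXPECTED_DOMAIN = "CORP"

# A NetBIOS domain name is at most 15 characters with no dots; a fully
# qualified name or an empty string in this field is treated as malformed.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")

# Constructed sample events modelled on Security log fields for Event IDs
# 4624 (logon), 4634 (logoff) and 4672 (special privileges assigned).
# These are not real log records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc_mssql", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3E7A1", "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "administrator", "TargetDomainName": "",
     "TargetLogonId": "0x4B2C9", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "administrator", "TargetDomainName": "corp.example.local",
     "TargetLogonId": "0x4B2D0", "IpAddress": "10.0.0.77"},
    {"EventID": 4672, "SubjectUserName": "administrator", "SubjectDomainName": "",
     "SubjectLogonId": "0x4B2C9"},
    {"EventID": 4634, "TargetUserName": "svc_mssql", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3E7A1"},
]


def check_event(ev, expected_domain=EXPECTED_DOMAIN):
    """Return a list of reasons why this event looks anomalous (empty if clean)."""
    reasons = []
    eid = ev.get("EventID")
    if eid == 4624:
        # A forged service ticket is presented straight to the service, so the
        # resulting logon on the service host is a network (type 3) Kerberos logon.
        if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName") != "Kerberos":
            return reasons
        dom = ev.get("TargetDomainName", "")
        user = ev.get("TargetUserName", "")
        if not dom:
            reasons.append("blank TargetDomainName on Kerberos network logon")
        elif not NETBIOS_RE.match(dom):
            reasons.append(f"malformed TargetDomainName {dom!r} (expected NetBIOS name)")
        elif dom.upper() != expected_domain.upper():
            reasons.append(f"unexpected domain {dom!r} on Kerberos network logon")
        if not user:
            reasons.append("blank TargetUserName on Kerberos network logon")
    elif eid in (4634, 4672):
        # 4634 uses Target* fields, 4672 uses Subject* fields.
        prefix = "Target" if eid == 4634 else "Subject"
        if not ev.get(f"{prefix}DomainName", ""):
            reasons.append(f"blank {prefix}DomainName in event {eid}")
        if not ev.get(f"{prefix}UserName", ""):
            reasons.append(f"blank {prefix}UserName in event {eid}")
    return reasons


def scan(events, expected_domain=EXPECTED_DOMAIN):
    """Group anomaly reasons by logon id so one forged session is reported once."""
    findings = {}
    for ev in events:
        reasons = check_event(ev, expected_domain)
        if reasons:
            logon_id = ev.get("TargetLogonId") or ev.get("SubjectLogonId") or "unknown"
            findings.setdefault(logon_id, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for logon_id, reasons in scan(SAMPLE_EVENTS).items():
        print(logon_id)
        for r in reasons:
            print("   ", r)
```

Run against the constructed records, the clean svc_mssql session (0x3E7A1) produces nothing, while the two administrator sessions are reported: one for a blank domain field on the logon and on the matching 4672 event, the other for a domain field holding a fully qualified name where a NetBIOS name is expected. Because the page notes that silver tickets never touch the KDC, there will be no corresponding 4768/4769 events on the domain controller, so these host-side logon events are where the anomaly has to be caught.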

References