T1558.002 Silver Ticket
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.1
Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.2
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
| Item | Value |
|---|---|
| ID | T1558.002 |
| Sub-techniques | T1558.001, T1558.002, T1558.003, T1558.004 |
| Tactics | TA0006 |
| Platforms | Windows |
| Permissions required | User |
| Version | 1.0 |
| Created | 11 February 2020 |
| Last Modified | 25 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0677 | AADInternals | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.7 |
| S0363 | Empire | Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.5 |
| S0002 | Mimikatz | Mimikatz‘s kerberos module can create silver tickets.8 |
| S1071 | Rubeus | Rubeus can create silver tickets.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Encrypt Sensitive Information | Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.4 |
| M1027 | Password Policies | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.4 Also consider using Group Managed Service Accounts or another third party product such as password vaulting.4 |
| M1026 | Privileged Account Management | Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.4 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0028 | Logon Session | Logon Session Metadata |
References
-
Sean Metcalf. (2015, November 17). How Attackers Use Kerberos Silver Tickets to Exploit Systems. Retrieved February 27, 2020. ↩
-
Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. ↩
-
French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. ↩
-
Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. ↩↩↩↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. ↩
-
Deply, B., Le Toux, V.. (2016, June 5). module ~ kerberos. Retrieved March 17, 2020. ↩