Skip to content

T1558.002 Silver Ticket

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.1

Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.2

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

Item Value
ID T1558.002
Sub-techniques T1558.001, T1558.002, T1558.003, T1558.004
Tactics TA0006
Platforms Windows
Permissions required User
Version 1.0
Created 11 February 2020
Last Modified 25 March 2020

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.7
S0363 Empire Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.5
S0002 Mimikatz Mimikatz‘s kerberos module can create silver tickets.8
S1071 Rubeus Rubeus can create silver tickets.6


ID Mitigation Description
M1041 Encrypt Sensitive Information Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.4
M1027 Password Policies Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.4 Also consider using Group Managed Service Accounts or another third party product such as password vaulting.4
M1026 Privileged Account Management Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.4


ID Data Source Data Component
DS0028 Logon Session Logon Session Metadata