Steal or Forge Kerberos Tickets: Silver Ticket

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.[1]

Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.[2]

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

ID: T1558.002
Sub-technique of:  T1558
Platforms: Windows
Permissions Required: User
Version: 1.0
Created: 11 February 2020
Last Modified: 25 March 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
S0363 Empire

Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.[3]

S0002 Mimikatz

Mimikatz's kerberos module can create silver tickets.[4]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[5]

M1027 Password Policies

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[5] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[5]

M1026 Privileged Account Management

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[5]

Detection

ID Data Source Data Component
DS0028 Logon Session Logon Session Metadata

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).[2]

Monitor for unexpected processes interacting with lsass.exe.[6] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.

References