T1558.002: Silver Ticket
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.
Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
active_directory_attacks: PT-CR-836: Kerberos_Silver_Ticket: A Silver Ticket attack has been detected, allowing an attacker to obtain a TGS ticket to access a certain service on behalf of any user. Using the received TGS ticket allows an attacker to escalate privileges and completely compromise the node.
active_directory_attacks: PT-CR-838: ShadowCred_Used: The use of the msds-keycredentiallink attribute to authorize a machine account in a domain without using a password was detected. This is a sign of KrbRelayUp being used to locally elevate privileges via Shadow Credentials. An attacker can use this to obtain the credentials of other users and move laterally to other infrastructure nodes.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0028 | Logon Session: Logon Session Metadata | Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). |
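The detection guidance above is abstract; the following added example (not part of the ATT&CK page or any Positive Technologies rule) shows the kind of check a SIEM rule would run over 4624 logon events: flag Kerberos network logons whose account, domain, SID or source-address fields are blank, or whose domain string does not match the NetBIOS name the KDC would have issued. The expected domain name and the sample events are constructed for the example.

```python
from typing import Dict, List

EXPECTED_DOMAIN = "CORP"  # assumed NetBIOS name of the monitored domain (constructed)
REQUIRED = ("TargetUserName", "TargetDomainName", "TargetUserSid", "IpAddress")

# Constructed sample 4624 events (subset of fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_sql",
     "TargetDomainName": "CORP", "TargetUserSid": "S-1-5-21-111-222-333-1105", "IpAddress": "10.0.0.5"},
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator",
     "TargetDomainName": "", "TargetUserSid": "S-1-5-21-111-222-333-500", "IpAddress": "10.0.0.77"},
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "TargetUserName": "jdoe",
     "TargetDomainName": "corp.local", "TargetUserSid": "S-1-5-21-111-222-333-1106", "IpAddress": "10.0.0.8"},
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM", "TargetUserName": "backup",
     "TargetDomainName": "", "TargetUserSid": "S-1-5-21-111-222-333-1200", "IpAddress": "10.0.0.9"},
]


def anomalies_for(event: Dict[str, str], expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return the reasons one logon event looks malformed; an empty list means it looks normal."""
    reasons: List[str] = []
    if event.get("EventID") != "4624" or event.get("AuthenticationPackageName") != "Kerberos":
        return reasons  # only Kerberos logons are in scope for this check
    for field in REQUIRED:
        if not event.get(field, "").strip():
            reasons.append(f"blank {field}")
    domain = event.get("TargetDomainName", "")
    if domain and domain != expected_domain:
        # Heuristic: a KDC-issued ticket yields the NetBIOS domain name here; an FQDN,
        # odd casing or a foreign name is worth a look because forged tickets need not match.
        reasons.append(f"unexpected TargetDomainName {domain!r}")
    sid = event.get("TargetUserSid", "")
    if sid and not sid.startswith("S-1-5-21-"):
        reasons.append(f"non-domain TargetUserSid {sid!r}")
    return reasons


def find_anomalous_logons(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the checks over a batch of events and return the hits with their reasons."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        reasons = anomalies_for(ev)
        if reasons:
            hits.append({"user": ev["TargetUserName"], "ip": ev["IpAddress"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_anomalous_logons(SAMPLE_EVENTS):
        print(hit)
```

In production the same checks would be fed from the 4624 XML or a log pipeline rather than a literal list, and hits should be correlated with 4634/4672 events for the same logon ID before alerting.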
Mitigation
| ID | Name | Description |
|---|---|---|
| M1027 | Password Policies | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third-party product such as password vaulting. |
| M1026 | Privileged Account Management | Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. |
| M1041 | Encrypt Sensitive Information | Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. |