MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1558.002: Silver Ticket

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.

Silver tickets are more limited in scope than golden tickets: they only grant access to a particular resource (e.g. MSSQL) and the system that hosts it. However, unlike golden tickets, forged silver tickets are presented directly to the service, so adversaries can create and use TGS tickets without ever interacting with the Key Distribution Center (KDC), potentially making detection more difficult.

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

active_directory_attacks: PT-CR-836: Kerberos_Silver_Ticket: A Silver Ticket attack has been detected: the attacker forged a TGS ticket for a specific service on behalf of an arbitrary user. With the forged TGS ticket the attacker can escalate privileges and fully compromise the host
active_directory_attacks: PT-CR-838: ShadowCred_Used: Use of the msDS-KeyCredentialLink attribute to authenticate a machine account in the domain without a password was detected. This indicates KrbRelayUp being used for local privilege escalation via Shadow Credentials. An attacker can use this to obtain other users' credentials and move laterally to other hosts in the infrastructure

Detection

ID: DS0028
Data source and component: Logon Session: Logon Session Metadata
Description: Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). Because a forged TGS never touches the KDC, the domain controller records no corresponding 4768/4769 request for it; the anomalous logon appears in the event log of the host running the targeted service, so those hosts, not only the domain controllers, must be forwarded to the SIEM.
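The following Python is an added example, not MaxPatrol SIEM content or rule code, of what "malformed or blank fields" in a 4624 event looks like as detection logic. It assumes a constructed environment (NetBIOS domain LAB, a made-up domain SID) and three heuristics that are assumptions, not claims from the page: a Kerberos network logon (LogonType 3) whose TargetDomainName is blank, is written as a DNS name instead of the NetBIOS name a domain controller normally issues, or whose TargetUserSid does not belong to the domain. The sample records are constructed, SIEM-normalised lines using the real 4624 XML field names, not real telemetry.

```python
from typing import Dict, List, Tuple

# Assumed environment facts (constructed for this example).
EXPECTED_NETBIOS_DOMAIN = "LAB"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed, SIEM-normalised 4624/4634 records (real XML field names, fake data).
SAMPLE_EVENTS = [
    # Benign Kerberos network logon: NetBIOS domain, SID from this domain.
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=alice "
    "TargetDomainName=LAB TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1104 IpAddress=10.0.0.15",
    # Suspicious: domain written as a DNS name rather than the NetBIOS name.
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=Administrator "
    "TargetDomainName=LAB.LOCAL TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-500 IpAddress=10.0.0.77",
    # Suspicious: blank domain field and a SID that does not belong to this domain.
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=sqladmin "
    "TargetDomainName= TargetUserSid=S-1-5-21-9999999999-8888888888-7777777777-500 IpAddress=10.0.0.77",
    # NTLM logon: out of scope for a Kerberos ticket heuristic.
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=bob "
    "TargetDomainName=LAB TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1105 IpAddress=10.0.0.16",
    # Logoff event: ignored by this rule.
    "EventID=4634 LogonType=3 TargetUserName=alice TargetDomainName=LAB "
    "TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1104",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value Key=Value ...' into a dict; an empty value is kept as ''."""
    fields: Dict[str, str] = {}
    for token in line.split():          # sample values contain no spaces
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def silver_ticket_indicators(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 4624 record looks like a forged service ticket.

    Only Kerberos network logons are assessed: a silver ticket is presented
    straight to the service, so it shows up as LogonType 3 with package
    Kerberos on the service host. The field checks below are heuristics
    assumed for this example, not a complete rule.
    """
    if event.get("EventID") != "4624":
        return []
    if event.get("LogonType") != "3" or event.get("AuthenticationPackageName") != "Kerberos":
        return []
    reasons: List[str] = []
    domain = event.get("TargetDomainName", "")
    sid = event.get("TargetUserSid", "")
    if domain in ("", "-"):
        reasons.append("blank TargetDomainName")
    elif "." in domain:
        reasons.append(f"TargetDomainName is a DNS name ({domain}), expected NetBIOS")
    elif domain.upper() != EXPECTED_NETBIOS_DOMAIN:
        reasons.append(f"unexpected TargetDomainName {domain}")
    if not sid.startswith(DOMAIN_SID + "-"):
        reasons.append(f"TargetUserSid {sid} is not from this domain")
    return reasons


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (user, source IP, reasons) for every record with at least one indicator."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        ev = parse_event(line)
        reasons = silver_ticket_indicators(ev)
        if reasons:
            hits.append((ev.get("TargetUserName", ""), ev.get("IpAddress", ""), reasons))
    return hits


if __name__ == "__main__":
    for user, ip, reasons in scan(SAMPLE_EVENTS):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

Run stand-alone it reports the Administrator and sqladmin logons from 10.0.0.77 and stays silent on the benign, NTLM and 4634 records. In a real deployment the stronger check is correlation: a Kerberos 4624 on the service host with no matching 4769 for that user and service on any domain controller in the preceding ticket lifetime, which this field-only example does not attempt.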

Mitigation

ID: M1027
Name: Password Policies
Description: Ensure strong password length (ideally 25+ characters) and complexity for service accounts, and rotate these passwords periodically. Also consider Group Managed Service Accounts (gMSA), which rotate long random passwords automatically, or a third-party password vaulting product.

ID: M1026
Name: Privileged Account Management
Description: Limit service accounts to the minimum required privileges and keep them out of privileged groups such as Domain Admins, so that a forged ticket for the service does not also yield domain-wide rights.

ID: M1041
Name: Encrypt Sensitive Information
Description: Enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible. Note that this raises the bar rather than removing the technique: an adversary who holds the service account's AES key can still forge tickets, so it complements the password and privilege controls above.