Silver Ticket

Silver Tickets are forged Kerberos service tickets (TGS) that allow attackers to authenticate to specific services without ever interacting with a Domain Controller (DC), making them a highly stealthy technique. Unlike Golden Tickets, which target the Kerberos TGT and require the krbtgt hash for domain-wide impersonation, Silver Tickets focus on a narrower scope: service-level access on a specific host. The attack hinges on the compromise of a service account’s secret—typically its NTLM hash or AES key.

When a client requests access to a service via Kerberos, the DC issues a TGS encrypted with the service account’s key. However, if an attacker already possesses this key—often extracted from memory using tools like Mimikatz—they can forge a TGS offline. Since the target service only verifies the ticket using its own key and doesn’t consult the DC, forged Silver Tickets can appear entirely legitimate from the service’s perspective.

Figure: the Kerberos authentication process (image taken from here).

In practice, this allows red teamers to impersonate any user, including privileged ones, when accessing services like SMB (CIFS) and HTTP (e.g., for WinRM). For instance, compromising a machine account (e.g., dcorp-dc$), which often runs various services, can unlock broad access to services hosted on that system. These machine accounts rotate their passwords every 30 days by default, limiting the long-term usefulness of the ticket for persistence, but offering a powerful short-term privilege escalation vector.

Service (SPN)   Provides Access To
HTTP            WinRM (Windows Remote Management)
CIFS            File system (SMB shares)
HOST            Scheduled tasks, remote service control, WMI (partial, combined with RPCSS)
RPCSS           WMI (combined with HOST), DCOM/RPC endpoint mapper
LDAP            DCSync (requires elevated permissions)

The effectiveness of Silver Ticket attacks is often boosted by the lack of strict Privilege Attribute Certificate (PAC) validation on many services. Without PAC validation, services accept forged tickets without verifying user group memberships with the DC. While Microsoft introduced PAC_REQUESTOR validation post-October 2022 to mitigate such attacks—especially for non-existent users—this check is not universally enforced, particularly on non-critical services.

Once injected into memory, the forged ticket allows immediate access to the target service as the specified user. The attack remains largely undetected by traditional DC-side logging, as the ticket is never requested from the DC. This OPSEC-safe nature makes it attractive for stealth operations, and many detection platforms, including Microsoft Defender for Identity (MDI), may overlook such activity since AP-REQ traffic doesn’t always raise flags.
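Because the forged TGS is never requested from a DC, the one signal the DC-side log does carry is an absence: a Kerberos network logon on the service host with no matching 4769 on any DC. The following is an added defender-side correlation example, not code from the original page; the event records are constructed samples with the fields the real 4769/4624 events carry, and the 10-hour window is an assumption based on the default maximum service-ticket lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). DC-side 4769 = service ticket issued;
# host-side 4624 = network logon (LogonType 3) authenticated with Kerberos.
DC_EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T10:00:05",
     "TargetUserName": "alice@DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "DCORP-DC$"},
]
HOST_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T10:00:07", "TargetUserName": "alice",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3},
    {"EventID": 4624, "Time": "2024-05-01T10:30:00", "TargetUserName": "Administrator",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3},
]

# Assumed: a legitimately issued TGS may be reused for up to its lifetime (10 h by default),
# so a 4769 anywhere in that window explains a later logon on the host.
WINDOW = timedelta(hours=10)


def _ts(s):
    return datetime.fromisoformat(s)


def _user(name):
    # Normalise 'alice@REALM', 'DOMAIN\\alice' and 'alice' to a lowercase bare name
    return name.split("@")[0].split("\\")[-1].lower()


def find_unrequested_kerberos_logons(dc_events, host_events, host_account, window=WINDOW):
    """Return host-side Kerberos network logons (4624) for which no DC issued a
    service ticket (4769) for this host's account to the same user within
    `window` beforehand. A forged Silver Ticket produces no 4769 on any DC,
    so such orphan logons are candidates for triage."""
    issued = [(_user(e["TargetUserName"]), _ts(e["Time"])) for e in dc_events
              if e["EventID"] == 4769 and e["ServiceName"].upper() == host_account.upper()]
    orphans = []
    for e in host_events:
        if (e["EventID"] != 4624 or e.get("LogonType") != 3
                or e.get("AuthenticationPackageName") != "Kerberos"):
            continue
        t, user = _ts(e["Time"]), _user(e["TargetUserName"])
        if not any(u == user and t - window <= ti <= t for u, ti in issued):
            orphans.append(e)
    return orphans


if __name__ == "__main__":
    for e in find_unrequested_kerberos_logons(DC_EVENTS, HOST_EVENTS, "DCORP-DC$"):
        print(f"no TGS issued for {e['TargetUserName']} before logon at {e['Time']}")
```

The check only works if 4769 events are collected from every DC and retained for at least the ticket lifetime; a gap in DC log coverage produces the same absence as a forged ticket.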

Tools

A service ticket can be forged with Rubeus. Similar to the Golden Ticket attack, the /ldap flag is used to query the DC for user information:

# Forge a ST with Rubeus
.\Rubeus.exe silver /service:http/dcorp-dc.dollarcorp.moneycorp.local /rc4:<rc4> /sid:<domainSID> /ldap /user:Administrator /domain:dollarcorp.moneycorp.local /ptt
