Silver Ticket attacks use counterfeit ticket-granting service (TGS) tickets on compromised systems joined to an Active Directory domain in order to maintain persistence and carry out unlawful activity without raising alarms. Because a forged ticket looks like an ordinary service ticket, attackers can remain undetected for extended periods.
These attacks bypass security measures such as Privileged Account Management solutions and MFA by exploiting the Kerberos protocol rather than user accounts. Elastic Security helps counter them by analyzing logon events and ticket timestamps and scanning for suspicious access patterns.
What is a Silver Ticket Attack?
Silver Ticket attacks exploit weaknesses in Kerberos, the network authentication protocol that validates service requests using secret-key cryptography. They share some characteristics with Golden and Diamond Ticket attacks; however, a Silver Ticket targets only one service rather than the whole domain at once. The author considers this a more dangerous threat because most cybersecurity measures, such as MFA and firewalls, cannot stop it.
Attackers can use tools such as Mimikatz or Kerberoast to recover the password hashes of computer or service accounts and then forge ticket-granting service (TGS) tickets that grant access to those services without ever contacting the domain controller (DC).
Avoiding attacks of this nature requires that all users have passwords of at least 30 characters that are changed regularly, that security best practices for services are implemented, and that Privilege Attribute Certificate (PAC) validation is enabled for Kerberos. Varonis monitors for such attacks, alerting on anomalous activity along the attack kill chain, such as lateral movement or privilege escalation, as well as on attempts to forge authentication tickets.
How Does a Silver Ticket Attack Work?
Silver Ticket attacks use Kerberos protocol weaknesses to gain privileged access to domain-joined systems. A service ticket is presented directly to the target service rather than to the DC, and the service relies on the ticket's Privilege Attribute Certificate (PAC) to decide what the caller may do; unless PAC validation is enabled, nothing checks the forged ticket against the DC. This is what makes such tickets easy to forge and hard to detect.
As part of their attack strategy, attackers must collect information on both the target service and the local user or computer account that hosts it. This can be achieved with OS credential-dumping tools like Mimikatz, or by installing malware that gathers password hashes and the SPNs of the targeted services.
Once attackers possess this information, they can use a tool to obtain the local NTLM hash and recover the password. They then forge a Kerberos ticket-granting service (TGS) ticket and present it to the targeted service for authentication.
Varonis can help organizations recognize the signs of a Silver Ticket attack in progress and protect against it by monitoring user accounts, servers and network defenses, and by analyzing that activity for anomalies that might indicate lateral movement, privilege escalation or ticket forgery. Request a demo to learn how the security analytics solution detects anomalous patterns such as Silver Ticket attacks.
Step 1. Gather information
To create a Silver Ticket, attackers must first gain entry to an unprotected computer via phishing campaigns, malware infections or misconfigured IT assets with exploitable vulnerabilities. Once inside, they use tools like Mimikatz to obtain service account password hashes as well as the SPN and domain details such as the domain name and the domain Security Identifier (SID).
Once they possess this information, attackers can create TGS tickets using the stolen hash and authenticate with services directly, bypassing KDC authentication. They can then use these fraudulent tickets to elevate privileges until they gain full control of the environment.
To combat these attacks, organizations should implement privileged account management solutions with strong encryption algorithms and password policies that prohibit password reuse and encourage frequent password changes. Furthermore, administrative privileges should not be shared across security boundaries, and OS features that support such attacks should be disabled. Lastly, a SIEM solution should be configured to respond automatically to alerts of Silver Ticket activity, for example by disabling compromised accounts or requiring MFA as soon as such activity is detected.
Step 2. Use a tool to obtain the local NTLM hash
As with any cyberattack, it is crucial to detect and thwart the attack before it compromises your data. To do so effectively, you need to monitor the attack as it unfolds, understand how the attackers operate and block their efforts before they spread further. Security information and event management (SIEM) solutions such as Elastic Security, together with tools such as Swimlane SOAR and CyberArk PAM, can help detect IoCs associated with Silver Ticket attacks early enough to contain them before they spread.
Attackers use tools like Mimikatz or offline cracking techniques (such as Kerberoasting) to uncover a service's local NTLM hash (password hash), often obtained by compromising either the Security Account Manager or the local service account. Once they possess this hash, attackers can generate ticket-granting service (TGS) tickets that allow them to authenticate to that host and service.
To prevent Silver Ticket attacks, organizations should follow a least-privilege approach, restricting user and administrator accounts to what they need; enforce two-factor authentication (2FA); and regularly patch and monitor the network. Varonis security analytics ingest activity data from both the perimeter and the enterprise domain to detect abnormal behaviors, like lateral movement or privilege escalation, that may indicate an attack attempt.
Step 3. Obtain the unencrypted password from NTLM
Attackers may gain low-level access to an environment via phishing campaigns, malware infections or misconfigured IT assets. Once they control a system, they can use tools like Mimikatz to dump local NTLM hashes from Security Account Manager (SAM) accounts or service accounts in order to recover the plaintext passwords of targeted services.
Once an attacker obtains the password, they can create their own Kerberos ticket-granting service (TGS) ticket and authenticate to the target system. Because the target service does not validate the ticket with the DC, it will trust any forged ticket presented as an authentication token, giving the attacker free rein to move laterally across the compromised environment or elevate privileges up to Domain Administrator level.
Detecting Silver Ticket attacks requires a multi-layered security strategy. To minimize risk, enterprises should ensure service accounts do not store sensitive information; enforce strong password policies for both users and service accounts; implement least-privilege models; audit for lateral movement across the network; and enable TGS ticket validation. A comprehensive enterprise data protection platform such as Varonis can assist by classifying accounts as user, service or privileged and alerting on anomalous activity that could indicate an attack attempt.
Step 4. Forge a Kerberos ticket-granting service (TGS) ticket
Attackers can now use the gathered information to forge a Kerberos ticket-granting service (TGS) ticket. To do this, they compromise an account linked to the target service, typically the computer account, create the TGS ticket, and use it to authenticate against services and move laterally across the compromised network environment.
To forge a TGS ticket, attackers need both the password hash and the service principal name of the target service, which they can obtain either by breaking into end-user accounts or by deploying tools such as Mimikatz.
An effective monitoring and detection system that includes intrusion detection, anomaly detection and log analysis can help identify attacks in progress early. Security best practices such as strong password requirements and two-factor authentication for all accounts, managed service accounts with the minimum privileges needed to perform their functions, and PAC validation on TGS requests can significantly lower the effectiveness of Silver Tickets. Requiring 2FA to log in to Active Directory can also stop an attack from escalating beyond the initially targeted host to other servers in the domain.
Step 5. Use the forged tickets for financial gain
Organizations can use monitoring and detection mechanisms to spot suspicious activity, including Silver Ticket attacks. Measures include Privileged Account Management solutions that restrict the use of stolen passwords, and network segmentation to limit lateral movement. Adding two-factor authentication (2FA) may lessen the impact by requiring another layer of verification before sensitive data can be accessed.
What Can Attackers Do With a Silver Ticket?
Although not as powerful as Golden Tickets, Silver Tickets allow attackers to create fake ticket-granting service (TGS) tickets on compromised systems, bypassing most cybersecurity measures, including Privileged Account Management solutions that limit the use of stolen passwords, Multi-Factor Authentication (MFA), and OS exploit mitigations such as Windows ATP lockout or UEFI BIOS lockout solutions.
Once attackers hold stolen hashes from service accounts, they can use them to forge TGS tickets that grant entry to specific services. This is particularly dangerous because most services do not verify the signatures in TGS tickets, allowing adversaries to use the forged tickets to move laterally across the network.
Organizations can combat Silver Ticket attacks by deploying robust monitoring and detection mechanisms. They should also raise security awareness through training programs to reduce the risk of phishing and password reuse, implement least-privilege models that limit local user, administrator and service account privileges to what is necessary, and use strong encryption to protect credentials against offline cracking by malware.
Defending Against a Silver Ticket Attack
To launch a Silver Ticket attack, attackers must first gain control of a system in the environment through a malware infection or another cyberattack. Once in, they can use tools like Mimikatz to gather data such as the domain security identifier and the DNS name of the targeted services.
Once an attacker obtains a service ticket, they can create TGS tickets to escalate privileges across the network, bypassing most cybersecurity measures, including Privileged Account Management and MFA solutions.
How to Defend Yourself from a Silver Ticket Attack?
Defense against Silver Ticket attacks requires diligence, the right tools and an effective approach. Varonis can help recognize suspicious activity by classifying accounts as user, service or privileged and comparing current activity against past patterns; this helps identify suspicious lateral movement or privilege escalation and alert you accordingly.
To carry out this attack, attackers first gain control of a system through phishing campaigns, exploitation of vulnerable or misconfigured IT assets, or malware infections. Once in control, they use Mimikatz or similar tools to obtain and crack NTLM hashes.
TGS tickets let attackers access services that do not verify ticket signatures. This makes Silver Ticket attacks harder to detect than Golden Ticket attacks, because the logon is logged only locally on each computer involved rather than on the DC.
What is Kerberoast?
Kerberoast attacks are advanced penetration techniques in which an attacker on a compromised, network-connected system uses Mimikatz to extract service tickets and then cracks the associated password hashes offline, bypassing authentication and enabling lateral movement across the network.
Attackers gain entry to privileged accounts either by exploiting one of your domain users or by purchasing user credentials on the dark web. Once inside, they use the forged ticket to authenticate to any service in the network at a lower permission level, manipulating the TGS to elevate privileges or steal more sensitive data.
The threat posed by this form of attack is compounded by the high privileges often granted to service accounts, which let attackers move laterally through the network more easily. Organizations can reduce the threat by following the principle of least privilege and granting administrator permissions to service accounts sparingly.
Mitigation Strategies for Silver Ticket Attacks
Silver Ticket attacks pose a substantial threat to network security, and detecting them requires diligent monitoring and the appropriate tools.
Adversaries use tools like Mimikatz to harvest credentials from compromised endpoints and extract the password hash and SPN of targeted services, then create ticket-granting service (TGS) tickets for those services to gain unauthorized entry to servers. This lets them move laterally across the compromised environment while escalating privileges or exploiting further vulnerabilities down the chain.
Implementing a least-privilege model for service accounts, auditing password reuse, and mandating strong passwords are three effective strategies for lowering the risk of an attack. Varonis security analytics track anomalous activity within Active Directory and data storage, such as lateral movement, privilege escalation or other suspicious activity, and alert when such events arise.
How to Respond to a Silver Ticket Attack?
The Silver Ticket attack is an advanced cyberattack that takes advantage of weaknesses in Kerberos authentication to gain unauthorized access to targeted services and engage in illegal activity, such as lateral movement or data exfiltration, without raising alarms. By forging ticket-granting service (TGS) tickets, attackers gain entry without any request reaching the domain controller.
An adversary wishing to generate a Silver Ticket must first obtain the target service account's NTLM hash; this can be accomplished using OS credential-dumping techniques such as Mimikatz or by exploiting compromised hosts.
Once an attacker holds an individual service account's NTLM password hash, they can use it to generate a TGS ticket without ever speaking to the DC, which makes the attack harder to detect: network taps and SPAN port devices will not catch it reliably. To stay vigilant, organizations must monitor local logon events and use threat detection technologies that search for indicators of compromise (IoCs) across individual hosts in order to detect anomalies and potential compromises.
This attack can be much harder to detect than its Golden Ticket counterpart, as it requires exploiting a user with greater privilege in your domain. With this method, adversaries can forge TGS tickets and access services they would not normally be able to reach with Golden Tickets alone.
Both Blue and Red teams must understand this type of attack, how it works, and the mitigation controls that can be put in place to defend against it. A reliable log collection service that analyzes Windows security logs and can identify fraudulent tickets is also recommended.
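The host-side correlation described above, as an added example that is not code from the page or from any vendor it mentions: it takes constructed, already-parsed 4624 logon events from a member server and 4769 service-ticket events from the DC, and flags Kerberos network logons that either lack a corresponding TGS issuance on the DC within the ticket lifetime or carry an unexpected Account Domain value. Field names follow the Windows event XML; the NETBIOS_DOMAIN value, the sample host FILESRV01 and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Expected NetBIOS domain name (constructed for this example).
NETBIOS_DOMAIN = "CORP"
# A legitimate Kerberos network logon should be preceded, within the maximum
# service-ticket lifetime, by a 4769 on the DC for the same user and service.
TICKET_LIFETIME = timedelta(hours=10)

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events, as a log collector would parse them from the
# Windows Security log (field names follow the 4624/4769 event XML).
DC_EVENTS = [  # 4769: Kerberos service ticket requested (logged on the DC)
    {"time": ts("2024-05-01 08:00:00"), "EventID": 4769,
     "TargetUserName": "jdoe", "ServiceName": "FILESRV01$"},
]
HOST_EVENTS = [  # 4624: logon succeeded (logged on the member server)
    {"time": ts("2024-05-01 08:00:05"), "EventID": 4624, "Computer": "FILESRV01",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    {"time": ts("2024-05-01 13:42:10"), "EventID": 4624, "Computer": "FILESRV01",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "administrator", "TargetDomainName": "corp.example.com"},
]

def tgs_issued(logon, dc_events):
    """True if the DC logged a 4769 for this user and the host's computer
    account (the service a forged ticket targets) within TICKET_LIFETIME
    before the logon."""
    service = logon["Computer"].upper() + "$"
    for ev in dc_events:
        if (ev["EventID"] == 4769
                and ev["TargetUserName"].lower() == logon["TargetUserName"].lower()
                and ev["ServiceName"].upper() == service
                and timedelta(0) <= logon["time"] - ev["time"] <= TICKET_LIFETIME):
            return True
    return False

def find_suspicious_logons(host_events, dc_events):
    """Return (event, reasons) for Kerberos network logons that look forged."""
    findings = []
    for ev in host_events:
        if ev["EventID"] != 4624 or ev["AuthenticationPackageName"] != "Kerberos":
            continue
        reasons = []
        if ev["LogonType"] == 3 and not tgs_issued(ev, dc_events):
            reasons.append("no matching 4769 TGS request on the DC")
        # Heuristic: forged tickets often carry the DNS domain name or an
        # empty string where Windows would record the NetBIOS domain name.
        if ev["TargetDomainName"].upper() != NETBIOS_DOMAIN:
            reasons.append(f"unexpected Account Domain {ev['TargetDomainName']!r}")
        if reasons:
            findings.append((ev, reasons))
    return findings
```

A gap in DC log collection produces the same "no matching 4769" finding as a forged ticket, so treat the output as triage input and confirm against the DC's own audit coverage for the window.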
Both of these attacks require the compromise of Tier-0 accounts, making security hygiene for those accounts all the more crucial for reducing privilege abuse and safeguarding data integrity. Furthermore, restricting logon hours via an Active Directory GPO could prevent attackers from using forged tickets outside those hours.