Silver Ticket

Information

• Name: Silver Ticket

• ID: T1558.002

• Tactics: TA0006

• Technique: T1558

Introduction

Silver Ticket attacks (MITRE ATT&CK sub-technique T1558.002) involve forging Kerberos authentication tickets using compromised service account credentials, specifically the service account's NTLM hash. Unlike Golden Tickets, which are forged Ticket Granting Tickets (TGTs), Silver Tickets are forged Ticket Granting Service (TGS) tickets, granting attackers unauthorized access to specific services on a network without interacting directly with the Key Distribution Center (KDC). This technique enables attackers to maintain persistence and access resources stealthily within an Active Directory environment.

Deep Dive Into Technique

Silver Ticket attacks exploit the Kerberos authentication mechanism by creating forged TGS tickets using the NTLM hash of a compromised service account. The attacker must first obtain the NTLM hash of the service account associated with a specific service (such as HTTP, CIFS, MSSQL, or LDAP). Once the hash is acquired, attackers can craft a valid-looking TGS ticket offline, without communicating directly with the domain controller (KDC).

Technical Steps:

1. Hash Extraction: Attackers compromise a service account or extract NTLM hashes from memory (e.g., using Mimikatz, Rubeus, or Impacket).

2. Ticket Forging: Using the acquired NTLM hash, attackers create a forged TGS ticket offline. Tools such as Mimikatz or Rubeus are commonly used for this purpose.

3. Ticket Injection: The attacker injects the forged ticket into their session, typically using tools like Mimikatz or Rubeus, allowing them to authenticate directly to the targeted service.

4. Service Access: With the forged TGS ticket, attackers gain unauthorized access to the targeted service without needing further authentication from the KDC.

Characteristics of Silver Tickets:

• Valid for specific services only, not for the entire domain.

• Do not require direct interaction with the domain controller during ticket generation.

• Difficult to detect due to minimal interaction with domain controllers.

• Can be configured with arbitrary ticket lifetimes, allowing attackers prolonged persistence.

When this Technique is Usually Used

Attackers commonly employ Silver Ticket attacks during various stages of a cyberattack lifecycle, including:

• Persistence: Maintaining stealthy access to specific services, even after initial credential compromise has been remediated.

• Privilege Escalation: Gaining access to sensitive resources or services that require higher-level privileges.

• Lateral Movement: Moving laterally within a network by accessing services on other hosts without direct credential use.

• Data Exfiltration: Accessing sensitive databases or file shares to extract confidential information.

• Defense Evasion: Avoiding detection by bypassing standard authentication mechanisms and minimizing interaction with domain controllers.

How this Technique is Usually Detected

Detection of Silver Ticket attacks can be challenging due to their stealthy nature, but several methods can assist in identifying their presence:

• Event Log Monitoring:

  • Monitor Windows Security Event Logs for anomalies, such as authentication events (Event IDs 4624, 4768, 4769) that do not correlate with prior TGT requests.

  • Detect unusual or unexpected service ticket usage patterns, such as TGS tickets with unusually long lifetimes or unusual encryption types.

• Kerberos Protocol Anomalies:

  • Identify discrepancies or anomalies in Kerberos ticket encryption types or ticket attributes.

  • Monitor for Kerberos tickets issued without corresponding authentication events from the KDC.

• Behavioral Analysis:

  • Implement behavioral analytics tools (such as Microsoft ATA, Azure ATP, or Splunk UBA) to detect abnormal user or service account behaviors.

  • Alert on suspicious lateral movement activities or unusual service access patterns.

• Endpoint Detection and Response (EDR):

  • Deploy advanced endpoint detection solutions capable of detecting suspicious ticket injection activities (e.g., Mimikatz, Rubeus execution).

  • Identify tools and scripts commonly used in Silver Ticket attacks through process monitoring and memory analysis.

Indicators of Compromise (IoCs):

• Presence of known attack tools (Mimikatz, Rubeus, Impacket) on endpoints.

• Unexpected or anomalous service ticket requests.

• Kerberos tickets with abnormal lifetimes or unexpected encryption types.

• Authentication events without corresponding TGT requests.

Why it is Important to Detect This Technique

Detecting Silver Ticket attacks is critical due to the significant risks they pose to organizational security:

• Persistent Unauthorized Access: Attackers can maintain long-term stealthy access to critical services and resources, even after initial compromise remediation.

• Privilege Escalation and Lateral Movement: Attackers can escalate privileges, access sensitive resources, and move laterally across the network undetected.

• Data Theft and Exfiltration: Unauthorized access to sensitive databases, file shares, or applications can lead to data breaches, intellectual property theft, or exposure of confidential information.

• Defense Evasion: Silver Tickets bypass standard authentication and monitoring mechanisms, making detection and response significantly more challenging.

• Reputational Damage and Compliance Issues: Undetected Silver Ticket attacks can lead to severe regulatory compliance violations, financial penalties, reputational damage, and loss of customer trust.

Early detection and remediation of Silver Ticket attacks are crucial to minimize the potential impact and prevent attackers from establishing persistent footholds within the network.

Examples

Real-world examples and attack scenarios involving Silver Ticket attacks include:

• Advanced Persistent Threat (APT) Groups:

  • Nation-state attackers frequently leverage Silver Tickets to maintain stealthy persistence within high-value targets, such as government agencies or defense contractors.

  • Example: APT29 (Cozy Bear) has been known to use Kerberos-related attacks, including Silver and Golden Tickets, to maintain persistent access.

• Penetration Testing and Red Team Exercises:

  • Security professionals routinely use tools such as Mimikatz and Rubeus during penetration tests to demonstrate the risks associated with Silver Ticket attacks.

  • Example scenario: Red team operators compromise a service account NTLM hash, forge Silver Tickets, and gain unauthorized access to sensitive SQL databases, demonstrating potential impacts.

• Corporate Network Breaches:

  • Attackers targeting corporate environments often use Silver Tickets to access file servers, databases, or critical infrastructure services without detection.

  • Example: In a documented incident, attackers compromised a web application service account, forged Silver Tickets, and accessed sensitive HR databases containing employee records.

Tools Commonly Used:

• Mimikatz: Widely used tool capable of extracting hashes, forging Kerberos tickets, and injecting tickets into memory.

• Rubeus: A versatile tool written in C# designed for Kerberos interaction, ticket forging, and injection.

• Impacket: Python-based toolkit frequently used to interact with Kerberos and Active Directory services, facilitating ticket-based attacks.

Impacts Observed in Real-world Cases:

• Long-term, undetected persistence within compromised environments.

• Unauthorized access to sensitive data, resulting in data breaches.

• Significant financial and reputational damages due to prolonged attacker presence and data exfiltration.

Understanding these real-world scenarios emphasizes the necessity of robust detection and prevention strategies against Silver Ticket attacks.