A Silver Ticket attack is another type of Kerberos-based attack, similar to the Golden Ticket—but more targeted and stealthy. Here’s a breakdown:
🎫 What Is a Silver Ticket Attack?
A Silver Ticket is a forged Kerberos service ticket (TGS) that allows an attacker to access specific services without needing to interact with the domain controller. Unlike Golden Tickets, which grant full domain control, Silver Tickets are used to impersonate a specific service account.
🛠️ How It Works
To execute a Silver Ticket attack, an attacker typically follows these steps:
- Compromise a machine or account with local admin privileges.
- Extract the NTLM hash of a service account (e.g., SQL Server, IIS, etc.).
- Forge a service ticket (TGS) using tools like Mimikatz or Impacket.
- Authenticate directly to the service, bypassing the Key Distribution Center (KDC).
- Access the service as the impersonated account without raising alarms.
⚠️ Why It’s Dangerous
- No need to contact the KDC, making it harder to detect.
- Targeted access to specific services (e.g., file shares, databases).
- Bypasses MFA and PAM solutions that rely on centralized authentication.
- Can be used for lateral movement within the network.
🛡️ How to Defend Against It
Here are key strategies to prevent Silver Ticket attacks:
| Defense Strategy | Description |
|---|---|
| 🔐 Use Strong Service Account Passwords | Ensure passwords are long (30+ characters) and rotated regularly. |
| 🧾 Monitor Kerberos Ticket Activity | Look for anomalies in ticket timestamps, logon events, and service access patterns. |
| 🧍♂️ Apply Least Privilege Principle | Limit service account permissions to only what’s necessary. |
| 🧰 Use Threat Detection Tools | Tools like Microsoft Defender for Identity or Varonis can detect forged tickets and lateral movement. |
| 🧼 Clean Up Unused Service Accounts | Remove or disable accounts that are no longer needed. |
Here’s a solid guide to hardening your Kerberos environment to defend against attacks like Golden and Silver Tickets:
🛡️ Kerberos Hardening Checklist
🔐 1. Enforce Strong Encryption
- Disable RC4 encryption, which is vulnerable to attacks like Kerberoasting.
- Enable AES-256 encryption for all accounts and services.
- Update the
msDS-SupportedEncryptionTypesattribute for service accounts to prefer AES.
Learn more from Microsoft’s hardening guide.
🧾 2. Configure Kerberos Policy Settings
- Set maximum ticket lifetimes to reduce exposure:
- Service ticket: ≤ 10 hours
- User ticket: ≤ 10 hours
- Ticket renewal: ≤ 7 days
- Set clock skew tolerance to ≤ 5 minutes to prevent replay attacks.
A full step-by-step guide is available on GitHub.
🧍♂️ 3. Secure Service Accounts
- Use long, complex passwords (30+ characters).
- Rotate passwords regularly.
- Avoid using domain admin privileges for service accounts.
- Disable unused accounts and remove unnecessary delegation rights.
🧰 4. Monitor and Audit Kerberos Events
- Enable auditing for Kerberos events (IDs 4768, 4769, 4770).
- Watch for:
- Unusual ticket lifetimes
- Tickets issued for disabled or nonexistent accounts
- Service tickets without corresponding logon events
🧼 5. Reset KRBTGT Account Password (Twice)
- This invalidates all existing TGTs, including forged Golden Tickets.
- Must be done twice to fully purge old keys.
🧠 6. Educate and Segment Admin Access
- Implement tiered administration (Tier 0, 1, 2).
- Use Privileged Access Workstations (PAWs) for domain admins.
- Avoid using high-privilege accounts for daily tasks.
