Silver Tickets
While most of the attention goes to Golden Tickets as a means of persistence, Silver Tickets are also an effective method, and arguably a quieter one.
The difference is one of scope: a Golden Ticket (a forged TGT) gives you access to any service in the domain, while a Silver Ticket (a forged service ticket) limits your access to the specific service you target.
Silver Tickets can be forged to gain access to a service in an AD domain if you can obtain the password hash of the account that runs that service. The reason is that service tickets, the tickets returned by the Ticket Granting Service (TGS), are encrypted with the long-term key of the account running the service, and the PAC inside them is signed with that same key; with the RC4-HMAC encryption type that key is literally the account's NT hash. Whoever holds that key can therefore forge service tickets that the service will accept.
It should be noted that Silver Tickets can be forged not only from the hashes of service accounts but from computer account hashes as well, since a computer account runs many services on its host (CIFS, HOST, RPCSS, HTTP, WSMAN and, on a DC, LDAP) as Local System. The computer hash does not have to be a Domain Controller hash: any domain-joined machine's account works against the services on that machine, and a computer account that has been granted access to the Domain Controller via group membership works for reaching the DC as well.
Just like Golden Tickets, the forged ticket can be created on behalf of any user, including fake accounts.
The ticket's Privilege Attribute Certificate (PAC) carries the user's SID and group memberships, and since the forger builds the PAC, it can be populated with any groups desired, such as Domain Admins (RID 512). The PAC carries two signatures: a server signature keyed with the service key, which the forger can compute, and a KDC signature keyed with the krbtgt key, which the forger cannot. Unless the service asks a DC to validate the KDC signature (services running as Local System, Network Service or with SeTcbPrivilege do not), the forged PAC is accepted and the account is effectively elevated to an admin.
A common method of obtaining a service account hash is Kerberoasting: request a service ticket for the account's SPN and crack it offline. Computer account hashes can be dumped from LSASS on a machine where you already have local admin.
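The following Python is an added illustration, not code from the original page, of why PAC validation is what separates a Silver Ticket from a real one. It models the PAC's two signatures: the server signature, which the forger can compute with the service key, and the KDC signature over the server signature, which needs the krbtgt key. The checksum is a simplified stand-in for HMAC-SHA1-96 (the AES checksum type, without the key-usage step), the PAC body is a toy serialisation rather than the real NDR-encoded PAC_LOGON_INFO, and both keys are made-up constants.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

# Constructed keys for this model; neither is a real secret.
SERVICE_KEY = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # role: the service account's key
KRBTGT_KEY = bytes.fromhex("2f47c3a0d9e5b1c8a6e4f0d2b8c91a7e")   # role: the krbtgt key, known only to DCs
DOMAIN_ADMINS_RID = 512


def encode_logon_info(user: str, user_rid: int, group_rids: List[int]) -> bytes:
    """Toy serialisation of the PAC_LOGON_INFO fields that matter here (real PAC is NDR-encoded)."""
    name = user.encode("utf-16-le")
    groups = b"".join(struct.pack("<I", rid) for rid in sorted(group_rids))
    return struct.pack("<H", len(name)) + name + struct.pack("<II", user_rid, len(group_rids)) + groups


def decode_group_rids(body: bytes) -> List[int]:
    """Read the group list back out, i.e. what the service would authorise."""
    (name_len,) = struct.unpack_from("<H", body, 0)
    _rid, count = struct.unpack_from("<II", body, 2 + name_len)
    return list(struct.unpack_from("<%dI" % count, body, 2 + name_len + 8))


def pac_checksum(key: bytes, data: bytes) -> bytes:
    """Simplified HMAC-SHA1-96: the real checksum also mixes in a key-usage number."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def issue_pac(user: str, user_rid: int, group_rids: List[int],
              service_key: bytes, krbtgt_key: bytes) -> Dict[str, bytes]:
    """What the KDC does: sign the body with the service key, then sign that signature with krbtgt."""
    body = encode_logon_info(user, user_rid, group_rids)
    server_sig = pac_checksum(service_key, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": pac_checksum(krbtgt_key, server_sig)}


def forge_silver_pac(user: str, user_rid: int, group_rids: List[int],
                     service_key: bytes) -> Dict[str, bytes]:
    """What a Silver Ticket forger does: only the service key is available, so the KDC signature is junk."""
    body = encode_logon_info(user, user_rid, group_rids)
    server_sig = pac_checksum(service_key, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": b"\x00" * 12}


def service_accepts(pac: Dict[str, bytes], service_key: bytes,
                    krbtgt_key: Optional[bytes] = None) -> bool:
    """The service's check on AP-REQ. The server signature is always verified locally; the KDC
    signature is only verified when the service performs PAC validation with a DC, modelled
    here by passing krbtgt_key (None = no validation, the default for Local System services)."""
    if not hmac.compare_digest(pac["server_sig"], pac_checksum(service_key, pac["body"])):
        return False
    if krbtgt_key is None:
        return True
    return hmac.compare_digest(pac["kdc_sig"], pac_checksum(krbtgt_key, pac["server_sig"]))


if __name__ == "__main__":
    forged = forge_silver_pac("Administrator", 500, [513, DOMAIN_ADMINS_RID], SERVICE_KEY)
    print("Groups the service would honour:", decode_group_rids(forged["body"]))
    print("Accepted without PAC validation:", service_accepts(forged, SERVICE_KEY))
    print("Accepted with PAC validation:   ", service_accepts(forged, SERVICE_KEY, KRBTGT_KEY))
```

The interesting case is the last line: the same forged ticket passes a service that trusts the server signature alone and fails one that round-trips the KDC signature to a DC, which is also why that validation shows up on the DC as a 4769-less logon check rather than as a ticket request.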
I have already explained the Kerberos authentication mechanism here.
There are three reasons why this persistence technique is so effective:
The hash of a service account is easier to obtain than the hash of krbtgt.
It bypasses steps 1-4 of the Kerberos authentication process (AS-REQ/AS-REP and TGS-REQ/TGS-REP) altogether, so forging and using the ticket requires no communication whatsoever with a Domain Controller. The DC logs no 4768 or 4769 event; the only log events appear on the machines running the services you gain access to.
Computer account passwords are changed every 30 days by default, but this can be disabled[1]. Even when it is not, 30 days of persistence with a single hash is still a reasonable amount of time.
With Rubeus.exe
With Mimikatz
Getting the Service Account or Computer Hashes
The General Command to Issue the Ticket
The '/ptt' option injects the ticket into the memory of the current logon session
You can also use the '/ticket' option instead to save the ticket to a file
Accessing Shares on the DC Using the DC Computer Hash
Creating a Silver Ticket That Allows You to Build and Run Scheduled Tasks as a Method of Persistence
Then Build and Run a Scheduled Task
Using Silver Tickets to Create a New PowerShell Remoting Session
This attack requires two tickets, one for the HTTP SPN and one for the WSMAN SPN of the target
Using Silver Tickets to Gain Access to LDAP Services
Then you can run DCSync to get the krbtgt credentials
Using Silver Tickets to Gain Access to Services Running on HTTP
Using Silver Tickets to Access WMI
Requires tickets for both the HOST and RPCSS SPNs of the target
With Impacket
ticketer.py
getST.py
Mitigations
Keep tight control over service accounts: give them long, random passwords (or use group managed service accounts) so that Kerberoasted tickets cannot be cracked, and limit their access as much as possible to minimise the impact if one is compromised.
Monitor logon events on the member servers themselves (4624 with authentication package Kerberos and logon type 3, plus 4672 where special privileges are assigned) and correlate them with the 4769 service ticket events collected from all DCs: a Kerberos logon to a host for which no DC issued a ticket is the signature of a forged service ticket. Tools such as ATA attempt this kind of correlation between what the DCs saw and what the hosts report.
Make sure no computer accounts are members of admin groups, and check regularly whether any have been added.
Make sure that computer account passwords are rotated regularly and that the default 30-day change has not been disabled[1].
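As an added example (not part of the original page), the following Python implements the correlation described in the mitigations above and exploits the property noted earlier that a Silver Ticket produces no 4769 on any DC: it takes flattened 4624 events from member servers and 4769 events from the DCs and flags Kerberos network logons that no DC issued a service ticket for. The events, hostnames and realm are constructed for the example; in a real pipeline they would come from a SIEM, and the 4769 events must be collected from every DC in the domain or every logon served by an uncollected DC becomes a false positive.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample events (not real logs), flattened from the Windows event XML.
# DC01 is a domain controller, WEB01 a member server. Times are ISO 8601.
SAMPLE_EVENTS: List[Dict] = [
    # Normal flow: alice gets a TGT, then a service ticket for WEB01$ (e.g. cifs/web01), then logs on.
    {"host": "DC01", "id": 4768, "time": "2024-05-01T09:00:00", "user": "alice@LAB.LOCAL"},
    {"host": "DC01", "id": 4769, "time": "2024-05-01T09:00:05", "user": "alice@LAB.LOCAL", "service": "WEB01$"},
    {"host": "WEB01", "id": 4624, "time": "2024-05-01T09:00:07", "user": "alice",
     "logon_type": 3, "auth_pkg": "Kerberos"},
    # Forged service ticket: Kerberos logon as Administrator on WEB01 with no ticket issued by any DC.
    {"host": "WEB01", "id": 4624, "time": "2024-05-01T09:15:00", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "Kerberos"},
    # NTLM network logon: not Kerberos, so outside the scope of this correlation.
    {"host": "WEB01", "id": 4624, "time": "2024-05-01T09:20:00", "user": "bob",
     "logon_type": 3, "auth_pkg": "NTLM"},
]
DOMAIN_CONTROLLERS: Set[str] = {"DC01"}
REALM = "LAB.LOCAL"
# A service ticket may legitimately be reused for its whole lifetime (10 hours by default),
# so the 4769 that explains a logon can be that far in the past.
MAX_TICKET_LIFETIME = timedelta(hours=10)


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def unmatched_kerberos_logons(events: List[Dict], dcs: Set[str] = DOMAIN_CONTROLLERS,
                              realm: str = REALM,
                              window: timedelta = MAX_TICKET_LIFETIME) -> List[Dict]:
    """Return the 4624 Kerberos network logons on member servers that no DC issued a ticket for."""
    issued = [e for e in events if e["id"] == 4769 and e["host"] in dcs]
    suspicious = []
    for e in events:
        if e["id"] != 4624 or e["host"] in dcs:
            continue
        if e.get("auth_pkg") != "Kerberos" or e.get("logon_type") != 3:
            continue
        # 4769 names the client as user@REALM and the service as the target's computer account.
        principal = "%s@%s" % (e["user"], realm)
        expected_service = e["host"].upper() + "$"
        t = _ts(e)
        explained = any(
            i["user"].lower() == principal.lower()
            and i["service"].upper() == expected_service
            and t - window <= _ts(i) <= t
            for i in issued
        )
        if not explained:
            suspicious.append(e)
    return suspicious


def describe(hits: List[Dict]) -> List[str]:
    return ["%s: Kerberos logon by %s on %s with no matching 4769 on any DC"
            % (h["time"], h["user"], h["host"]) for h in hits]


if __name__ == "__main__":
    for line in describe(unmatched_kerberos_logons(SAMPLE_EVENTS)):
        print(line)
```

Two caveats worth keeping in mind when turning this into a real detection: the 4769 for an SPN such as HTTP/web01 still names the computer account WEB01$ as the service, which is why the match is on the account rather than the SPN, and a DC that is missing from the collection makes every logon it served look forged, so the rule should be gated on the DC coverage of the log source.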
References
[1] https://adsecurity.org/?p=2753