Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) | Attack Pattern | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 1 |