In the complex world of cybersecurity, Golden Ticket and Silver Ticket attacks stand out as two crafty methods targeting the Kerberos authentication system. Although both attacks exploit the same system, their approaches, objectives, and implications differ. Here’s what you need to know about Silver Ticket attacks, including how they differ from Golden Ticket attacks.
What is a Silver Ticket attack?
A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket that is crafted for a specific service on a specific machine. A successful Silver Ticket attack gives the threat actor the ability to forge a service-specific Kerberos TGS for any service in the domain. This approach gives attackers narrower access than Golden Ticket attacks, which enable threat actors to forge a Kerberos Ticket Granting Ticket (TGT) for any user in the domain, thus granting an attacker domain-wide access.
In Silver Ticket attacks, access is limited to the specific service for which the ticket was crafted. However, the forged ticket does not need to be validated by the KDC after its creation. The stealthy Silver Ticket attack doesn’t grant the wide-ranging access of its Golden counterpart, but it can still cause significant harm when used for critical services like file servers or databases.
For example, if an attacker obtains the hash of a SQL Server service account, they can craft a Silver Ticket to access the SQL Server instance. Then, they can query databases or even inject malicious SQL commands, all without needing to request a TGS from the KDC.
Here are the steps that attackers follow in a Silver Ticket attack:
- The attacker compromises a service account or machine account to extract its NTLM hash.
- Using that hash, the attacker crafts a TGS for the specified service.
- The attacker presents the TGS to access the targeted service, without needing to interact with the KDC.
Both Golden Tickets and Silver Tickets are Kerberos ticket-forging attacks within Active Directory environments. Detecting both Golden and Silver Ticket attacks can be challenging because of the legitimate appearance of the forged tickets. However, specific indicators and tactics can help you identify these attacks.
How to detect a Silver Ticket attack
- Service mismatch: Watch out for any TGS that is presented to a service that didn’t request validation for it from the KDC. For instance, if a TGS for a SQL server is presented, but the KDC has no log of giving such a ticket, be highly suspicious.
- Event logs: Windows Event ID 4769 (on the targeted service’s machine) shows when a service ticket is used. If you do not see a corresponding Event ID 4768 (which shows a TGT being presented to the KDC for a TGS) for the same account in close proximity, a Silver Ticket attack might be underway.
- Ticket metadata anomalies: Forged tickets might contain metadata or permissions that don’t align with your organizational baseline or standard configurations.
- Abnormal service behavior: Look for services that are accessed at odd times or by accounts that typically don’t use the service.
How do Silver Ticket attacks differ from Golden Ticket attacks?
Like a Silver Ticket, a Golden Ticket is a forged Ticket Granting Ticket (TGT) that attackers create after gaining access to the domain’s KRBTGT account—the account used by the Key Distribution Center (TGTKDC) to encrypt and sign all TGTs. In other words, a Silver Ticket is a key to a specific room; a Golden Ticket is a key to the entire building.
Unlike the more specialized Silver Ticket attacks, Golden Ticket attacks enable persistent domain-wide access. The attacker can impersonate any user, elevate privileges, and access any service as long as the KRBTGT hash remains unchanged.
The true menace of a Golden Ticket lies in its broad reach. Attackers, once equipped with a Golden Ticket, can move laterally across the network, accessing various resources, manipulating user permissions, and even creating new credentials. The Golden Ticket is a master key, bypassing standard authentication and giving attackers extensive network privileges. For example, once an attacker gains the KRBTGT hash, they can craft a TGT for a Domain Administrator, then request TGSs for services such as File Shares, Remote Desktop, or any other service within the domain.
Silver Ticket attacks differ from Golden Ticket attacks in several ways:
- Scope: Golden Tickets provide domain-wide access, so anomalies can be more widespread. Silver Tickets target specific services.
- KDC interactions: Golden Ticket attacks interact with the KDC more frequently (to request TGSs for various services) than Silver Ticket attacks, which might bypass the KDC after the initial forged ticket creation.
- Logging: For Golden Tickets, both TGT and TGS logs should be inspected. For Silver Ticket attacks, emphasis should be on monitoring TGS logs, especially if they don’t correlate with TGT requests.
How can you defend against Silver Ticket attacks?
To effectively defend your environment against Silver Ticket attacks:
- Apply strict access controls and monitor privileged account activities. Purple Knight, Forest Druid, and Semperis Directory Services Protector (DSP) offer extensive visibility into Active Directory. Microsoft Advanced Threat Analytics (ATA) can also help detect suspicious activities within AD environments.
- Regularly review and audit Active Directory logs, preferably using a centralized log management solution or a solution like DSP, which catches activity that many event-monitoring tools miss.
- Implement advanced threat detection solutions like DSP, which analyzes and alerts on abnormal behavior.
Don’t give cyberattackers a free ticket
Silver Ticket attacks are more limited in scope than the infamous Golden Ticket attack, which can grant attackers domain-wide access. Still, the Silver Ticket attack’s stealthiness makes it a significant threat. Silver Ticket attacks bypass the need for TGT validation and can remain undetected unless you take specific auditing measures. Monitoring service accounts and applying the principle of least privilege throughout your environment are essential precautionary steps.
Both Golden and Silver Ticket attacks underscore the importance of regularly auditing and monitoring your Active Directory environment, employing least privilege principles, and ensuring robust security practices around service and privileged accounts.
The sheer audacity of these attacks highlights their potential damage. For organizations, understanding these nuances is pivotal. To mitigate the risk, regularly monitor for ticket anomalies, ensure time synchronization across servers, and review service account credentials. By recognizing the distinctive characteristics of both Golden and Silver Ticket attacks, enterprises can fortify their defenses, ensuring a more resilient network against Kerberos-based exploits.
Additional resources
