Steal or Forge Kerberos Tickets: Silver Ticket (T1558.002)

Tactic: Credential Access · Platforms: Windows

The interactive view maps 1 detection strategy, 3 mitigations, 4 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Steal or Forge Kerberos Tickets (T1558).

Overview

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.

Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

Explore