A Silver Ticket attack is a post-exploitation technique that exploits Kerberos authentication by forging a Ticket Granting Service (TGS) ticket. Unlike a Golden Ticket, which targets the Key Distribution Center (KDC), a Silver Ticket is scoped to a single service. The attacker uses a compromised service account's NTLM hash to craft a valid TGS ticket, granting unauthorized access to that specific service without contacting the domain controller.
The attacker first compromises a service account and extracts its NTLM password hash, often through credential dumping tools like Mimikatz. With this hash, the attacker constructs a forged TGS ticket offline, specifying any user identity and privileges they choose. Because the domain controller is never contacted during TGS validation for many services, the forged ticket is accepted by the target service. The attacker can then authenticate as any user, including domain administrators, to that service. Common targets include file shares (CIFS), SQL Server, and web applications running under service accounts.
Silver Ticket attacks are particularly dangerous because they bypass centralized logging and detection mechanisms. Since no TGT request is made to the domain controller, standard Kerberos audit logs will not capture the authentication event. This makes the attack stealthy and difficult to detect with conventional monitoring. Organizations must implement service account hygiene, rotate service account passwords regularly, enable advanced Kerberos logging, and consider deploying Privileged Access Management solutions to reduce the attack surface for Silver Ticket exploitation.