Silver Ticket Attack
A Silver Ticket attack forges Kerberos TGS tickets using a compromised service account hash, granting unauthorized access to specific services without contacting the domain controller.
A Silver Ticket attack is a post-exploitation technique that exploits Kerberos authentication by forging a Ticket Granting Service (TGS) ticket. Unlike a Golden Ticket, which targets the Key Distribution Center (KDC), a Silver Ticket is scoped to a single service. The attacker uses a compromised service account's NTLM hash to craft a valid TGS ticket, granting unauthorized access to that specific service without contacting the domain controller.
The attacker first compromises a service account and extracts its NTLM password hash, often through credential dumping tools like Mimikatz. With this hash, the attacker constructs a forged TGS ticket offline, specifying any user identity and privileges they choose. Because the domain controller is never contacted during TGS validation for many services, the forged ticket is accepted by the target service. The attacker can then authenticate as any user, including domain administrators, to that service. Common targets include file shares (CIFS), SQL Server, and web applications running under service accounts.
Silver Ticket attacks are particularly dangerous because they bypass centralized logging and detection mechanisms. Since no TGT request is made to the domain controller, standard Kerberos audit logs will not capture the authentication event. This makes the attack stealthy and difficult to detect with conventional monitoring. Organizations must implement service account hygiene, rotate service account passwords regularly, enable advanced Kerberos logging, and consider deploying Privileged Access Management solutions to reduce the attack surface for Silver Ticket exploitation.
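Because a forged service ticket is never issued by the domain controller, one detection approach is to correlate Kerberos logons recorded on service hosts (Event ID 4624) against service ticket requests recorded on the domain controller (Event ID 4769) and flag logons that no issued ticket explains. The following is an added example, not code from the original article; the normalized event fields, host names, account names, and the host-to-service-account mapping are constructed assumptions.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # assumption: default service-ticket lifetime
CLOCK_SKEW = timedelta(minutes=5)      # assumption: default Kerberos clock-skew tolerance

# Assumption: which account each host's service runs under (hypothetical names).
SERVICE_ACCOUNT = {"FS01": "FS01$", "SQL01": "svc_sql"}

# Constructed sample events, normalized from Event ID 4769 on the domain controller.
DC_4769 = [
    {"time": "2024-05-01T08:00:05", "user": "alice@CORP.LOCAL", "service": "FS01$"},
    {"time": "2024-05-01T09:10:00", "user": "bob@CORP.LOCAL", "service": "svc_sql"},
]
# Constructed sample events, normalized from Kerberos Event ID 4624 on service hosts.
HOST_4624 = [
    {"time": "2024-05-01T08:00:06", "host": "FS01", "user": "alice"},
    {"time": "2024-05-01T20:30:00", "host": "SQL01", "user": "bob"},           # ticket expired
    {"time": "2024-05-01T11:42:17", "host": "FS01", "user": "Administrator"},  # never issued
]

def _norm(user):
    """Lower-case and strip the @REALM suffix so both log sources compare equal."""
    return user.split("@")[0].lower()

def find_unbacked_logons(dc_events, host_events):
    """Return service-host Kerberos logons that no DC-issued ticket can explain."""
    issued = {}
    for ev in dc_events:
        key = (_norm(ev["user"]), ev["service"].lower())
        issued.setdefault(key, []).append(datetime.fromisoformat(ev["time"]))
    findings = []
    for ev in host_events:
        service = SERVICE_ACCOUNT.get(ev["host"])
        if service is None:
            continue  # host not in scope: no account mapping to correlate against
        logon = datetime.fromisoformat(ev["time"])
        times = issued.get((_norm(ev["user"]), service.lower()), [])
        # A logon is covered if it falls inside the lifetime of some issued ticket.
        covered = any(t - CLOCK_SKEW <= logon <= t + TICKET_LIFETIME + CLOCK_SKEW
                      for t in times)
        if not covered:
            findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in find_unbacked_logons(DC_4769, HOST_4624):
        print("no matching 4769:", f["time"], f["host"], f["user"])
```

A flagged logon is a lead for investigation rather than proof of forgery: 4769 events must be collected from every domain controller, and gaps in log collection will produce false positives.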
Written by CDA Editorial