Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.05 | Remote access protection | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.AA-05.02 | Privileged system access | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement protects against Silver Ticket through the use of privileged account management and the use of multi-factor authentication. |
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement protects against Silver Ticket through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address the theft or forgery of Kerberos tickets, including silver tickets, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement protects against Steal or Forge Kerberos Tickets: Silver Ticket through key revocation and key management. Employing key protection strategies for key material used in identity management and authentication processes, especially for known services such as MSSQL, together with restriction to specific accounts and access control mechanisms, provides protection against adversaries trying to steal or forge Kerberos tickets. |
PR.AA-05.03 | Service accounts | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to the minimal required privileges to mitigate attempts to steal or forge Kerberos tickets. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement protects against Silver Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
PR.PS-01.05 | Encryption standards | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address the theft or forgery of Kerberos tickets, including silver tickets, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4 where possible. |
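As an added audit example (not part of this mapping page or of any vendor tool), the following Python decodes the Active Directory attribute msDS-SupportedEncryptionTypes for a constructed export of accounts and flags the SPN-bearing service accounts that still accept RC4 or have the attribute unset, which is the condition the two encryption mitigations above target. The account names, SPNs and attribute values are hypothetical; in practice the attributes would be read from the directory with an LDAP query, and the treatment of an unset attribute as "RC4 still allowed" is a conservative assumption about the domain default.

```python
# Bit values of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
ENC_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
LEGACY_MASK = 0x01 | 0x02 | 0x04

def decode_enc_types(value):
    # Unset (None/0) falls back to the domain default, assumed here to allow RC4-HMAC.
    if not value:
        return ["RC4-HMAC (attribute unset, domain default)"]
    return [name for bit, name in ENC_FLAGS.items() if value & bit]

def assess(value):
    """'ok': AES only; 'weak': RC4/DES accepted beside AES; 'rc4-only': no AES."""
    value = value or 0
    has_aes = bool(value & AES_MASK)
    has_legacy = value == 0 or bool(value & LEGACY_MASK)
    if has_aes and not has_legacy:
        return "ok"
    return "weak" if has_aes else "rc4-only"

def audit(accounts):
    """Findings for SPN-bearing accounts whose settings are not AES-only."""
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # no SPN, so the KDC issues no service ticket for this account
        value = acct.get("msDS-SupportedEncryptionTypes")
        verdict = assess(value)
        if verdict != "ok":
            findings.append((acct["sAMAccountName"], verdict, decode_enc_types(value)))
    return findings

# Constructed sample export (hypothetical accounts, not from any real domain).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_mssql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": None},   # never set: domain default applies
    {"sAMAccountName": "svc_sharepoint", "servicePrincipalName": ["HTTP/sp01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x1C},   # RC4 + AES128 + AES256
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18},   # AES128 + AES256 only
    {"sAMAccountName": "jdoe", "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
]
```

Running `audit(SAMPLE_ACCOUNTS)` reports svc_mssql as rc4-only and svc_sharepoint as weak; an account is only considered remediated once it offers AES and no legacy type, since a service that still accepts RC4 can still be issued a ticket that its NT-hash-derived key decrypts.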
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.XML external entities | XML external entities. Child of 'Exploit vuln'. | related-to | T1558.002 | Silver Ticket | |
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1558.002 | Silver Ticket | |