Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Company
Platform
Modern NDR
Resources
Company
DETECTION OVERVIEW
Risk Factors
Silver ticket attacks are sophisticated. An attacker must have service account ciphertext to forge a silver ticket, which enables an attacker to access a targeted service with elevated privileges.
Category
Kerberos is an authentication protocol that creates tickets encrypted with account keys to verify identity and permissions. A ticket contains user, computer, or service account credentials that are encrypted with a cipher algorithm. Every domain controller (DC) in an Active Directory (AD) domain has a Kerberos Key Distribution Center (KDC) service for issuing ticket-granting tickets (TGTs) and a ticket-granting service (TGS) for creating service tickets. These tickets act as a cryptographic proof of identity. A user must have valid TGT and service tickets to access services such as file shares, printers, and databases. A valid service ticket is encrypted with a service account key. If an attacker manages to steal a service account key (1), the attacker can bypass the service ticket to create a forged service ticket, which is known as a silver ticket. A silver ticket is created by running a command in a Windows exploit tool, such as Mimikatz or Impacket (2). The silver ticket is encrypted with the stolen account key and might include fake domain administrator credentials. When the attacker wants to access a service, they send a Kerberos AP_REQ message with the silver ticket to the service (3). The service trusts the silver ticket and gives access to the attacker posing as a domain administrator.
Change passwords for the affected service
Change passwords for the KRBTGT account and all service and client accounts if there is evidence that additional services are under attack
Implement strict login controls on devices with highly privileged users, which reduces the exposure of credentials stored in memory to attackers
Strengthen the security on Windows devices by enforcing strong authentication policies and creating a list of approved applications
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
