Active Directory · Term

What is a Silver Ticket?

A Silver Ticket is a forged Kerberos service ticket for one specific service, signed with that service account’s hash. It is narrower than a Golden Ticket but quieter, because it never contacts the Domain Controller. Here is what a Silver Ticket is and how to defend against it.

TL;DR

A Silver Ticket is a forged Kerberos service ticket (TGS) for one specific service, created with that service account’s password hash rather than the KRBTGT key. It grants access only to that one service (a file share, database, or host), but it is stealthier than a Golden Ticket because the attacker never asks the Domain Controller for the ticket. It requires the target service account’s hash, often obtained from a Kerberoast or an LSASS dump.

By John Dill, Red Team Lead, SecureLayer7

What a Silver Ticket is

Where a Golden Ticket forges a TGT signed by KRBTGT, a Silver Ticket forges a service ticket (TGS) signed by the target service’s account hash.

That changes the trade-off. A Silver Ticket only opens the one service whose hash was used, not the whole domain. But because the attacker mints it locally and presents it straight to that service, the Domain Controller is never contacted, so the usual ticket-request logs do not appear. It is the surgical, low-noise forgery.

How it is forged and what it carries

The attacker needs the service account’s hash, then forges the service ticket:

  • Obtain the service-account hash (Kerberoast crack, or LSASS dump of a host running the service).
  • Forge the TGS for the target service: kerberos::golden /user:Administrator /domain:corp.local /sid:<SID> /target:host01.corp.local /service:cifs /rc4:<service-hash> /ptt (Mimikatz; the same golden module produces a Silver Ticket when given /target, /service and the service account’s /rc4 hash instead of the KRBTGT key)
  • Access the service (for example the file share) as the impersonated user.

Documented techniques shown for defensive context.

How to defend

  • Use strong, machine-managed service-account passwords (gMSAs) so the service hash cannot be cracked from a Kerberoast.
  • Protect host memory (Credential Guard, Protected Users) so service hashes are not dumped from LSASS.
  • Enable host-based monitoring, since the DC sees nothing; the service host is where evidence lives.
  • Limit service-account privilege so a forged ticket to one service is not also broad access.
  • Rotate service-account passwords to invalidate older forged tickets.
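The host-based monitoring point above is the one defenders most often ask how to operationalise. The core check is a correlation: a Silver Ticket produces a Kerberos network logon (event 4624, logon type 3) on the service host that was never preceded by a service-ticket request (event 4769) on the Domain Controller for that user from that client. The script below is an added example, not the page’s or SecureLayer7’s own tooling; the event records are constructed sample data with assumed field names that mirror what a SIEM would extract, and the DNS-form domain check is a heuristic (tools that mint tickets commonly fill the account-domain field as corp.local where a DC-issued ticket yields the NetBIOS name CORP).

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions that
# mirror the Windows event properties a SIEM would normally extract.
# 4624 on the service host host01: Kerberos network logons.
HOST_4624 = [
    {"time": "2024-05-01T10:00:05", "user": "Administrator", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.5"},
    # Suspicious: DNS-form domain, and no DC ticket request from this client.
    {"time": "2024-05-01T10:07:30", "user": "Administrator", "domain": "corp.local",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.77"},
    # NTLM logon: outside the scope of this check.
    {"time": "2024-05-01T10:09:00", "user": "jsmith", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.9"},
]
# 4769 on the DC: service-ticket requests for host01's service account.
DC_4769 = [
    {"time": "2024-05-01T10:00:01", "user": "Administrator", "service": "HOST01$",
     "client_ip": "10.0.0.5"},
    {"time": "2024-05-01T10:20:00", "user": "jsmith", "service": "HOST01$",
     "client_ip": "10.0.0.9"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def has_dns_style_domain(domain: str) -> bool:
    """Heuristic: a DC-issued ticket yields the NetBIOS domain (CORP) in the
    4624 account-domain field; forged tickets often carry DNS form (corp.local)."""
    return "." in domain


def find_unrequested_kerberos_logons(host_events, dc_events,
                                     window=timedelta(hours=10)):
    """Return host 4624 Kerberos logons with no matching DC 4769.

    A legitimately obtained service ticket is requested from the DC by the
    same client before it is presented, and stays valid for the ticket
    lifetime (10 hours by default), so the match looks back that far.
    """
    findings = []
    for ev in host_events:
        if ev["logon_type"] != 3 or ev["auth_pkg"].lower() != "kerberos":
            continue
        t = _ts(ev["time"])
        reasons = []
        requested = any(
            r["user"].lower() == ev["user"].lower()
            and r["client_ip"] == ev["src_ip"]
            and t - window <= _ts(r["time"]) <= t
            for r in dc_events
        )
        if not requested:
            reasons.append("no matching 4769 TGS request on the DC for this "
                           "user/source within the ticket lifetime")
        if has_dns_style_domain(ev["domain"]):
            reasons.append(f"account domain '{ev['domain']}' is in DNS form, "
                           "not NetBIOS")
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unrequested_kerberos_logons(HOST_4624, DC_4769):
        e = f["event"]
        print(f"{e['time']} {e['domain']}\\{e['user']} from {e['src_ip']}:")
        for r in f["reasons"]:
            print("  -", r)
```

Both event sources must be collected for this to work: 4769 needs the DC’s Audit Kerberos Service Ticket Operations policy enabled, and 4624 needs logon auditing on the service host itself. Filter the DC side to requests for the service account in question, keep host and DC clocks synchronised so the look-back window is meaningful, and treat the domain-form check as corroboration rather than proof, since it depends on how the ticket was minted.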
