
The Silver ticket attack

A Silver Ticket attack starts by compromising a specific service or application running within an enterprise. Attackers grab the password hash of the Kerberos service account from the local computer's SAM database, then crack it offline to obtain the service's cleartext password. They can then run code on the compromised machine in the SYSTEM context and forge a Kerberos service ticket that authenticates to the targeted service without ever contacting the Domain Controller (in most environments, validation of the Privilege Attribute Certificate, PAC, is disabled, so the service never asks the Domain Controller to verify the ticket).

Silver Tickets are easier for attackers to obtain because they don't require any privileged accounts. A Silver Ticket attack is also harder to detect, because forging a Silver Ticket needs no interaction with the Domain Controller. Once attackers hold a Silver Ticket, they can use it as a stepping stone to elevating privileges to Domain Administrator. Because attackers can compromise the domain completely with stealthier techniques using Silver Tickets, organizations must find ways to protect against them within their infrastructure.

It is apparent why these advanced techniques commonly occur in large-scale attacks. For example, in Ryuk and Darkside ransomware incidents, attackers used Golden and Silver Ticket attacks to move laterally, deploying ransomware on numerous systems. In another attack, the Netwalker ransomware compromised a domain controller and deployed ransomware on all domain-joined systems within 60 minutes.

This presentation from Black Hat described these attacks. In his blog post on Detecting Forged Kerberos Tickets, Sean Metcalf documented several ways to detect and mitigate them. However, most of these methods are manual and don't scale in the real world.

Silver ticket attack in action

You just need to get a service account hash or, in this case, a machine account hash to forge a ticket. To get the hashes I will load mimikatz on a system and use this command to get the hashes. This is explained in detail in the Golden Ticket post. In short, we loaded mimikatz in the admin session and used the lsadump module to dump all the hashes on the system.

SILVER TICKET DETECTION

Silver Ticket events may have one of these issues (the expected value is shown in brackets):

- The Account Domain field is blank when it should be DOMAIN.
- The Account Domain field is the DOMAIN FQDN when it should be DOMAIN.

Event ID: 4624 (Account Logon)
- Account Domain is the FQDN and should be the short domain name
- Account Domain:        LAB.ADSECURITY.ORG   [ADSECLAB]

Event ID: 4634 (Account Logoff)
- Account Domain is blank and should be the short domain name
- Account Domain:        _______________   [ADSECLAB]

Event ID: 4672 (Admin Logon)
- Account Domain is blank and should be the short domain name
- Account Domain:        _______________   [ADSECLAB]
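The Account Domain checks above can be automated over exported Security-log events. The following is an added example written for this page, not code from Sean Metcalf's blog or from any product; the short domain name, the FQDN and the sample event records are constructed values.

```python
# Added example written for this page (not from the referenced blog or any tool): flag the
# Account Domain anomalies listed above in Security events 4624, 4634 and 4672.
# The domain names and the sample events below are constructed values.

EXPECTED_SHORT_DOMAIN = "ADSECLAB"      # NetBIOS name the field should contain
DOMAIN_FQDN = "LAB.ADSECURITY.ORG"      # DNS name that shows up instead in forged-ticket logons
WATCHED_EVENTS = {4624: "Account Logon", 4634: "Account Logoff", 4672: "Admin Logon"}

# Constructed sample records in the shape of exported Security-log event data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-sql", "TargetDomainName": "ADSECLAB", "Computer": "SQL01"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "LAB.ADSECURITY.ORG", "Computer": "SQL01"},
    {"EventID": 4634, "TargetUserName": "Administrator", "TargetDomainName": "", "Computer": "SQL01"},
    {"EventID": 4672, "SubjectUserName": "Administrator", "SubjectDomainName": "", "Computer": "SQL01"},
    {"EventID": 4688, "SubjectUserName": "bob", "SubjectDomainName": "", "Computer": "WS01"},  # not watched
]

def account_fields(event):
    """Return (account name, account domain). 4672 reports the Subject account;
    4624 and 4634 report the Target account that logged on or off."""
    prefix = "Subject" if event["EventID"] == 4672 else "Target"
    return event.get(prefix + "UserName", ""), event.get(prefix + "DomainName", "")

def check_event(event, short_domain=EXPECTED_SHORT_DOMAIN, fqdn=DOMAIN_FQDN):
    """Return a finding for a watched event whose Account Domain is blank or is the
    FQDN instead of the short domain name; None when the event looks normal."""
    event_id = event["EventID"]
    if event_id not in WATCHED_EVENTS:
        return None
    user, domain = account_fields(event)
    domain = domain.strip()
    if domain == "":
        reason = "Account Domain is blank"
    elif domain.casefold() == fqdn.casefold():
        reason = "Account Domain is FQDN"
    else:
        return None  # short NetBIOS name (or another domain): not this indicator
    return {"EventID": event_id, "Name": WATCHED_EVENTS[event_id], "Computer": event.get("Computer", ""),
            "User": user, "AccountDomain": domain, "Expected": short_domain, "Reason": reason}

def scan(events):
    """Run check_event over every event and return the list of findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['EventID']} {f['Name']} on {f['Computer']}: {f['Reason']} for {f['User']} "
              f"(got {f['AccountDomain']!r}, expected {f['Expected']!r})")
```

A real deployment would feed the same checks with events exported from the hosts running the services, since the forged ticket never touches the Domain Controller's logs.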

Oussama khelifa baghdouche
Bougetaia mokhtar
Akram chiboub
