The Silver Ticket attack involves gaining access to resources in a network using forged authentication tickets. It's as damaging as the Golden Ticket attack. Using a silver ticket, an attacker can create multiple ticket granting service (TGS) tickets for a specific service without ever communicating with a domain controller (DC) in the network. In this blog, we'll discuss:
To create a silver ticket, which can authenticate service requests illicitly, the attacker must get the password hash and the service principal name (SPN) of the targeted service account along with domain details such as the domain name and the domain SID.
Let's assume an attacker has compromised an end-user account in your network. The attacker then:
1. Installs malicious software, such as Mimikatz, to steal the password hash and SPN of the service account.
2. Executes the following command to compromise a service account with sensitive information:
mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
3. Creates the silver ticket using the obtained information.
4. Injects the created silver ticket into the cmd.exe session. For example, here's how the Mimikatz command that creates a silver ticket and injects it (/ptt) looks:
mimikatz "kerberos::golden /admin:Tom /id:1106 /domain:solutions.org /sid:S-1--67-7652348760-657943776-7675675989 /target:server.solutions.org /rc4:w4e68i0507gv078aj89fn65nh6n76g45 /service:cifs /ptt" exit
This silver ticket can now be used to request access to resources using usernames that don't exist in your network, making it difficult for you to detect the adversary.
You should monitor your network events constantly to identify the following anomalies:
First-time resource access requests by a user account
Anomalous behavior from privileged user accounts
Multiple and continuous accesses to a specific service
Threats detected by antivirus software
Accumulation of data at endpoints indicating potential data exfiltration attempts
Unusual user behavior, such as requesting access to resources during unusual hours
Detecting the indicators of compromise (IoCs) of a Silver Ticket attack in your network at its initial stage can help you contain the attack. Because the attack involves no communication with the DC, DC logs won't reveal it; you need to constantly track the events occurring at the host level and analyze the log data to spot suspicious events. To do this, use a tool capable of searching, analyzing, and detecting malicious activities on individual hosts and correlating them into one incident. A security information and event management (SIEM) solution with log management, event correlation, and user and entity behavior analytics capabilities can help you detect the IoCs of a Silver Ticket attack easily.
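As an added example (not code from the post or from Log360), the following routine correlates constructed host-level service access events and flags the anomalies listed above: account names that don't exist in the directory, first-time access to a service, off-hours activity, and repeated accesses to one service. The account names, SPNs, business hours, baseline, and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of host-level service access events (not from the post).
# Fields: (timestamp, account, service SPN, source host)
EVENTS = [
    ("2021-03-01T09:02:00", "alice", "cifs/server.solutions.org", "ws01"),
    ("2021-03-01T09:05:00", "alice", "cifs/server.solutions.org", "ws01"),
    ("2021-03-01T14:10:00", "bob", "http/intranet.solutions.org", "ws02"),
    ("2021-03-01T23:40:00", "Tom", "cifs/server.solutions.org", "ws07"),
    ("2021-03-01T23:40:05", "Tom", "cifs/server.solutions.org", "ws07"),
    ("2021-03-01T23:40:09", "Tom", "cifs/server.solutions.org", "ws07"),
    ("2021-03-01T23:40:12", "Tom", "cifs/server.solutions.org", "ws07"),
]
# Accounts that actually exist in the directory (constructed list).
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}
# (account, service) pairs observed during a learning period (constructed).
BASELINE = {("alice", "cifs/server.solutions.org"),
            ("bob", "http/intranet.solutions.org")}


def analyze(events, known_accounts, baseline, business_hours=(7, 20),
            burst_threshold=3, burst_window=timedelta(seconds=60)):
    """Return {account: set(indicator names)} for the anomalies found."""
    findings = defaultdict(set)
    seen = set(baseline)            # (account, service) pairs already known
    recent = defaultdict(list)      # (account, service) -> timestamps in window
    for ts, account, service, _host in sorted(events):
        t = datetime.fromisoformat(ts)
        # A forged ticket can carry a name no DC ever issued: strongest signal.
        if account not in known_accounts:
            findings[account].add("unknown_account")
        if (account, service) not in seen:
            findings[account].add("first_time_access")
            seen.add((account, service))
        if not business_hours[0] <= t.hour < business_hours[1]:
            findings[account].add("off_hours")
        # Sliding window: count accesses to the same service in the last minute.
        window = [w for w in recent[(account, service)] if t - w <= burst_window]
        window.append(t)
        recent[(account, service)] = window
        if len(window) >= burst_threshold:
            findings[account].add("repeated_service_access")
    return dict(findings)


if __name__ == "__main__":
    for account, indicators in analyze(EVENTS, KNOWN_ACCOUNTS, BASELINE).items():
        print(account, sorted(indicators))
```

In a real deployment the baseline and known-account set would come from your directory and historical logs, and each indicator would feed a correlation rule rather than a print statement.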
If you want to see these features in action, download a 30-day, free trial of Log360, a ManageEngine SIEM solution.
To remediate a Silver Ticket attack, you must change the service account password twice. This is because Active Directory stores the current and previous passwords of an account. You can remotely reset the passwords of the infected systems by executing the Reset-ComputerMachinePassword command in PowerShell. Ensure that all the infected systems are reachable when the process is initiated; if not, you may have to check for other infected systems and reset their passwords so no loopholes are left open for the attackers.
After eliminating the vulnerabilities from your network, perform patch management to keep attackers at bay. Revisit the permissions of user accounts, and make sure that you've adopted the principle of least privilege while assigning roles and permissions to users.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.