Silver Ticket
What is Silver Ticket?
Silver Ticket: A forged Kerberos service ticket (TGS) created with the password hash of a target service account, granting silent access to that one service.
A Silver Ticket is a TGS forged offline using the NTLM or AES hash of a specific service account, such as a SQL Server, IIS, or CIFS principal. Because the ticket is signed by the service account itself and not by krbtgt, the attacker never talks to the KDC, leaving no Kerberos authentication events on the domain controller. The attacker can then access that single service as any user, including privileged ones, for the ticket's lifetime. MITRE ATT&CK classifies the technique as T1558.002 (Steal or Forge Kerberos Tickets: Silver Ticket). Mitigations include strong service-account passwords (gMSA), AES-only Kerberos, PAC validation, and monitoring service-side authentication logs for anomalies.
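A detection sketch for the point above that a forged ticket leaves no event on the domain controller. This is an added example, not part of the original entry. It flags Kerberos network logons on the service host (Event ID 4624) that have no matching service ticket request (Event ID 4769) on the DC. The events are constructed and simplified, and the account name `svc_sql` and the 10-hour ticket lifetime are assumptions.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # assumption: default service-ticket lifetime

# Constructed sample: 4769 events collected from the domain controller.
DC_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-02T09:00:00", "ServiceName": "svc_sql",
     "TargetUserName": "alice@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T20:00:00", "ServiceName": "svc_sql",
     "TargetUserName": "bob@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.0.7"},
]
# Constructed sample: 4624 events from the host running the service.
SERVICE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:01:00", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:30:00", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator", "IpAddress": "10.0.0.66"},
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:40:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TimeCreated": "2024-05-02T09:45:00", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "bob", "IpAddress": "10.0.0.7"},
]

def _key(event):
    # 4769 logs "user@REALM" and IPv4-mapped addresses; 4624 logs bare values.
    user = event["TargetUserName"].split("@")[0].lower()
    return user, event["IpAddress"].replace("::ffff:", "")

def unmatched_kerberos_logons(service_events, dc_events, service_account):
    """Return service-side Kerberos logons with no 4769 for the same user and
    client address within one ticket lifetime before the logon."""
    issued = {}
    for e in dc_events:
        if e["EventID"] == 4769 and e["ServiceName"].lower() == service_account.lower():
            issued.setdefault(_key(e), []).append(datetime.fromisoformat(e["TimeCreated"]))
    alerts = []
    for e in service_events:
        if (e["EventID"], e.get("LogonType"), e.get("AuthenticationPackageName")) != (4624, 3, "Kerberos"):
            continue  # only Kerberos network logons are relevant here
        when = datetime.fromisoformat(e["TimeCreated"])
        if not any(timedelta(0) <= when - t <= TICKET_LIFETIME for t in issued.get(_key(e), [])):
            alerts.append(e)  # no ticket was issued for this logon, or it expired
    return alerts

if __name__ == "__main__":
    for hit in unmatched_kerberos_logons(SERVICE_EVENTS, DC_EVENTS, "svc_sql"):
        print(hit["TimeCreated"], hit["TargetUserName"], hit["IpAddress"])
```

The correlation is only meaningful when 4769 events are collected from every domain controller in the domain; a gap in collection looks the same as a forged ticket.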
● Examples
- 01. Crafting a Silver Ticket for the MSSQL service of a database server to query data as an admin.
- 02. Forging a CIFS Silver Ticket to read files from a sensitive share without contacting the DC.
● Frequently asked questions
What is Silver Ticket?
A forged Kerberos service ticket (TGS) created with the password hash of a target service account, granting silent access to that one service. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Silver Ticket?
Defences for Silver Ticket typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- Kerberos (identity-access, № 584): A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- Golden Ticket (attacks, № 447): A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.
- Pass-the-Ticket (attacks, № 791): An Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without ever knowing the underlying password.
- Mimikatz (defense-ops, № 682): An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- Active Directory (identity-access, № 013): Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Kerberoasting (attacks, № 583): An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.