Silver Ticket Attack

Bart Lenaerts-Bergmans - December 23, 2022

Malicious actors are always trying to find ways to breach security for their own gain. To achieve this, many target the authentication process within network security. By forging or altering credentials for their own use, attackers gain access to a business’s private information.

One method of gaining this authentication is a silver ticket attack. Similar to a golden ticket attack, a silver ticket attack compromises credentials by taking advantage of the Kerberos protocol. Preventing and responding to silver ticket attacks is an important security measure every business should take.

What is a Silver Ticket Attack?

A ticket in cybersecurity terms is a number created by a network server as proof of authentication or authorization. A silver ticket is a forged authentication ticket often created when an attacker steals an account password. Silver ticket attacks use this authentication to forge ticket-granting service tickets. A forged service ticket is encrypted and enables access to resources for the specific service targeted by the silver ticket attack.

What a silver ticket attack shares with other types of ticket attacks is the abuse of the Kerberos vulnerability. This is called Kerberoasting, and it harvests password hashes for Microsoft Active Directory user accounts by exploiting Kerberos, a network security protocol that authenticates service requests using secret-key cryptography. In addition to the silver ticket, golden ticket and diamond ticket attacks also take advantage of this vulnerability.

The diamond ticket attack can decrypt and re-encrypt a genuine ticket granting ticket for the attacker’s use. A golden ticket attack gives an attacker full access to the target domain. Silver tickets are more specific in their use but are still a dangerous tool for malicious attackers.

How Silver Ticket Attacks Work

To execute a silver ticket attack, an attacker needs to already have control of a compromised target in the system environment. This initial compromise can come in any form of cyberattack or malware. Once the attacker has a way in, a silver ticket attack follows a step-by-step process to forge authorization credentials.

Step 1. Gather information about the domain and the targeted local service. This involves discovering the domain security identifier and the DNS name of the service the attack is intended for.

Step 2. Use a tool to obtain the local NTLM hash, or password hash, for the Kerberos service. An NTLM hash can be gathered from the local service account or security account manager of a compromised system.

Step 3. Obtain the unencrypted password from the NTLM hash using Kerberoasting.

Step 4. Forge a Kerberos ticket granting service, which allows the attacker to authenticate their targeted service.

Step 5. Use the forged tickets for financial gain or to further corrupt a system, depending on the attacker’s objective.

Once the attacker obtains the forged silver ticket, they can run code as the targeted local system. They can then elevate their privileges on the local host and start moving laterally within the compromised environment or even create a golden ticket. This gives them access to more than the originally targeted service and is a tactic for avoiding cybersecurity prevention measures.

Preventing Silver Ticket Attacks

So how do you prevent credential dumping attacks such as the silver ticket attack? You can either stop attackers from being able to retrieve the password information or limit the access a forged ticket can provide. To prevent Kerberoasting from being successful, you can have developers write software to encrypt data held in memory. You can also build methods that clear sensitive information such as stored passwords on a frequent basis.

If you enforce a user least privilege model to restrict administrator access and limit the number of domain admin accounts, you can prevent silver ticket attacks from escalating. By auditing and strengthening service accounts, you can make sure passwords are harder to find and not shared across a network. Finally, make sure to validate the Kerberos protocol, ensuring tickets were issued by the legitimate key distributor.

The Kerberos protocol remains one of the most secure verification protocols using cryptography, secret keys, and third-party authorization. Preventing and responding to a Kerberos silver ticket is a necessity for staying secure against attackers.

Mitigating and Responding to Silver Ticket Attacks

Silver ticket attacks can be dangerous because they can lead to compromise of your Active Directory security. If an attacker gains access to the Active Directory, they can bypass most cybersecurity measures. How you respond to a silver ticket attack can determine how well you mitigate the consequences for your business.

After a silver ticket attack has taken place, an immediate response from your cybersecurity team is needed. This response should involve asking several questions, and shoring up security measures based on the answers:

  •   How did an attacker access the network initially? Was it a phishing attack or some other breach of security?
  •   What accounts were targeted by the attacker? Are the security measures on these accounts in line with other accounts across the business?
  •   What information did the attacker gain access to? What are the consequences of this information being in the hands of a malicious actor?
  •   What assets have been compromised? Was the attack limited to the initially targeted service, or has the Active Directory been accessed?

Once the answers to these questions are known, the cybersecurity team can begin to take countermeasures. Other ways to mitigate the damage of a silver ticket attack include the following:

  •  Enable privileged attribute certificate validation of Kerberos. This can assist with the prevention and detection of silver tickets.
  •  Use a password service to create unique passwords that are random and strong. For example, a minimum of 30 characters and changing passwords frequently.
  •  Don’t allow any user to have administrative privileges across security boundaries. This prevents a silver ticket attack from escalating by leaving the initially targeted service.

By taking appropriate action, your business can prevent most silver ticket attacks and respond quickly to those you discover.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.