With a name like Silver Ticket, you might think it’s not as scary as its cousin the Golden Ticket – you’d be horribly mistaken. A Silver Ticket is just as nasty and invasive, and even stealthier.
Important technical note: Kerberos uses authentication tokens, or tickets, to verify identities of Active Directory entities. This includes users, service accounts, domain admins, and computers. All of those entities have a password in Active Directory (AD), even though you might not have actually created or changed it manually.
What is a Silver Ticket?
A Silver Ticket is a forged service authentication ticket.
A hacker can create a Silver Ticket by cracking a computer account password and using that to create a fake authentication ticket. Kerberos allows services (low-level Operating System programs) to log in without double-checking that their token is actually valid, which hackers have exploited to create Silver Tickets.
If you really want to deep dive into Kerberos authentication hacking, Sean Metcalf gave an excellent talk at BlackHat a few years ago. In the simplest terms, a Silver Ticket is a forged authentication ticket that allows you to log into some accounts.
Silver Tickets are harder to detect than Golden Tickets because there is no communication between the service and the DC – and any logging is local to the targeted computer.
Usually Kerberos tickets are verified by the 3rd party Privileged Account Certificate (PAC). Service accounts, for some reason, aren’t always checked, which is ultimately what makes this attack work. Services are low-level applications like CIFS, Windows Firewall, or Print Spooler.
With a Silver Ticket in hand, hackers can use a pass-the-ticket technique to elevate either their access or use the service’s privileges to obtain further access. While more limited than Golden Tickets, with a little modern ingenuity, an attacker can still use a Silver Ticket to do some major infiltration.
What Can Attackers Do With a Silver Ticket?
Let’s imagine that an attacker jacked your domain with a Golden Ticket. Despite best efforts to clean up after the attack, the attacker still has access to one computer, and they have PowerShell.
This is what can happen next:
- The attacker uses a couple of hacking tools to export the hash of a computer account password
- They crack the CIFS service account password to log into the CIFS service account
- With the CIFS service account, they steal the SYSVOL directory from C$
- They use the files in SYSVOL to access the HOST service account password hash
- They crack the HOST service account password
- Then they use the cracked service account to create a new scheduled task on the computer
- Which allows them to grab the hash of the KRBTGT account
- And then they create… Another Golden Ticket!
If you thought changing all the user passwords, all the service account passwords, and the KRBTGT password twice was enough to recover from the first Golden Ticket attack…now you get to do it all over again.
Another important technical note: This is a major oversimplification – if you want to play with this technique, you can do so on your own.
How to Defend Yourself from a Silver Ticket Attack
- Patch all servers and images for CVE-2014-6324
- This is the vulnerability that lets a Silver Ticket become a Domain Admin account
- Set all admin and service accounts to “Sensitive and cannot be delegated”
- This will prevent an attacker from lateral movement by delegating their hacked account to other services or computers
- Make sure that computer accounts are not members of administrator groups
- Change computer account passwords every 30 days
What is Kerberoast?
Kerberoast is a hacking tool that can crack a kerberos hash using brute force techniques. It can crack an NTLM hash in a few hours and provides the password stored in the hash as a result. Attackers use the cracked hash to progress their Silver Ticket attack.
How Varonis Can Stop Silver Ticket Attacks
Varonis gathers and analyzes activity data from Active Directory, data storage, and the perimeter defenses and analyzes all of this data to detect abnormal behavior and track behavior patterns that could be cyberattacks.
Varonis security analytics discover many kinds of attacks and alert on abnormal activity throughout the kill chain – including lateral movement and privilege escalation, which are key activities in a Silver Ticket attack.
Attackers will use computer accounts to access services or computers to gather data files or scout for their next foothold.
Varonis Threat Model: Abnormal computer behavior: computer account attempted to access a personal device for the first time
How it works: A computer account is trying to access a personal device, which is certainly not expected behavior of any computer account
What it means: This means that an attacker is using a computer account to move around the network, probably looking for greater privileges to steal
Where it works: Directory Services
To create the Silver Ticket, the attacker will need to use one of the aforementioned hacking tools. Varonis maintains a database of known hacking tools – and can alert you when an attacker accesses one of them.
Varonia Threat Model: Penetration testing and hacking tools accessed
How it works: Someone accessed a tool used by hackers or pentesters on monitored data storage. Attackers may use file servers to create Silver Tickets, and if they use a file that is in our database Varonis will trigger an alert.
What it means: 99.9% of users have no reason to run mimikatz or kerberoast. If someone is using tools like that on your data storage, it’s a good indication that there’s an attack in progress.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS
Since the attackers are using Silver Tickets, they will be using service accounts to gather data. Varonis is able to automatically discover accounts and categorize all accounts as user, service, privileged, or executive. Varonis analyzes activity for each of these categories differently and compares current activity to past behaviors.
Varonis Threat Model: Abnormal service behavior: access to atypical files
How it works: Service accounts are expected to repeat the same activity over and over again, so when service accounts access different data this alert is triggered.
What it means: Someone is using this service account incorrectly, and it could be an attacker.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, One Drive, Dell FluidFS
Getting notice of a potential attacker inside your network is key to preventing data breaches and responding to the cyberattack before they can steal data: Varonis can help investigate anomalies, reduce security vulnerabilities, and prevent future attacks.
Get a free risk assessment to see where you may be vulnerable to security breaches, including a Silver Ticket or pass-the-hash attack – and sign up for a 1:1 demo to see how to detect abnormal behavior that indicates an attack-in-progress, and defend against cybersecurity threats.