T1558.002: Silver Ticket
| View on MITRE ATT&CK | T1558.002 |
|---|---|
| Tactic(s) | Credential Access |
Data from MITRE ATT&CK®:
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Encrypt Sensitive Information
Protect sensitive information with strong encryption.Password Policies
Set and enforce secure password policies for accounts.How to detect this technique
MITRE ATT&CK Data Components
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.