EventPeeker

Detect Silver Ticket Attacks — Forged Kerberos Service Tickets

A Silver Ticket is a forged Kerberos service ticket (TGS) created using a service account's NTLM hash. Unlike a Golden Ticket (which forges a TGT and touches the KDC), a Silver Ticket is used directly at the target service — the Domain Controller is never contacted during the attack. This makes Silver Tickets significantly harder to detect with standard Kerberos monitoring, because the forgery leaves no DC-side authentication logs.

Severity

Critical

ATT&CK Tactic

Credential Access

Common attacker usage

  • Obtain a service account's NTLM hash via Kerberoasting (4769 with RC4 encryption type, then offline cracking), credential dumping, or NTDS.dit extraction
  • Forge a service ticket for a specific SPN (e.g., cifs/fileserver, MSSQLSvc/sql01, host/dc01) with arbitrary group memberships and privileges in the PAC
  • Inject the forged ticket directly into the current session; the target service validates it with its own copy of the service account key, so no KDC contact is required
  • Access the targeted service (file shares, SQL databases, web apps, WMI/WinRM remote management) as any account, including non-existent ones
  • Combine with lateral movement: a HOST service ticket (with RPCSS for WMI, with HTTP for WinRM) gives WMI, Task Scheduler or WinRM execution on the target host without touching the DC

Investigate immediately if

  • Event 4624 Type 3 (Kerberos) on a member server whose Account Domain field is blank or formatted differently from that host's normal logons (forged tickets often carry the FQDN where legitimate logons show the NetBIOS name). Note that 4624 does not record the ticket encryption type; an RC4 ticket forged from a cracked NTLM hash is only visible as such in a packet capture of the AP-REQ
  • Event 4627 (group membership information, logged only when the Audit Group Membership subcategory is enabled) on the target host shows group SIDs that do not match what the account actually belongs to: a forged PAC with escalated privileges
  • Mimikatz kerberos::golden /service: or Rubeus silver appears in Event 4688 (process creation) or 4104 (PowerShell script block)
  • Kerberoasting pattern (4769 with RC4 encryption type for a service SPN) followed hours or days later by a 4624 Type 3 logon from the same attacker IP to the same service host
  • A 4624 Type 3 Kerberos logon on a service host with no corresponding 4769 (service ticket request) on any domain controller within the ticket lifetime (MaxServiceAge, 10 hours by default)

MITRE ATT&CK

Technique

T1558.002 · Silver Ticket

Tactic

Credential Access


Security Relevance

Silver Tickets are stealthier than Golden Tickets because they bypass the KDC entirely. In a Golden Ticket attack, the forged TGT still generates Event 4769 on the DC when the attacker requests a service ticket. A Silver Ticket skips that step: the forged TGS is presented directly to the target service, which validates it using its own service account key without consulting the DC. The result is that no DC security log records the actual attack. Detection therefore relies on anomaly analysis of logon events on member servers (a 4624 with no matching DC 4769, a non-existent account, an Account Domain field that does not look like the host's normal logons), on group membership anomalies (4627), and on the attacker's earlier hash-acquisition step (a 4769 with RC4 encryption type for the service account's SPN). Silver Tickets are limited to a single service/host, but that scope is often enough: a CIFS Silver Ticket grants full file share access, an MSSQL ticket grants database access, and a HOST ticket enables full remote execution via WMI and Task Scheduler.

Indicators of Malicious Use

  • Event 4624 Type 3 Kerberos logon on a service host for an account, source address or Account Domain format that is abnormal for that host. The 4624 itself does not record the ticket encryption type (AuthenticationPackageName is simply Kerberos and LmPackageName is '-'), so RC4 use cannot be read from it; a forged ticket's RC4 etype is visible only in a packet capture of the AP-REQ, while the attacker's earlier Kerberoasting shows as a 4769 with encryption type 0x17 on the DC
  • Event 4627 on the target host showing group SIDs inconsistent with the account's actual AD group membership — the forged PAC can include arbitrary groups including Domain Admins
  • No matching Event 4769 on the DC for the session that generated a 4624 on the member server — Silver Ticket used directly at the service host, never contacted the KDC
  • Event 4688 or 4104: kerberos::golden /service:, Rubeus.exe silver, impacket ticketer.py — explicit Silver Ticket generation commands
  • Event 4769 on DC with RC4 encryption (0x17) for the service account SPN — the attacker Kerberoasted the service account to obtain the hash before forging the ticket
  • Event 4624 on a service host for an account name that does not exist in Active Directory — Silver Tickets can specify arbitrary account names in the forged PAC
  • Logon to a sensitive service (MSSQL, CIFS on DC, LDAP) from a source IP that has no prior authentication history to that service or host

Example Log Entry

-- Step 1: Attacker Kerberoasts the target service account --

Event ID: 4769 — Kerberos Service Ticket Operations
  Account Name:      attacker@CORP.LOCAL
  Service Name:      MSSQLSvc/sql01.corp.local:1433
  Ticket Options:    0x40810000
  Ticket Encryption: 0x17 (RC4-HMAC)  ← offline crackable with hashcat
  Client Address:    ::ffff:10.10.5.22

[Hours later — attacker cracks the MSSQL service account hash offline]

-- Step 2: Attacker uses the hash to forge a Silver Ticket and access SQL --

Command: Rubeus.exe silver /service:MSSQLSvc/sql01.corp.local:1433
         /rc4:<cracked_hash> /user:DomainAdmin /domain:corp.local
         /sid:S-1-5-21-... /ptt

Event ID: 4624 — Logon on SQL01 (member server — NOT the DC)
  Account Name:      DomainAdmin          ← forged identity in ticket
  Logon Type:        3 (Network)
  Authentication:    Kerberos
  Source IP:         10.10.5.22

Note: No Event 4769 appears on the DC for this session —
the forged TGS was presented directly to SQL01, bypassing the KDC.

Investigation Steps

  1. Check for 4769 on the DC for the same service SPN in the hours or days before the suspicious 4624. If a Kerberoasting request (4769 with encryption type 0x17) targeted this service account, you have identified the hash-acquisition step: the Silver Ticket was built from that cracked credential.
  2. On the target member server, examine Event 4627 (group membership information returned during logon; it is only written when the Audit Group Membership subcategory is enabled) for the suspicious session, matched on the Logon ID. If the group SIDs do not match the account's actual AD group membership, the PAC was forged, which is definitive Silver Ticket evidence.
  3. Verify that the account name in Event 4624 exists in Active Directory. Silver Tickets can specify any account name; a non-existent account is unambiguous proof of a forged ticket.
  4. Cross-correlate: does a 4769 for this SPN and account appear on any DC within the ticket lifetime (MaxServiceAge, 10 hours by default) preceding the 4624? Absence of a 4769 for a service that just logged a successful 4624 means the KDC was bypassed, a strong Silver Ticket indicator. Collect the logs of every DC the client could have used before concluding.
  5. Inspect the 4624 fields themselves. The event does not record the ticket encryption type (only the DC's 4768 and 4769 do), so do not expect to see RC4 there; the usable signal is the Account Domain field, which forged tickets often populate with the FQDN or leave blank where legitimate logons on the same host show the NetBIOS name. If a packet capture of the AP-REQ exists, an RC4 (etype 23) service ticket for an account that should only receive AES tickets indicates a ticket forged from an NTLM hash, which is what Mimikatz and Rubeus produce by default.
  6. Search Event 4688 (process creation) and 4104 (PowerShell) on the attacker's likely origin host for Mimikatz (kerberos::golden /service:), Rubeus silver, or impacket ticketer.py. These tools have distinct command-line signatures.
  7. Determine scope: which services were accessed? A CIFS Silver Ticket accesses file shares; HOST grants Task Scheduler execution and, together with RPCSS, WMI; HTTP/WSMAN grants WinRM, web app or remote management access; MSSQLSvc grants database access. Each SPN targeted represents a separate compromise scope.
  8. Rotate the affected service account password immediately; this invalidates all forged Silver Tickets for that SPN. Unlike Golden Ticket remediation (which requires a double krbtgt reset), Silver Ticket invalidation is a single service account password change.
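The correlation that the indicators above and steps 1 to 4 describe, written out as an added example (not EventPeeker's code). It runs over a constructed set of simplified event records whose field names follow the EVTX XML (the timestamps, hosts, SIDs and addresses are made up) and over a constructed snapshot of what AD actually grants each account; in practice both would come from Get-WinEvent or an EVTX parser and from AD. It assumes the default 10-hour service ticket lifetime when deciding whether a DC 4769 could have produced a member-server 4624.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(minutes=600)  # default MaxServiceAge: a legitimate TGS can be reused this long
RC4_HMAC = 0x17                           # TicketEncryptionType value for RC4-HMAC in 4769

# Constructed directory snapshot: account -> the group SIDs AD really assigns it.
DOMAIN = "S-1-5-21-1111-2222-3333"
AD_ACCOUNTS = {
    "svc_backup": {DOMAIN + "-513"},                    # Domain Users only
    "DomainAdmin": {DOMAIN + "-513", DOMAIN + "-512"},  # Domain Users, Domain Admins
}

def ts(hour, minute=0):
    """Constructed timestamps on one day, for the sample events below."""
    return datetime(2024, 3, 1, hour, minute)

# Constructed DC security events (4769 = service ticket issued by the KDC).
DC_EVENTS = [
    {"EventID": 4769, "Time": ts(9, 0), "TargetUserName": "attacker@CORP.LOCAL",
     "ServiceName": "MSSQLSvc/sql01.corp.local:1433", "TicketEncryptionType": 0x17,
     "IpAddress": "::ffff:10.10.5.22"},                                  # the Kerberoast request
    {"EventID": 4769, "Time": ts(10, 0), "TargetUserName": "svc_backup@CORP.LOCAL",
     "ServiceName": "cifs/sql01.corp.local", "TicketEncryptionType": 0x12,
     "IpAddress": "::ffff:10.10.7.3"},                                   # ordinary AES256 ticket
]

# Constructed member-server events from SQL01: 4624 network logons and their 4627 group lists.
MEMBER_EVENTS = [
    {"EventID": 4624, "Time": ts(10, 5), "Computer": "SQL01.corp.local", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetLogonId": "0x1a2b",
     "IpAddress": "10.10.7.3"},
    {"EventID": 4627, "Computer": "SQL01.corp.local", "TargetLogonId": "0x1a2b",
     "GroupMembership": [DOMAIN + "-513"]},
    {"EventID": 4624, "Time": ts(14, 0), "Computer": "SQL01.corp.local", "TargetUserName": "DomainAdmin",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetLogonId": "0x3c4d",
     "IpAddress": "10.10.5.22"},
    {"EventID": 4627, "Computer": "SQL01.corp.local", "TargetLogonId": "0x3c4d",
     "GroupMembership": [DOMAIN + "-513", DOMAIN + "-512", DOMAIN + "-519"]},  # -519 Enterprise Admins: forged
    {"EventID": 4624, "Time": ts(14, 10), "Computer": "SQL01.corp.local", "TargetUserName": "ghost",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetLogonId": "0x5e6f",
     "IpAddress": "10.10.5.22"},
]

def spn_host(spn):
    """'MSSQLSvc/sql01.corp.local:1433' -> 'sql01.corp.local'."""
    return spn.split("/", 1)[1].split(":", 1)[0].lower()

def bare_user(name):
    """'svc_backup@CORP.LOCAL' -> 'svc_backup' (4769 carries the UPN form, 4624 the bare name)."""
    return name.split("@", 1)[0].lower()

def bare_ip(addr):
    """'::ffff:10.10.5.22' -> '10.10.5.22' (4769 logs IPv4-mapped addresses)."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def analyze(dc_events, member_events, ad_accounts):
    """Return one finding per suspicious Kerberos network logon, listing the indicators that fired."""
    tgs = [e for e in dc_events if e["EventID"] == 4769]
    groups_by_logon = {e["TargetLogonId"]: set(e["GroupMembership"])
                       for e in member_events if e["EventID"] == 4627}
    findings = []
    for logon in member_events:
        if (logon["EventID"] != 4624 or logon["LogonType"] != 3
                or logon["AuthenticationPackageName"] != "Kerberos"):
            continue
        host, user, ip = logon["Computer"].lower(), logon["TargetUserName"], logon["IpAddress"]
        reasons = []
        # The account named in a forged PAC need not exist at all (step 3).
        if user not in ad_accounts:
            reasons.append("account does not exist in AD")
        # A real service ticket for this user and host must have been issued within the lifetime (step 4).
        issued = [t for t in tgs if bare_user(t["TargetUserName"]) == user.lower()
                  and spn_host(t["ServiceName"]) == host
                  and timedelta(0) <= logon["Time"] - t["Time"] <= TICKET_LIFETIME]
        if not issued:
            reasons.append("no DC 4769 for this account and host within ticket lifetime")
        # Token groups from 4627 that AD never granted the account mean a forged PAC (step 2).
        token = groups_by_logon.get(logon["TargetLogonId"])
        real = ad_accounts.get(user)
        if token is not None and real is not None and not token <= real:
            reasons.append("4627 groups not in AD membership: " + ", ".join(sorted(token - real)))
        # An earlier RC4 ticket for this host's SPN from the same client is the Kerberoast precursor (step 1).
        roast = [t for t in tgs if t["TicketEncryptionType"] == RC4_HMAC
                 and spn_host(t["ServiceName"]) == host
                 and bare_ip(t["IpAddress"]) == ip and t["Time"] < logon["Time"]]
        if roast:
            reasons.append("earlier RC4 (0x17) 4769 for this host from the same client IP")
        if reasons:
            findings.append({"host": logon["Computer"], "user": user, "ip": ip, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(DC_EVENTS, MEMBER_EVENTS, AD_ACCOUNTS):
        print(f"{f['host']}: {f['user']} from {f['ip']}")
        for r in f["reasons"]:
            print("  -", r)
```

On the sample data the svc_backup logon is clean (its 4769 precedes it by five minutes and its token groups match AD), while the DomainAdmin logon trips three indicators and the ghost logon trips the non-existent-account check. Real 4627 events carry the SIDs as one string in the GroupMembership field, so a production version would split that string; everything else maps directly onto the XML fields.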


Common False Positives

  • RC4 service tickets (4769 with encryption type 0x17) are not exclusively Kerberoasting or Silver Ticket activity: older Windows systems, some printers and appliances, and service accounts without AES enabled in msDS-SupportedEncryptionTypes still negotiate RC4. The pattern that matters is an unexpected account plus no DC-side 4769 plus anomalous group membership (4627).
  • Some legitimate services request Kerberos tickets with unusual encryption types or option flags for compatibility reasons. Verify against a known baseline of encryption types used by that service before concluding a ticket is forged.
  • Red team engagements and authorized penetration tests generate Silver Tickets during Kerberos attack-path exercises. Confirm the source IP is in scope before escalating.
  • Kerberoasting alone is not a Silver Ticket attack. Kerberoasting (4769 with RC4) is the hash-acquisition step: it requests a legitimate service ticket to crack offline. The Silver Ticket is the exploitation step: using the cracked hash to forge a new ticket with arbitrary privileges.

Remediation

  • Rotate the compromised service account password immediately — a single password change invalidates all forged Silver Tickets for that service's SPN. Unlike Golden Ticket remediation, you do not need a double reset.
  • Audit all Kerberoastable accounts: any account with a registered SPN can be Kerberoasted, and a human-chosen password that has not changed in more than 90 days is what makes the cracking step practical. Run Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,PasswordLastSet | Where-Object { $_.SamAccountName -ne 'krbtgt' } and rotate stale passwords (krbtgt is handled separately, as part of Golden Ticket remediation).
  • Enforce AES and retire RC4 at both ends: set 'Network security: Configure encryption types allowed for Kerberos' to AES128/AES256 on hosts, and set msDS-SupportedEncryptionTypes on each service account so the KDC issues only AES tickets for its SPNs. This removes the RC4 ticket that Kerberoasting relies on (an AES ticket is encrypted with a PBKDF2-derived key and is far slower to crack), and on hosts where RC4 is disallowed a ticket forged with the NT hash (the Mimikatz and Rubeus default) should be rejected at the AP-REQ; verify that on your own builds. It does not protect against an attacker who already holds the account's AES key from LSASS or NTDS.dit, since an AES Silver Ticket can be forged just as easily; only a password change invalidates that.
  • Use Group Managed Service Accounts (gMSA) wherever the service supports them: AD generates long random passwords and rotates them automatically (every 30 days by default), so a Kerberoasted ticket cannot realistically be cracked before the password changes.
  • Force PAC validation on sensitive service hosts. By default a service that holds SeTcbPrivilege (LocalSystem and most Windows services) does not ask a DC to verify the KDC signature on the PAC; the registry value that controls this on the host is ValidateKdcPacSignature under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. When validation is in force the host checks each PAC with a DC over Netlogon, which rejects forged PAC data at the cost of additional DC load. Confirm on your OS build which services the setting covers, and apply it to high-value service hosts first (MSSQL, file servers, LDAP-consuming applications).
  • Deploy Microsoft Defender for Identity — it detects Kerberoasting (the prerequisite step) and anomalous ticket usage patterns including Silver Ticket indicators via behavioral baselines of Kerberos traffic.
  • Remove unnecessary SPNs: audit registered SPNs with setspn -Q */* and remove those for decommissioned services. Unnecessary SPNs create additional Silver Ticket attack surface from legitimate-looking but unmonitored accounts.
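The audit that the remediation list asks for (SPN accounts with stale passwords or RC4 still allowed, gMSAs and krbtgt set aside), as an added example rather than EventPeeker's code. It runs over constructed account records shaped like the AD attributes involved; in practice they would come from Get-ADObject or an LDAP query. The 90-day threshold is the one the page uses, and the bit values are the documented msDS-SupportedEncryptionTypes flags.

```python
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags: the etypes the KDC may issue tickets in for this account.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
WEAK = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
MAX_AGE = timedelta(days=90)

# Constructed account records (names, dates and SPNs are made up).
NOW = datetime(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": datetime(2023, 1, 10), "msDS-SupportedEncryptionTypes": None},        # stale, attribute unset
    {"sAMAccountName": "svc_web", "objectClass": "user", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": datetime(2024, 2, 1), "msDS-SupportedEncryptionTypes": 0x18},         # fresh, AES only
    {"sAMAccountName": "svc_legacy", "objectClass": "user", "servicePrincipalName": ["cifs/legacy01.corp.local"],
     "pwdLastSet": datetime(2024, 2, 10), "msDS-SupportedEncryptionTypes": 0x1C},        # fresh, RC4 still allowed
    {"sAMAccountName": "gmsa_app$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/app01.corp.local"], "pwdLastSet": datetime(2024, 2, 20),
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "krbtgt", "objectClass": "user", "servicePrincipalName": ["kadmin/changepw"],
     "pwdLastSet": datetime(2022, 6, 1), "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "alice", "objectClass": "user", "servicePrincipalName": [],
     "pwdLastSet": datetime(2022, 6, 1), "msDS-SupportedEncryptionTypes": None},
]

def etype_names(mask):
    """Decode an msDS-SupportedEncryptionTypes bitmask into etype names, in bit order."""
    names = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5", RC4_HMAC: "RC4-HMAC",
             AES128_CTS: "AES128", AES256_CTS: "AES256"}
    return [n for bit, n in names.items() if mask & bit]

def audit(accounts, now):
    """Return (sAMAccountName, [problems]) for every Kerberoastable account that needs attention."""
    results = []
    for a in accounts:
        if not a["servicePrincipalName"]:
            continue  # no SPN: cannot be Kerberoasted, nothing to forge a Silver Ticket for
        if a["objectClass"] == "msDS-GroupManagedServiceAccount":
            continue  # password is machine-generated and rotated by AD
        if a["sAMAccountName"].lower() == "krbtgt":
            continue  # rotated separately, as Golden Ticket remediation
        problems = []
        age = now - a["pwdLastSet"]
        if age > MAX_AGE:
            problems.append(f"password {age.days} days old")
        etypes = a["msDS-SupportedEncryptionTypes"]
        if etypes is None:
            problems.append("msDS-SupportedEncryptionTypes unset: KDC domain default applies, historically RC4")
        elif etypes & WEAK:
            problems.append("weak etypes allowed: " + ", ".join(etype_names(etypes & WEAK)))
        elif not etypes & (AES128_CTS | AES256_CTS):
            problems.append("no AES etype enabled")
        if problems:
            results.append((a["sAMAccountName"], problems))
    return results

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ACCOUNTS, NOW):
        print(name + ": " + "; ".join(problems))
```

Fixing the flagged accounts means rotating the stale password (which also invalidates any Silver Ticket already forged for that SPN) and setting msDS-SupportedEncryptionTypes to AES only, then confirming that subsequent 4769 events for the SPN show encryption type 0x12 rather than 0x17.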

Related Event IDs

4624: Successful logon on the target host; the primary Silver Ticket evidence. Check the account name and Account Domain fields and correlate against the absence of a DC 4769 (the event does not record the ticket encryption type)
4627: Group membership information during logon; a forged PAC shows group SIDs inconsistent with actual AD membership
4769: Kerberos service ticket request; the Kerberoasting step that acquires the hash, and the event that is absent on the DC during Silver Ticket use
4672: Special privileges assigned; if the forged PAC includes Domain Admin SIDs, 4672 fires on the target host
4688: Process creation; Mimikatz kerberos::golden /service: or Rubeus silver command-line signatures
4104: PowerShell script block; Silver Ticket generation via PowerShell-wrapped Mimikatz or Rubeus

Frequently Asked Questions

What is the difference between a Silver Ticket and a Golden Ticket?
A Golden Ticket forges a Ticket Granting Ticket (TGT) using the krbtgt account hash — it grants access to any service in the domain and generates Event 4769 on the DC when the attacker later requests service tickets. A Silver Ticket forges a Ticket Granting Service ticket (TGS) using a specific service account's hash — it only works for that one service but never contacts the DC during use, leaving no DC-side authentication logs. Silver Tickets are narrower in scope but significantly harder to detect.
How does an attacker get the service account hash for a Silver Ticket?
The most common method is Kerberoasting: any authenticated domain user can request a service ticket (4769) for any SPN. The DC returns the ticket encrypted with a key derived from the service account's password (with RC4 that key is the NT hash itself), which can be cracked offline with hashcat. Other sources: NTDS.dit extraction via DCSync or a volume shadow copy, LSASS memory dumping, or obtaining the hash from a previously compromised host where the service account authenticated.
Why is Silver Ticket harder to detect than Golden Ticket?
During a Golden Ticket attack, the attacker still requests service tickets (4769) from the DC when accessing services — those events appear in DC security logs. A Silver Ticket bypasses the DC entirely: the forged TGS is presented directly to the target service, which validates it using its own copy of the service account key without contacting the KDC. No 4768 TGT request, no 4769 service ticket request appears on the DC during the attack. Detection relies on anomaly analysis of member server logon events (4624) and group membership data (4627).
Does rotating the krbtgt password fix a Silver Ticket?
No. Silver Tickets are forged using the service account's hash, not the krbtgt hash. Resetting the krbtgt password (used for Golden Ticket remediation) has no effect on Silver Tickets. The correct remediation is to rotate the password of the specific compromised service account — this invalidates all forged Silver Tickets for that SPN immediately, without any double-reset requirement.
