Malicious actors are constantly seeking ways to bypass authentication mechanisms for unauthorized access. One common tactic is exploiting vulnerabilities in authentication protocols like Kerberos, which is widely used for network security in Microsoft Active Directory (AD) environments.
A silver ticket attack is a post-exploitation attack where an adversary forges a Kerberos service ticket (TGS) to access specific services without needing reauthentication by the domain controller. Unlike a golden ticket attack, which grants full domain control, a silver ticket attack is more targeted, allowing adversaries to abuse a specific service account while bypassing certain security controls. Preventing and detecting silver ticket attacks is critical to securing an organization's Active Directory infrastructure.
What is a silver ticket attack?
In Kerberos authentication, a "ticket" is a cryptographic token issued by the Key Distribution Center (KDC) to authenticate users and grant them access to services.
A silver ticket is a forged service ticket that allows an attacker to authenticate directly to a service without interacting with the KDC. These forged tickets are encrypted using the service account's password hash, making it possible to access the targeted service without a valid Ticket Granting Ticket (TGT).
Unlike golden ticket attacks, which compromise the Kerberos Ticket Granting Ticket (KRBTGT) account hash (granting domain-wide persistence), silver ticket attacks exploit individual service account hashes, making them harder to detect and often more stealthy.
Key differences between Kerberos ticket attacks
Attack type | Scope of access | Key material required | Persistence |
---|---|---|---|
Golden Ticket | Full domain control | KRBTGT account hash | Long-term |
Silver Ticket | Targeted service access | Service account hash | Limited but stealthy |
Diamond Ticket | Reuse of legitimate TGTs | Extracted TGT from memory | Short-term |
How silver ticket attacks work
To execute a silver ticket attack, an attacker must already have local administrator access on a compromised machine and obtain the NTLM hash of the targeted service account. The attack follows these steps:
- Gather information: The attacker collects domain details such as the Domain Security Identifier (SID) and the DNS name of the target service.
- Obtain the NTLM hash: The attacker extracts the NTLM hash of a service account, often from a misconfigured service running with high privileges. This can be achieved through credential dumping techniques using tools like Mimikatz.
- Forge a service ticket (TGS): The attacker creates and encrypts a fake service ticket using the stolen service account hash, allowing authentication to the target service.
- Use the forged ticket: The attacker presents the forged TGS to the service, gaining access without ever needing a Ticket Granting Ticket (TGT) from the domain controller (DC).
- Escalate privileges & move laterally: Attackers can use silver ticket access to execute code as the service account, escalate privileges on the local system, or pivot to further compromise the environment.
Preventing silver ticket attacks
To prevent silver ticket attacks, organizations must focus on securing service accounts and monitoring abnormal authentication behaviors to detect and mitigate potential threats.
1. Secure Active Directory
Implementing the Principle of Least Privilege ensures that service accounts only have the minimum permissions required to function, reducing the risk of exploitation. Monitoring service account activity allows organizations to detect unusual behavior, such as unexpected logins or unauthorized access attempts. Regularly rotating service account passwords further reduces the likelihood of attackers maintaining persistent access. Additionally, hardening the KRBTGT account—while not directly involved in silver ticket attacks—helps limit lateral movement and domain-wide compromise.
2. Reduce the risk of credential theft
To minimize credential theft, organizations should enforce multi-factor authentication for privileged accounts, making it significantly harder for attackers to leverage stolen credentials. Limiting the use of service accounts by avoiding the execution of unnecessary services with elevated privileges also reduces exposure. Using Managed Service Accounts is another effective strategy, as these accounts automatically rotate passwords, eliminating the need for manual password management and lowering the risk of compromise.
3. Detect and respond to silver ticket attacks
Detecting a silver ticket attack requires continuous monitoring of Kerberos authentication activity. Security teams should look for anomalous service ticket (TGS) activity, such as unusually long-lived or reused tickets, which may indicate an attack in progress. Inspecting authentication logs for logons from service accounts at unexpected times or locations can provide early warning signs of compromise. Behavioral analytics solutions can help identify irregular authentication patterns that deviate from normal user behavior. Finally, leveraging real-time identity protection tools, such as CrowdStrike Falcon® Identity Protection, enables continuous monitoring and automated response to suspicious Kerberos ticket activity, ensuring faster threat detection and mitigation.
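As an added illustration of the correlation described above (not code from the original article or from CrowdStrike), the following Python checks Kerberos network logons recorded on a service host against service-ticket issuance events from the domain controller: a forged service ticket never touches the KDC, so a Kerberos logon with no preceding TGS request is a candidate silver ticket. The event fields, account names, IP addresses, business hours and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are UTC.
# DC_TGS_EVENTS stands in for Event ID 4769 (service ticket requested) as logged on the DC.
DC_TGS_EVENTS = [
    {"time": "2024-05-01T09:00:05", "user": "alice@CORP.LOCAL", "service": "svc-sql", "client_ip": "10.0.0.21"},
    {"time": "2024-05-01T09:12:40", "user": "bob@CORP.LOCAL", "service": "svc-sql", "client_ip": "10.0.0.35"},
]
# HOST_LOGON_EVENTS stands in for Event ID 4624 (logon type 3) on the member server that runs svc-sql.
HOST_LOGON_EVENTS = [
    {"time": "2024-05-01T09:00:07", "user": "alice", "client_ip": "10.0.0.21", "package": "Kerberos"},
    {"time": "2024-05-01T09:12:41", "user": "bob", "client_ip": "10.0.0.35", "package": "Kerberos"},
    # No 4769 on the DC precedes this logon: the service accepted a ticket the KDC never issued.
    {"time": "2024-05-01T23:47:02", "user": "Administrator", "client_ip": "10.0.0.99", "package": "Kerberos"},
    {"time": "2024-05-01T10:05:00", "user": "carol", "client_ip": "10.0.0.40", "package": "NTLM"},
]


def _account(name: str) -> str:
    """Normalise 'alice@CORP.LOCAL' (4769 form) and 'alice' (4624 form) to one key."""
    return name.split("@", 1)[0].lower()


def is_off_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """True when a logon falls outside the assumed business window or on a weekend."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def find_uncorrelated_kerberos_logons(host_events, dc_events, service_account, window_minutes=10):
    """Flag Kerberos logons to service_account that have no matching 4769 on the DC.

    A genuine service ticket is requested from the KDC (4769 with the same user,
    same client IP and ServiceName == service_account) shortly before the logon.
    A forged ticket skips the KDC entirely, so no such 4769 exists.
    """
    window = timedelta(minutes=window_minutes)
    suspects = []
    for logon in host_events:
        if logon["package"] != "Kerberos":
            continue  # NTLM logons are a different detection problem, not a silver ticket
        logon_ts = datetime.fromisoformat(logon["time"])
        issued = any(
            _account(tgs["user"]) == _account(logon["user"])
            and tgs["client_ip"] == logon["client_ip"]
            and tgs["service"] == service_account
            and timedelta(0) <= logon_ts - datetime.fromisoformat(tgs["time"]) <= window
            for tgs in dc_events
        )
        if not issued:
            suspects.append({"user": logon["user"], "client_ip": logon["client_ip"], "time": logon["time"],
                             "off_hours": is_off_hours(logon_ts),
                             "reason": "Kerberos logon with no TGS issuance (4769) on the DC"})
    return suspects
```

In production this check depends on 4769 auditing being enabled on every DC, 4624 auditing on the service host, and synchronised clocks; a missing 4769 can also be a log-collection gap, so treat a hit as a lead to investigate rather than a verdict.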
By implementing proactive security measures, continuously monitoring service account usage, and utilizing advanced identity protection solutions, organizations can effectively prevent, detect, and mitigate silver ticket attacks before they escalate into full-scale security incidents.
Mitigating and responding to silver ticket attacks
Silver ticket attacks are dangerous because they bypass domain controller validation and enable stealthy privilege escalation. If an attack is detected, organizations must act quickly to contain the threat.
Incident response steps
- Identify the affected service account: Review logs to determine which service account was used in the attack.
- Reset the compromised service account password: This invalidates forged silver tickets tied to that account.
- Analyze lateral movement: Determine whether attackers escalated privileges or compromised additional systems.
- Harden authentication mechanisms: Ensure MFA is enforced for privileged users and that service account permissions are minimal.
- Investigate root cause: Determine how the attacker obtained initial access to prevent future breaches.
Additional countermeasures:
- Enable Privilege Attribute Certificate (PAC) validation: Lets the service verify the ticket's PAC with the domain controller, preventing attackers from modifying Kerberos ticket attributes.
- Implement strong password policies: Use random, long passwords for service accounts and change them frequently.
- Restrict administrative privileges: Prevents attackers from escalating silver ticket access into full domain compromise.
By strengthening identity security, monitoring authentication activity, and enforcing least privilege, organizations can prevent, detect, and mitigate silver ticket attacks before they escalate into full-scale domain compromises.
Securing the attack surface with CrowdStrike
A silver ticket attack is a powerful technique attackers use to maintain access to an enterprise environment. Because it exploits a fundamental weakness in Kerberos authentication, prevention requires a multi-layered security approach, combining identity protection, strong AD security, behavioral detection, and proactive threat hunting.
Unify detection and response across your security stack with CrowdStrike Falcon® XDR™ and Falcon® Identity Protection to detect and mitigate advanced identity-based threats.