
T1558.002 Silver Ticket

Sub-technique of T1558

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket-granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets) Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets) Password hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).
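Because a forged service ticket is never requested from the KDC, one defensive check is to correlate Kerberos logons recorded on the service host with service-ticket issuance recorded on the domain controllers. The following is an added example, not part of the ATT&CK entry; the normalized field names, the constructed sample events, the 10-hour ticket lifetime and the 5-minute clock skew are assumptions.

```python
from datetime import datetime, timedelta

# Assumptions: 10-hour maximum service-ticket lifetime and 5-minute clock skew;
# set both to match the domain's Kerberos policy.
TICKET_LIFETIME = timedelta(hours=10)
CLOCK_SKEW = timedelta(minutes=5)

# Constructed sample data (not real logs). Fields are a hypothetical normalized
# form of DC event 4769 (service ticket requested) ...
KDC_ISSUED = [
    {"time": "2024-03-01T08:00:05", "user": "alice", "service_account": "svc_sql"},
    {"time": "2024-03-01T09:10:00", "user": "bob", "service_account": "svc_sql"},
]
# ... and of service-host event 4624 (Kerberos network logon), with the service
# account filled in by the collector from the host the event came from.
HOST_LOGONS = [
    {"time": "2024-03-01T08:00:06", "user": "alice", "service_account": "svc_sql", "src": "10.0.0.21"},
    {"time": "2024-03-01T20:30:00", "user": "bob", "service_account": "svc_sql", "src": "10.0.0.22"},
    {"time": "2024-03-01T11:45:00", "user": "svc_admin", "service_account": "svc_sql", "src": "10.0.0.99"},
]

def _key(event):
    return (event["user"].lower(), event["service_account"].lower())

def logons_without_kdc_ticket(kdc_events, host_logons, lifetime=TICKET_LIFETIME):
    """Return host logons for which no KDC-issued service ticket exists for the
    same (user, service account) within the ticket lifetime before the logon."""
    issued = {}
    for ev in kdc_events:
        issued.setdefault(_key(ev), []).append(datetime.fromisoformat(ev["time"]))
    suspects = []
    for logon in host_logons:
        t = datetime.fromisoformat(logon["time"])
        times = issued.get(_key(logon), [])
        if not any(-CLOCK_SKEW <= t - issue <= lifetime for issue in times):
            suspects.append(logon)
    return suspects

if __name__ == "__main__":
    for hit in logons_without_kdc_ticket(KDC_ISSUED, HOST_LOGONS):
        print("no KDC issuance found for logon:", hit)
```

A hit is a lead for investigation rather than proof of forgery: gaps in domain controller log collection or a ticket lifetime longer than assumed produce the same result.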

ATT&CK tactics · 1

Credential Access

References

  1. https://attack.mitre.org/techniques/T1558/002
  2. https://adsecurity.org/?p=2011
  3. https://adsecurity.org/?p=1515
  4. https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.