search
LinkedinTryHackme

Detecting Golden Tickets/Silver Tickets

hashtag
Golden Ticket

Golden Ticket attacks involve forging a Ticket Granting Ticket (TGT) to impersonate a domain administrator and gain full access to the domain. This attack is persistent and difficult to detect as it uses a valid, forged TGT that can be created offline by an attacker.

hashtag
Attack Steps

  1. Extract KRBTGT Hash: The attacker obtains the NTLM hash of the KRBTGT account, typically using DCSync or by dumping NTDS.dit and LSASS.

  2. Forge TGT: The attacker creates a TGT using the KRBTGT hash, granting themselves domain administrator privileges.

  3. Inject Forged TGT: The attacker injects this TGT into a logon session, enabling unauthorized access to domain resources.

hashtag
Detection Opportunities

Detection relies on identifying indicators such as:

  • DCSync activity: Monitoring for suspicious DCSync requests.

  • NTDS.dit or LSASS access: Sysmon Event ID 10 can help track LSASS access for hash extraction.

  • Pass-the-Ticket alerts: Golden Ticket use resembles Pass-the-Ticket behaviors.

hashtag
Example Splunk Query: Detecting Golden Tickets

Description: This search identifies Golden Ticket use by looking for Kerberos events without an associated Event ID 4768. These unlinked tickets may indicate forgery.

Timeframe: earliest=1690451977 latest=1690452262

index=main earliest=1690451977 latest=1690452262 source="WinEventLog:Security" user!=*$ EventCode IN (4768,4769,4770)
| rex field=user "(?<username>[^@]+)"
| rex field=src_ip "(\:\:ffff\:)?(?<src_ip_4>[0-9\.]+)"
| transaction username, src_ip_4 maxspan=10h keepevicted=true startswith=(EventCode=4768)
| where closed_txn=0
| search NOT user="*$@*"
| table _time, ComputerName, username, src_ip_4, service_name, category

hashtag
Silver Ticket

Silver Ticket attacks allow adversaries to create forged service-specific TGS tickets for targeted resources, providing limited access compared to Golden Tickets.

hashtag
Attack Steps

  1. Extract Service Account Hash: The attacker extracts the NTLM hash of a target service account (e.g., SQL Server).

  2. Forge TGS Ticket: Using the hash, the attacker creates a forged TGS ticket.

  3. Inject and Access: The attacker injects the forged ticket into a session to gain access to specific resources.

hashtag
Detection Opportunities

Detection focuses on:

  • New User Creation: Event ID 4720 can identify newly created accounts.

  • Privilege Assignments: Event ID 4672 helps monitor special logon privileges given to accounts, which may indicate suspicious access.

hashtag
Example Splunk Queries for Silver Ticket Detection

hashtag
Query 1: Comparing Created Users with Logged-in Users

Description: This search cross-references newly created users against recent logins to detect suspicious account activity.

User List Creation:

Logged-in Users Comparison:

Timeframe: latest=1690545656

hashtag
Query 2: Detecting Special Privileges on New Logon Events

Description: This search identifies accounts with special privileges assigned recently, indicating potentially unauthorized access using Silver Tickets.

Timeframe: latest=1690545656

hashtag
Summary

Golden Ticket and Silver Ticket attacks exploit the Kerberos authentication process to allow unauthorized access within a Windows Active Directory environment. Detection efforts focus on identifying anomalies in user logons, newly created accounts, and assigned privileges. By combining behavioral and event-based detections in Splunk, security teams can improve their ability to identify and respond to these advanced attacks.

PreviousDetecting Overpass-the-HashNextDetecting Unconstrained Delegation/Constrained Delegation Attacks

Last updated