Find sigma rule
Attack: Steal or Forge Kerberos Tickets: Silver Ticket
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
MITRE
Tactic
- credential-access
technique
- T1558.002
Test : Crafting Active Directory silver tickets with mimikatz
OS
- windows
Description:
Once the hash of service account is retrieved it is possible to forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
Executor
powershell
Sigma Rule
-
win_alert_mimikatz_keywords.yml (id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8)
-
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
-
proc_creation_win_hktl_mimikatz_command_line.yml (id: a642964e-bead-4bed-8910-1bb4d63e3b4d)
-
proc_creation_win_lolbin_replace.yml (id: 9292293b-8496-4715-9db6-37028dcda4b3)
-
posh_ps_remove_item_path.yml (id: b8af5f36-1361-4ebe-9e76-e36128d947bf)
-
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
-
posh_ps_detect_vm_env.yml (id: d93129cd-1ee0-479f-bc03-ca6f129882e3)
-
file_event_win_hktl_powerup_dllhijacking.yml (id: 602a1f13-c640-4d73-b053-be9a2fa58b96)
-
proc_creation_win_hktl_execution_via_imphashes.yml (id: 24e3e58a-646b-4b50-adef-02ef935b9fc8)