This note documents detection patterns for Silver Ticket abuse (forged Kerberos service tickets) within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Critical | LogonType 3 (Network) using Kerberos on target host without corresponding 4769 on DC is the strongest indicator. Silver tickets are presented directly to the service. |
| Security | 4769 | Kerberos service ticket request | Critical | Absence of 4769 for a service where access occurred is the key detection gap. Silver tickets bypass KDC, so no TGS request is logged. |
| Security | 4672 | Special privileges assigned | High | Forged PAC may include admin groups → immediate privileged session on target host. |
| Security | 5140 | Share accessed | Critical | SMB access (\\host\C$, ADMIN$) using Kerberos with no matching 4769 (cifs/SPN) strongly suggests silver ticket usage. |
| Security | 5145 | Detailed share access | High | Confirms file-level interaction after authentication. Combine with missing TGS for stronger signal. |
| System | 4 | Kerberos error (KRB_AP_ERR_MODIFIED) | High | Indicates service could not decrypt ticket → often failed silver ticket attempt (wrong key/SPN). |
| Security | 4688 | Process creation | High | Post-auth activity (e.g., cmd.exe, powershell.exe, psexecsvc.exe) immediately after Kerberos logon suggests lateral movement via forged ticket. |
| Sysmon | 1 | Process creation | High | Detection of tooling: mimikatz, rubeus, .kirbi, ptt, asktgs, s4u, /service:cifs, etc. |
| Sysmon | 3 | Network connection | Medium | Outbound connections to specific service hosts (445, 5985, 1433, 80/443) tied to suspicious Kerberos sessions. |
| Sysmon | 10 | Process access | High | LSASS access prior to ticket activity → potential credential/key extraction used to forge silver ticket. |
| Security | 4625 | Failed logon | Medium | May appear if attacker misuses forged ticket or attempts fallback authentication. |
| Security | 4770 | Ticket renewal | Low | Rarely seen in silver ticket scenarios → absence may reinforce anomaly chain. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Service authentication without KDC activity | 4624 on target host but no matching 4769 on DC | Critical | Core silver ticket detection pattern. No DC visibility → service-only authentication. |
| PAC privilege mismatch | User performs admin-level actions but AD shows no such membership | Critical | Forged PAC allows attacker to inject fake group SIDs (e.g., Domain Admins). |
| Service-scoped authentication only | User successfully accesses one service (CIFS/HTTP/MSSQL) but fails elsewhere | High | Silver tickets are tied to a specific SPN, not full domain trust like golden tickets. |
| Abnormal user-to-host relationship | User authenticates to server they never accessed before | High | Especially strong if from workstation instead of admin jump host. |
| Privileged activity immediately after logon | 4624 → 4672 → 4688 chain within seconds | Critical | Indicates attacker using forged PAC with elevated privileges. |
| Kerberos success + NTLM fallback patterns | Mixed Kerberos + NTLM behavior from same host/session | Medium | Attacker testing authentication paths or compensating for failed tickets. |
| KRB_AP_ERR_MODIFIED spikes | Repeated Kerberos decryption failures on specific server | High | Indicates incorrect ticket forging attempts or SPN/key mismatch. |
| Lack of full Kerberos chain | Missing 4768 → 4769 → 4624 sequence | Critical | Silver ticket breaks normal Kerberos flow — only final step observed. |
| Lateral movement without credential exposure | No password use but successful remote execution | High | Suggests ticket-based authentication (Pass-the-Ticket / Silver Ticket). |
| Inconsistent encryption types | Unusual TicketEncryptionType values (e.g., RC4 in modern AES env) | Medium | Attackers often rely on RC4 hashes for forging tickets. |
| Service log anomalies | IIS / MSSQL / WinRM logs show authenticated user without DC trace | High | Service accepts PAC without KDC validation. |
| Short-lived, targeted access bursts | Single-service access followed by quick execution and exit | High | Typical attacker behavior using forged ticket for specific objective. |
| Ticket injection artifacts | .kirbi files, ptt, memory injection patterns | High | Indicates manual ticket injection prior to service access. |
| Authentication succeeds but delegation fails | Service works but constrained delegation scenarios break | Medium | Forged ticket lacks proper delegation chain. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Creates forged Kerberos service tickets (Silver Tickets). |
| Rubeus | Generates and injects service tickets. |
| Impacket ticketer.py | Creates forged Kerberos tickets. |
| Kekeo | Kerberos manipulation toolkit. |
| Invoke-Mimikatz | PowerShell interface to Mimikatz. |
Relevant Artifacts
- Domain controller Security logs (4769, 4624)
- Service host logs (file server, SQL server, IIS)
- Sysmon logs (1, 3)
- Kerberos operational logs
- LSASS memory artifacts
- EDR telemetry identifying ticket forgery tools
- Network authentication telemetry
- Prefetch artifacts showing execution of Mimikatz or Rubeus
MITRE ATT&CK References
- T1558 Steal or Forge Kerberos Tickets
- T1558.002 Silver Ticket
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify service ticket usage (4769) without a corresponding TGT request (4768).
- What host generated the event?
  - Identify the workstation using the forged service ticket.
- Is the account expected to perform this action?
  - Investigate whether the account normally accesses this service.
- Pivot:
  - Source host → inspect execution of Mimikatz or Rubeus.
  - Account → review privilege level and access patterns.
  - Network → inspect service access logs for anomalies.
- Confirm exploitation:
  - Determine whether the attacker forged the service ticket using the service account hash.
Example Detection Templates
KQL
```kql
// Baseline of service ticket requests per service, user and source, in 5-minute bins
SecurityEvent
| where EventID == 4769
| summarize count() by ServiceName, TargetUserName, IpAddress, bin(TimeGenerated, 5m)

// Network (type 3) logons on hosts; correlate against the 4769 baseline above
SecurityEvent
| where EventID == 4624 and LogonType == 3
| project TimeGenerated, TargetUserName, IpAddress, WorkstationName
```
EQL
```eql
any where event.code == "4769"
```
Sigma
```yaml
title: Suspicious Kerberos Service Ticket Activity
id: silver-ticket-detection
status: experimental
description: Detects abnormal Kerberos service ticket activity potentially indicating Silver Ticket abuse
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
    condition: selection
fields:
    - TargetUserName
    - ServiceName
falsepositives:
    - Legitimate Kerberos service authentication
level: medium
tags:
    - attack.credential_access
    - attack.t1558.002
```
Splunk
```spl
# Kerberos logon on host with NO 4769 (TGS request) for the same user in the lookback window.
# The subsearch must not return _time, otherwise join overwrites the logon timestamp.
index=main source="WinEventLog:Security" EventCode=4624 Logon_Type=3 Authentication_Package=Kerberos
| eval user=lower(TargetUserName), src_ip=coalesce(IpAddress,Source_Network_Address)
| table _time host user src_ip Logon_ID
| join type=left user
    [ search index=main source="WinEventLog:Security" EventCode=4769 earliest=-5m
      | eval user=lower(mvindex(split(Account_Name,"@"),0))
      | table user Service_Name ]
| where isnull(Service_Name)

# Kerberos logon WITHOUT prior 4768 (no TGT activity).
# A marker field is needed: the join key "user" is never null on the outer rows.
index=main source="WinEventLog:Security" EventCode=4624 Authentication_Package=Kerberos
| eval user=lower(TargetUserName)
| join type=left user
    [ search index=main source="WinEventLog:Security" EventCode=4768 earliest=-10m
      | eval user=lower(mvindex(split(Account_Name,"@"),0)), tgt_seen=1
      | table user tgt_seen ]
| where isnull(tgt_seen)

# SMB access (5140) with NO matching cifs/ TGS for the same user and host.
# Host names are normalized to the lower-case short name; adjust the rex if the
# Splunk host field carries the FQDN.
index=main source="WinEventLog:Security" EventCode=5140
| eval user=lower(Account_Name), host=lower(host)
| table _time host ShareName user IpAddress
| join type=left user host
    [ search index=main source="WinEventLog:Security" EventCode=4769 Service_Name="cifs/*" earliest=-5m
      | eval user=lower(mvindex(split(Account_Name,"@"),0))
      | rex field=Service_Name "cifs/(?<host>[^@.]+)"
      | eval host=lower(host), cifs_tgs=1
      | table user host cifs_tgs ]
| where isnull(cifs_tgs)

# Kerberos logon immediately followed by privilege assignment (4624 -> 4672 on the same logon session).
# range(_time) keeps only sessions where both events fall within 60 seconds.
index=main source="WinEventLog:Security" EventCode IN (4624,4672)
| eval user=lower(coalesce(TargetUserName,SubjectUserName))
| stats values(EventCode) as events min(_time) as time range(_time) as span by user host Logon_ID
| where mvfind(events,"4624")>=0 AND mvfind(events,"4672")>=0 AND span<=60

# Kerberos error (bad forged ticket attempts): service could not decrypt the ticket
index=main source="WinEventLog:System" EventCode=4 SourceName=Kerberos
| search "KRB_AP_ERR_MODIFIED"
| stats count by host

# Suspicious Kerberos tooling (Rubeus / Mimikatz) in 4688 command lines.
# Process_Command_Line is the Windows TA field name; CommandLine is kept as a fallback.
index=main source="WinEventLog:Security" EventCode=4688
| eval cmd=lower(coalesce(CommandLine,Process_Command_Line))
| search cmd="*rubeus*" OR cmd="*mimikatz*" OR cmd="*kerberos::golden*" OR cmd="*ptt*" OR cmd="*.kirbi*"
| table _time host SubjectUserName New_Process_Name cmd
```
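As an added example (not part of the original note), the core correlation from the "Service authentication without KDC activity" indicator and the first Splunk template, implemented in Python over constructed sample events: a Kerberos network logon (4624, LogonType 3) on a host is flagged when no 4769 from the DC exists for the same user and a SPN on that host within the lookback window. The event field names are assumed for the sample and are not a real SIEM schema.

```python
"""Flag host-side 4624 (Network, Kerberos) logons that have no KDC-side 4769
for the same user and service host inside a lookback window.  Events are
constructed samples with assumed field names, not a real SIEM schema."""
from datetime import datetime, timedelta

# Constructed sample events: DC01 forwards 4769, file server FS01 forwards 4624.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "DC01", "id": 4769,
     "user": "alice@CORP.LOCAL", "spn": "cifs/FS01.corp.local@CORP.LOCAL"},
    {"ts": "2024-05-01T09:00:03", "src": "FS01", "id": 4624, "user": "alice",
     "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.5"},
    # Kerberos logon with no TGS request anywhere: the silver ticket pattern
    {"ts": "2024-05-01T09:15:00", "src": "FS01", "id": 4624, "user": "svc_backup",
     "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.0.77"},
    # NTLM logon: out of scope for this rule (no TGS expected)
    {"ts": "2024-05-01T09:16:00", "src": "FS01", "id": 4624, "user": "bob",
     "logon_type": 3, "auth_pkg": "NTLM", "ip": "10.0.0.9"},
]

def short_user(name):
    """'alice@CORP.LOCAL' or 'CORP\\alice' -> 'alice'."""
    return name.split("@")[0].split("\\")[-1].lower()

def spn_host(spn):
    """'cifs/FS01.corp.local@CORP.LOCAL' -> 'fs01' (lower-case short host name)."""
    return spn.split("/", 1)[1].split("@")[0].split(".")[0].lower()

def logons_without_tgs(events, window=timedelta(minutes=5)):
    """Return (ts, host, user, ip) for each Kerberos network logon that has no
    4769 for the same user and any SPN on the same host within `window` before it."""
    tgs = [e for e in events if e["id"] == 4769]
    flagged = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 3 or e.get("auth_pkg") != "Kerberos":
            continue
        t = datetime.fromisoformat(e["ts"])
        user, host = short_user(e["user"]), e["src"].lower()
        matched = any(
            short_user(r["user"]) == user and spn_host(r["spn"]) == host
            and t - window <= datetime.fromisoformat(r["ts"]) <= t
            for r in tgs)
        if not matched:
            flagged.append((e["ts"], host, user, e["ip"]))
    return flagged

if __name__ == "__main__":
    for hit in logons_without_tgs(SAMPLE_EVENTS):
        print("Kerberos logon with no TGS request seen:", hit)
```

Short-name normalization of both the SPN host and the forwarder host name is what keeps the DC-side and host-side records joinable; the same mismatch is the most common reason a production version of this rule silently matches nothing.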
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Service account security | Rotate service account passwords regularly | Critical | Silver tickets rely on service account keys (NTLM/AES). Rotation instantly invalidates forged tickets. Prioritize high-value SPNs (CIFS, MSSQL, HTTP). |
| gMSA adoption | Use Group Managed Service Accounts (gMSA) | Critical | Automatically rotates strong passwords and prevents manual key exposure. Best defense for service accounts. |
| Kerberos hardening | Enforce AES-only Kerberos (disable RC4) | High | Attackers commonly use RC4 hashes for ticket forging. Forcing AES increases difficulty and reduces attack surface. |
| SPN hygiene | Audit and remove duplicate/misconfigured SPNs | High | Reduces risk of KRB_AP_ERR_MODIFIED confusion and limits attack surface for service impersonation. |
| PAC validation | Enable/ensure PAC validation where supported | High | Forces services to validate PAC with KDC, reducing trust in forged authorization data. Not universally enforced by default. |
| Least privilege | Minimize privileges of service accounts | High | Even if ticket is forged, blast radius is limited. Avoid Domain Admin or excessive group membership on service accounts. |
| Tiered admin model | Enforce admin tiering (Tier 0/1/2 separation) | Critical | Prevents service accounts from being used across trust boundaries (e.g., workstation → DC pivot). |
| Credential protection | Enable LSASS protections (RunAsPPL, Credential Guard) | High | Prevents dumping of service account hashes used to forge tickets. |
| Secrets management | Store service credentials in secure vaults (Key Vault, etc.) | High | Avoids plaintext or config-based credential leakage. |
| EDR / XDR monitoring | Detect Kerberos tooling (Rubeus, Mimikatz, Impacket) | High | Stops attack at ticket creation/injection stage before usage. |
| Endpoint hardening | Block LSASS access & suspicious memory reads | High | Prevents attackers from extracting keys required for silver ticket creation. |
| Kerberos telemetry | Monitor 4624 ↔ 4769 correlation gaps | High | Detects service usage without KDC visibility, the core silver ticket behavior. |
| Network segmentation | Restrict lateral movement paths (SMB, WinRM, MSSQL) | High | Limits where forged tickets can be used even if attacker succeeds. |
| Logging & retention | Ensure full DC + endpoint log coverage (4768/4769/4624) | Critical | Without full visibility, silver tickets become nearly invisible. |
| Time synchronization | Maintain strict time sync across domain | Medium | Prevents attackers abusing skew and avoids false positives in correlation logic. |
| Service isolation | Run services under dedicated accounts (not shared) | High | Reduces impact if one service account is compromised. |
| Disable unconstrained delegation | Avoid unconstrained delegation where possible | High | Reduces abuse paths tied to Kerberos trust relationships. |
| Constrained delegation auditing | Monitor and restrict delegation configurations | Medium | Prevents abuse chains combined with forged tickets. |
| Detection engineering | Build service-specific detections (CIFS, HTTP, MSSQL) | High | Silver tickets are SPN-specific, so detections must be too. |
| Incident response readiness | Playbooks for rapid service account reset | Critical | Fast response = immediate invalidation of attacker access. |