Esc
Silver Ticket - T1558.002

(ATT&CK® Technique)
Definition

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1558002["Silver Ticket"] --> |may-access| KerberosTicket["Kerberos Ticket"]; class T1558002 OffensiveTechniqueNode;
        class KerberosTicket ArtifactNode; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";
        click T1558002 href "/offensive-technique/attack/T1558.002/"; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket"; T1558002["Silver Ticket"] --> |may-create| KerberosTicket["Kerberos Ticket"]; class T1558002 OffensiveTechniqueNode;
        class KerberosTicket ArtifactNode; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";
        click T1558002 href "/offensive-technique/attack/T1558.002/"; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | KerberosTicket["Kerberos Ticket"];

          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1558002["Silver Ticket"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";  CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | KerberosTicket["Kerberos Ticket"];

          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1558002["Silver Ticket"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";  AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | KerberosTicket["Kerberos Ticket"];

          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1558002["Silver Ticket"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";  CredentialRevocation["Credential Revocation"] -->
          | deletes | KerberosTicket["Kerberos Ticket"];

          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1558002["Silver Ticket"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click CredentialRevocation href "/technique/d3f:CredentialRevocation";  CredentialRotation["Credential Rotation"] -->
          | regenerates | KerberosTicket["Kerberos Ticket"];

          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1558002["Silver Ticket"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click CredentialRotation href "/technique/d3f:CredentialRotation";  TokenBinding["Token Binding"] -->
          | strengthens | KerberosTicket["Kerberos Ticket"];

          TokenBinding["Token Binding"] -.->
            | may-harden | T1558002["Silver Ticket"] ;
          class TokenBinding DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click TokenBinding href "/technique/d3f:TokenBinding";  Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | KerberosTicket["Kerberos Ticket"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1558002["Silver Ticket"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";  Token-basedAuthentication["Token-based Authentication"] -->
          | uses | KerberosTicket["Kerberos Ticket"];

          Token-basedAuthentication["Token-based Authentication"] -.->
            | may-harden | T1558002["Silver Ticket"] ;
          class Token-basedAuthentication DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication";  CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | KerberosTicket["Kerberos Ticket"];

          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1558002["Silver Ticket"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";  ReissueCredential["Reissue Credential"] -->
          | restores | KerberosTicket["Kerberos Ticket"];

          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1558002["Silver Ticket"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click ReissueCredential href "/technique/d3f:ReissueCredential";  CredentialHardening["Credential Hardening"] -->
          | hardens | KerberosTicket["Kerberos Ticket"];

          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1558002["Silver Ticket"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class KerberosTicket ArtifactNode;
          click CredentialHardening href "/technique/d3f:CredentialHardening";
json