T1558.002: Silver Ticket
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.[1]
Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.[2]
Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
Analyst context for executives and security teams
Silver Ticket is a Windows Kerberos credential-access technique where an adversary with a target service account password hash can forge service tickets for a specific resource such as MSSQL or SharePoint. Its business significance is that the abuse can be narrower than a domain-wide Golden Ticket but harder to see if monitoring depends only on the Key Distribution Center, because forged service tickets may be created without KDC interaction.
Executive priority
Prioritize this where Windows domain services rely on high-value service accounts. Leaders should ask whether service account hashes are protected, whether privileged/service account use is logged and reviewed, and whether detection can connect service access to legitimate Kerberos activity. This is especially relevant for identity assurance, incident response scoping, audit evidence around privileged account control, and continuity of critical Windows-hosted applications.
Technical view
For SOC and IR teams, validate coverage around T1558.002 as part of the broader Steal or Forge Kerberos Tickets technique. The key defensive question is not only whether Kerberos ticket requests are logged, but whether teams can identify suspicious service access when no corresponding KDC interaction is observed. Use the DET0241 relationship as the ATT&CK detection-strategy anchor, and correlate with precursor evidence for OS Credential Dumping or Kerberoasting where available. Also account for related software relationships: Mimikatz, Empire, AADInternals, and Rubeus are listed as using this technique, so endpoint and scripting telemetry can provide important context.
Likely telemetry
- Windows Kerberos authentication and service-access records for domain resources such as database or collaboration services
- KDC/TGS request logs or equivalent identity-provider telemetry to compare expected ticket issuance with service access
- Service account logon and privileged account activity logs
- Endpoint process execution and command-line telemetry on Windows systems
- PowerShell activity where relevant to related tooling such as Empire or AADInternals
Detection direction
- Do not rely solely on KDC-side Kerberos request visibility; the ATT&CK description notes Silver Tickets can be created without KDC interaction.
- Validate DET0241-aligned analytics for forged Kerberos Silver Ticket behavior in the local Windows domain environment.
- Correlate access to a specific service with whether a legitimate TGS request was observed for that account, service, and timeframe.
- Tune for the fact that Silver Ticket scope is service-specific; detection should focus on sensitive service accounts and high-value resources rather than only domain-wide anomalies.
- Use related-tool telemetry as context, but avoid treating tool names alone as proof of Silver Ticket use without Kerberos/service-access evidence.
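One way to implement the correlation described in the bullets above, as an added example that is not part of the ATT&CK object or the original page. The normalized record schema, field names, host names and sample records are constructed for illustration; the 10-hour window assumes the default Active Directory service-ticket lifetime and should be tuned to local policy.

```python
from datetime import datetime, timedelta

# Assumptions to tune locally: 10 hours is the default AD service-ticket
# lifetime; the skew allowance covers timestamp drift between log sources.
TICKET_LIFETIME = timedelta(hours=10)
CLOCK_SKEW = timedelta(minutes=5)

# Constructed sample records in a hypothetical normalized schema.
# KDC side: service tickets the domain controllers actually issued.
KDC_TGS_ISSUED = [
    {"time": "2024-05-01T08:00:00", "user": "alice", "spn": "MSSQLSvc/sql01.corp.example:1433"},
    {"time": "2024-05-01T09:00:00", "user": "bob", "spn": "HTTP/sp01.corp.example"},
]
# Service side: Kerberos logons seen on the hosts, already mapped to an SPN.
SERVICE_LOGONS = [
    {"time": "2024-05-01T09:30:00", "user": "alice", "spn": "MSSQLSvc/sql01.corp.example:1433"},
    {"time": "2024-05-01T10:00:00", "user": "svc_admin", "spn": "MSSQLSvc/sql01.corp.example:1433"},
    {"time": "2024-05-01T20:30:00", "user": "bob", "spn": "HTTP/sp01.corp.example"},
    {"time": "2024-05-01T11:00:00", "user": "carol", "spn": "CIFS/fs01.corp.example"},
]
# High-value services only, per the service-specific scope noted above.
WATCHED_SPNS = {"MSSQLSvc/sql01.corp.example:1433", "HTTP/sp01.corp.example"}


def find_unmatched_logons(logons, issued, watched_spns,
                          lifetime=TICKET_LIFETIME, skew=CLOCK_SKEW):
    """Return watched-service logons with no KDC issuance for the same
    user and SPN inside the ticket-lifetime window before the logon."""
    index = {}
    for rec in issued:
        key = (rec["user"].lower(), rec["spn"].lower())
        index.setdefault(key, []).append(datetime.fromisoformat(rec["time"]))
    watched = {s.lower() for s in watched_spns}
    findings = []
    for ev in logons:
        spn = ev["spn"].lower()
        if spn not in watched:
            continue
        seen = datetime.fromisoformat(ev["time"])
        issued_at = index.get((ev["user"].lower(), spn), [])
        if not any(seen - lifetime <= t <= seen + skew for t in issued_at):
            findings.append(ev)  # a lead to investigate, not proof of forgery
    return findings


if __name__ == "__main__":
    for hit in find_unmatched_logons(SERVICE_LOGONS, KDC_TGS_ISSUED, WATCHED_SPNS):
        print(hit["time"], hit["user"], hit["spn"])
```

A domain controller that is not forwarding its logs produces the same unmatched result as a forged ticket, so confirm KDC log collection coverage before escalating a finding.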
Mitigation priorities
- Strengthen privileged and service account management per M1026: enforce least privilege, restrict service account scope, monitor privileged use, and maintain accountability through logging and auditing.
- Apply strong password policy controls per M1027 to reduce the likelihood that service account credentials or hashes remain useful for long periods.
- Protect sensitive information per M1041 where applicable, especially credential material and systems that store or process service account secrets.
- Prioritize service accounts tied to critical Windows-hosted resources such as databases or collaboration platforms.
- During IR, rotate or otherwise invalidate affected service account credentials when evidence indicates a service account hash may be compromised, following local change-control requirements.
Analyst notes and limits
ATT&CK provides no official detection text for this object, but it does provide a detection-strategy relationship, mitigation relationships, related software, and key behavioral constraints. The most decision-useful point is the KDC visibility gap: service-side and endpoint evidence matter because forged TGS tickets may not create normal KDC request telemetry.
This take is based only on the supplied ATT&CK fields, references, and relationships. It does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Exact event IDs, vendor detections, and response playbooks require local Windows domain architecture, logging configuration, service account inventory, and SIEM/EDR capability review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | This object is a sub-technique of Steal or Forge Kerberos Tickets. |
Groups, software, and campaigns
S1071: Rubeus
S0677: AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]
S0002: Mimikatz
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 480a8b7f1e22… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ADSecurity Silver Tickets. Sean Metcalf. (2015, November 17). How Attackers Use Kerberos Silver Tickets to Exploit Systems. Retrieved February 27, 2020.
- [2] ADSecurity Detecting Forged Tickets. Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
- [3] Medium Detecting Attempts to Steal Passwords from Memory. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
- [4] mitre-attack T1558.002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.