T1558.002 IBM QRadar · QRadar

Detect Silver Ticket in IBM QRadar

Adversaries who have obtained the NTLM password hash of a target service account may forge Kerberos Ticket Granting Service (TGS) tickets, known as silver tickets. Silver tickets are more limited in scope than golden tickets — they only grant access to a specific service on a specific host — but are significantly harder to detect because they bypass the Key Distribution Center (KDC) entirely, generating no KDC-side authentication logs. Service account hashes are typically obtained via OS Credential Dumping (T1003) or Kerberoasting (T1558.003). Common tooling includes Mimikatz (kerberos::silver), Rubeus (silver), and Empire/Invoke-Mimikatz. AADInternals can forge tickets using the AZUREADSSOACC account hash to attack Azure AD Seamless SSO.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1558 Steal or Forge Kerberos Tickets
Sub-technique: T1558.002 Silver Ticket
Canonical reference: https://attack.mitre.org/techniques/T1558/002/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  eventid AS WindowsEventID,
  QIDNAME(qid) AS EventDescription,
  CASE
    WHEN eventid IN ('4688', '1') THEN 'Tool Execution'
    WHEN eventid = '4769'        THEN 'Kerberos RC4 Anomaly'
    ELSE 'Unknown'
  END AS DetectionMethod,
  CASE
    WHEN eventid IN ('4688', '1') THEN 'Critical'
    WHEN eventid = '4769'         THEN 'High'
    ELSE 'Unknown'
  END AS RiskLevel,
  UTF8(payload) AS RawPayload
FROM events
WHERE
  (
    /* Method 1: Silver ticket tool execution — Security 4688 or Sysmon 1 */
    (
      eventid IN ('4688', '1')
      AND (
        UTF8(payload) ILIKE '%mimikatz%'
        OR UTF8(payload) ILIKE '%rubeus.exe%'
        OR (
          (
            UTF8(payload) ILIKE '%powershell.exe%'
            OR UTF8(payload) ILIKE '%pwsh.exe%'
          )
          AND (
            UTF8(payload) ILIKE '%invoke-mimikatz%'
            OR UTF8(payload) ILIKE '%kerberos::silver%'
            OR UTF8(payload) ILIKE '%rubeus%'
            OR UTF8(payload) ILIKE '%new-aadintkerberosticket%'
          )
        )
      )
      AND (
        UTF8(payload) ILIKE '%kerberos::silver%'
        OR UTF8(payload) ILIKE '%kerberos::ptt%'
        OR UTF8(payload) ILIKE '% /ptt%'
        OR UTF8(payload) ILIKE '%silver%'
        OR UTF8(payload) ILIKE '% s4u%'
        OR UTF8(payload) ILIKE '%asktgs%'
        OR UTF8(payload) ILIKE '%sekurlsa::tickets%'
        OR UTF8(payload) ILIKE '%createnetonly%'
      )
    )
    OR
    /* Method 2: Kerberos RC4 downgrade — Security Event 4769 */
    (
      eventid = '4769'
      AND (
        UTF8(payload) ILIKE '%<Data Name="TicketEncryptionType">0x17%'
        OR UTF8(payload) ILIKE '%<Data Name="TicketEncryptionType">0x18%'
      )
      AND UTF8(payload) NOT ILIKE '%<Data Name="ServiceName">krbtgt%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="ServiceName">UNKNOWN%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="ServiceName">-%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="TargetUserName">-%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="TargetUserName">ANONYMOUS LOGON%'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
```

Severity: critical · Confidence: high

Detects Silver Ticket attacks in IBM QRadar by correlating two signals: Windows Security and Sysmon process creation events (Event ID 4688 and Sysmon Event 1) whose payload combines Mimikatz/Rubeus/PowerShell tooling with silver ticket arguments, and Kerberos TGS requests with RC4 encryption types 0x17/0x18 (Event 4769). Because a forged silver ticket never touches the KDC, the 4769 method does not observe the forged ticket being used; it catches the RC4 TGS request that typically precedes the forgery, i.e. the Kerberoasting step that yields the service account hash (see Test 4 below). Uses UTF8(payload) to match substrings in the raw XML Windows event data rather than parsed custom event properties. In production, scope to Windows log sources using LOGSOURCETYPEID filters matching your environment's Windows Security and Sysmon DSM type IDs (verify with SELECT DISTINCT LOGSOURCETYPEID(devicetype) FROM events WHERE eventid IN ('4769','4688')).

Data Sources

  • Windows Security Event Log (via Microsoft Windows Security Event Log DSM)
  • Microsoft Sysmon Operational Log (via Microsoft Sysmon DSM)

Required Tables

events

False Positives & Tuning

  • Legacy domain-joined servers and applications requiring RC4 Kerberos encryption (e.g., older SQL Server linked servers, Samba file shares configured without AES, NFS Kerberos mounts) will continuously generate Event 4769 with 0x17 at scale
  • Authorized penetration testing engagements using Mimikatz or Rubeus with proper change management will match all tool execution signatures — filter by change window or authorized source IP ranges
  • Software deployment or SCCM pipelines that stage or scan Mimikatz binaries during EDR evaluation or AV testing phases on Windows endpoints
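As an added example (not from the page, the Sigma rule, or IBM), the Python below applies the three tuning cases listed above to rows shaped like the query's SELECT output: legacy SPNs known to need RC4, authorized test engagements scoped by source range and change window, and hosts where tooling is staged for EDR evaluation. Every SPN, address, host name, time window and change id is a constructed placeholder, and EventTime is assumed to be UTC in the query's DATEFORMAT layout.

```python
import ipaddress
from datetime import datetime, timezone

# Added example (not from the page or from IBM): post-query tuning applied to rows
# returned by the AQL above. Keys mirror the SELECT aliases (EventTime, LogSource,
# SourceIP, DetectionMethod) plus the ServiceName pulled from the 4769 payload.
# All values below are constructed placeholders.

# Case 1: SPNs of legacy systems known to require RC4. Review periodically and
# shrink the set as systems are upgraded to AES.
LEGACY_RC4_SERVICES = {
    "MSSQLSvc/legacysql01.lab.local:1433",  # placeholder: old SQL Server linked server
    "nfs/nfs01.lab.local",                  # placeholder: NFS Kerberos mount without AES
}

# Case 2: authorized test engagements, suppressed only when BOTH the source range
# and the change window match. Activity from the same range outside the window alerts.
AUTHORIZED_TEST_WINDOWS = [
    {
        "cidr": ipaddress.ip_network("10.9.0.0/24"),  # placeholder red-team range
        "start": datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc),
        "end": datetime(2024, 5, 10, 18, 0, tzinfo=timezone.utc),
        "change": "CHG-PLACEHOLDER",
    },
]

# Case 3: hosts where security tooling is staged or scanned (EDR/AV evaluation lab),
# matched on the reporting log source.
TOOLING_STAGING_HOSTS = {"edr-eval01.lab.local"}


def suppression_reason(row):
    """Return why a detection row should be suppressed, or None if it should alert."""
    ts = datetime.fromisoformat(row["EventTime"]).replace(tzinfo=timezone.utc)
    src = ipaddress.ip_address(row["SourceIP"])
    if (row["DetectionMethod"] == "Kerberos RC4 Anomaly"
            and row.get("ServiceName") in LEGACY_RC4_SERVICES):
        return "legacy RC4 service"
    if (row["DetectionMethod"] == "Tool Execution"
            and row["LogSource"] in TOOLING_STAGING_HOSTS):
        return "tooling staging host"
    for window in AUTHORIZED_TEST_WINDOWS:
        if src in window["cidr"] and window["start"] <= ts <= window["end"]:
            return f"authorized test {window['change']}"
    return None


def tune(rows):
    """Split rows into ids that should alert and a map of suppressed id -> reason."""
    kept, suppressed = [], {}
    for row in rows:
        reason = suppression_reason(row)
        if reason:
            suppressed[row["id"]] = reason
        else:
            kept.append(row["id"])
    return kept, suppressed


# Constructed query output (not real telemetry).
ROWS = [
    {"id": "r1", "EventTime": "2024-05-07 09:15:00", "LogSource": "dc01.lab.local",
     "SourceIP": "10.0.0.25", "DetectionMethod": "Kerberos RC4 Anomaly",
     "ServiceName": "MSSQLSvc/legacysql01.lab.local:1433"},   # legacy SPN: suppressed
    {"id": "r2", "EventTime": "2024-05-07 09:16:00", "LogSource": "dc01.lab.local",
     "SourceIP": "10.0.0.25", "DetectionMethod": "Kerberos RC4 Anomaly",
     "ServiceName": "MSSQLSvc/sqlserver01.lab.local:1433"},   # AES-capable SPN asked for RC4: alert
    {"id": "r3", "EventTime": "2024-05-07 14:00:00", "LogSource": "ws042.lab.local",
     "SourceIP": "10.9.0.15", "DetectionMethod": "Tool Execution",
     "ServiceName": ""},                                      # test range, inside window: suppressed
    {"id": "r4", "EventTime": "2024-05-11 02:00:00", "LogSource": "ws042.lab.local",
     "SourceIP": "10.9.0.15", "DetectionMethod": "Tool Execution",
     "ServiceName": ""},                                      # same range, window over: alert
    {"id": "r5", "EventTime": "2024-05-08 11:30:00", "LogSource": "edr-eval01.lab.local",
     "SourceIP": "10.0.0.60", "DetectionMethod": "Tool Execution",
     "ServiceName": ""},                                      # staging host: suppressed
]

if __name__ == "__main__":
    kept_ids, suppressed_map = tune(ROWS)
    print("alert:", kept_ids)
    print("suppressed:", suppressed_map)
```

The allowlists are deliberately narrow: a legacy SPN suppresses only the RC4 method, a staging host suppresses only the tool-execution method, and a test range suppresses nothing once its change window closes, so the same source producing the same signal a day later still pages.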

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz Silver Ticket — CIFS Service Forge and Inject

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'kerberos::silver', '/target:', '/rc4:', '/ptt'. Security Event ID 4688 (if command-line auditing enabled) with same command line. Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe if ticket injection triggers LSASS interaction. No Event ID 4769 at the Domain Controller — the absence of this expected event is itself a detection signal for mature monitoring programs.

  2. Test 2: Rubeus Silver Ticket — MSSQLSvc SPN Forge with Pass-the-Ticket

    Expected signal: Sysmon Event ID 1: Two process creation events — one for Rubeus.exe createnetonly (spawning cmd.exe), one for Rubeus.exe silver with /target: /service: /rc4: arguments. Sysmon Event ID 3: Network connection from Rubeus.exe if it contacts the DC for domain SID resolution (can be mitigated with /sid flag). Security Event ID 4648 may appear on the local host if ticket injection triggers explicit credential logon logging.

  3. Test 3: Invoke-Mimikatz Silver Ticket via PowerShell (In-Memory)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-Mimikatz' and 'kerberos::silver'. PowerShell ScriptBlock Log Event ID 4104 showing the deobfuscated Invoke-Mimikatz call with full kerberos::silver arguments. Security Event ID 4688 with PowerShell command line if command-line auditing is enabled. Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe from powershell.exe during ticket injection.

  4. Test 4: Kerberos RC4 Encryption Request — Kerberoasting Precursor Simulation

    Expected signal: Security Event ID 4769 on the Domain Controller with TicketEncryptionType=0x17 (RC4_HMAC_MD5), ServiceName=MSSQLSvc/sqlserver01.lab.local:1433, and the requesting user's account name. This event is the primary indicator captured by the Kerberos RC4 Anomaly detection method. TargetUserName will be the current user running the PowerShell command. ClientAddress will be the requesting machine's IP.
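The detection query and the testing methodology above both reduce to the same check: does a given Windows event payload satisfy Method 1 (tool execution) or Method 2 (RC4 TGS request, with the krbtgt/placeholder exclusions)? As an added example, not code from the page, the Sigma rule or IBM, the Python below re-implements the two WHERE branches over constructed XML payloads shaped after the expected signals of Test 1 (Sysmon Event 1 with mimikatz and kerberos::silver) and Test 4 (Event 4769 with TicketEncryptionType 0x17 for MSSQLSvc/sqlserver01.lab.local:1433), plus negative cases the query is meant to ignore. Host names, paths and user names in the samples are made up; the `<Data Name="...">` field names are the standard Windows event XML names the query matches on.

```python
import re

# Added example (not from the page or from IBM): Python mirror of the AQL WHERE clause,
# run over constructed Windows XML payloads so each branch can be checked offline.
DATA_RE = re.compile(r'<Data Name="([^"]+)">([^<]*)</Data>')
EVENTID_RE = re.compile(r"<EventID[^>]*>(\d+)</EventID>")

# Method 1 (eventid 4688 / Sysmon 1): a tool marker AND a silver-ticket action marker,
# with the PowerShell sub-branch exactly as in the query.
TOOL_MARKERS = ("mimikatz", "rubeus.exe")
SHELL_MARKERS = ("powershell.exe", "pwsh.exe")
SHELL_TOOL_MARKERS = ("invoke-mimikatz", "kerberos::silver", "rubeus", "new-aadintkerberosticket")
ACTION_MARKERS = ("kerberos::silver", "kerberos::ptt", " /ptt", "silver", " s4u",
                  "asktgs", "sekurlsa::tickets", "createnetonly")
# Method 2 (eventid 4769): RC4 encryption types and the NOT ILIKE exclusions.
RC4_ETYPES = ("0x17", "0x18")
EXCLUDED_SERVICE_PREFIXES = ("krbtgt", "unknown", "-")
EXCLUDED_USER_PREFIXES = ("-", "anonymous logon")


def parse_event(payload):
    """Extract EventID and the <Data Name="..."> fields from a Windows XML payload."""
    m = EVENTID_RE.search(payload)
    return {"EventID": m.group(1) if m else None,
            "Data": dict(DATA_RE.findall(payload))}


def tool_execution_match(payload_lc):
    """Method 1. ILIKE is case-insensitive, so the caller passes a lowercased payload."""
    tool = any(t in payload_lc for t in TOOL_MARKERS) or (
        any(s in payload_lc for s in SHELL_MARKERS)
        and any(t in payload_lc for t in SHELL_TOOL_MARKERS))
    action = any(a in payload_lc for a in ACTION_MARKERS)
    return tool and action


def rc4_anomaly_match(data):
    """Method 2: RC4 TGS request for a real service, excluding krbtgt and placeholder names."""
    etype = data.get("TicketEncryptionType", "").lower()
    service = data.get("ServiceName", "").lower()
    user = data.get("TargetUserName", "").lower()
    return (etype.startswith(RC4_ETYPES)
            and not service.startswith(EXCLUDED_SERVICE_PREFIXES)
            and not user.startswith(EXCLUDED_USER_PREFIXES))


def classify(payload):
    """Return the DetectionMethod/RiskLevel the query would emit for this payload, or None."""
    event = parse_event(payload)
    eid = event["EventID"]
    if eid in ("4688", "1") and tool_execution_match(payload.lower()):
        return {"EventID": eid, "DetectionMethod": "Tool Execution", "RiskLevel": "Critical"}
    if eid == "4769" and rc4_anomaly_match(event["Data"]):
        return {"EventID": eid, "DetectionMethod": "Kerberos RC4 Anomaly", "RiskLevel": "High"}
    return None


# Constructed sample payloads (not real telemetry), trimmed to the fields the query reads.
SAMPLES = {
    "sysmon_silver": (  # Test 1 shape: Sysmon 1, Image mimikatz.exe, kerberos::silver + /ptt
        '<Event><System><EventID>1</EventID></System><EventData>'
        '<Data Name="Image">C:\\Tools\\mimikatz.exe</Data>'
        '<Data Name="CommandLine">mimikatz.exe "kerberos::silver /target:fileserver01.lab.local /ptt"</Data>'
        '</EventData></Event>'),
    "benign_powershell": (  # contains "silver" but no tool marker, so Method 1 must not fire
        '<Event><System><EventID>4688</EventID></System><EventData>'
        '<Data Name="CommandLine">powershell.exe -File C:\\Scripts\\Check-SilverlightVersion.ps1</Data>'
        '</EventData></Event>'),
    "tgs_rc4_mssql": (  # Test 4 shape: 4769, 0x17, MSSQLSvc SPN, named requesting user
        '<Event><System><EventID>4769</EventID></System><EventData>'
        '<Data Name="TargetUserName">jdoe@LAB.LOCAL</Data>'
        '<Data Name="ServiceName">MSSQLSvc/sqlserver01.lab.local:1433</Data>'
        '<Data Name="TicketEncryptionType">0x17</Data>'
        '<Data Name="IpAddress">::ffff:10.0.0.25</Data>'
        '</EventData></Event>'),
    "tgs_rc4_krbtgt": (  # RC4 but ServiceName krbtgt: excluded by the WHERE clause
        '<Event><System><EventID>4769</EventID></System><EventData>'
        '<Data Name="TargetUserName">jdoe@LAB.LOCAL</Data>'
        '<Data Name="ServiceName">krbtgt</Data>'
        '<Data Name="TicketEncryptionType">0x17</Data>'
        '</EventData></Event>'),
    "tgs_aes_mssql": (  # AES256 (0x12) TGS request: normal traffic, no alert
        '<Event><System><EventID>4769</EventID></System><EventData>'
        '<Data Name="TargetUserName">jdoe@LAB.LOCAL</Data>'
        '<Data Name="ServiceName">MSSQLSvc/sqlserver01.lab.local:1433</Data>'
        '<Data Name="TicketEncryptionType">0x12</Data>'
        '</EventData></Event>'),
}


def run_samples():
    """Classify every constructed sample; returns name -> detection row or None."""
    return {name: classify(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:20s} -> {result}")
```

The two negative cases are the ones worth keeping in a regression set: the Silverlight script shows why the query requires a tool marker as well as an action marker (the bare `%silver%` pattern alone would page on it), and the krbtgt row shows the exclusion that keeps ordinary RC4 TGT-related noise out of the Method 2 results.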
