T1558.002 Microsoft Sentinel · KQL

Detect Silver Ticket in Microsoft Sentinel

Adversaries who have obtained the NTLM password hash of a target service account may forge Kerberos Ticket Granting Service (TGS) tickets, known as silver tickets. Silver tickets are more limited in scope than golden tickets — they only grant access to a specific service on a specific host — but are significantly harder to detect because they bypass the Key Distribution Center (KDC) entirely, generating no KDC-side authentication logs. Service account hashes are typically obtained via OS Credential Dumping (T1003) or Kerberoasting (T1558.003). Common tooling includes Mimikatz (kerberos::silver), Rubeus (silver), and Empire/Invoke-Mimikatz. AADInternals can forge tickets using the AZUREADSSOACC account hash to attack Azure AD Seamless SSO.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1558 Steal or Forge Kerberos Tickets
Sub-technique
T1558.002 Silver Ticket
Canonical reference
https://attack.mitre.org/techniques/T1558/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
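// =====================================================================
// Silver Ticket Detection — Method 1: Attacker Tool Execution
// Detects Mimikatz, Rubeus, and PowerShell wrappers creating silver tickets.
// Source : DeviceProcessEvents (Microsoft Defender for Endpoint), last 24h.
// Output : Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
//          InitiatingProcessFileName, InitiatingProcessCommandLine,
//          ToolUsed, AttackPhase
// Tool binaries are matched on FileName AND on the PE version resource
// (ProcessVersionInfoOriginalFileName), so a simply renamed mimikatz.exe /
// rubeus.exe still lands in the right branch. A rebuilt binary with edited
// resources is not covered; those cases fall back to the command-line tokens.
// NOTE(review): every branch keys on command-line tokens. A copy that is
// loaded reflectively with none of these arguments will not trigger Method 1,
// so treat a match as high fidelity and a non-match as no evidence either way.
// =====================================================================
let SilverTicketToolDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
// Helper flags, evaluated once and dropped by the final project.
| extend IsPowerShellHost = FileName in~ ("powershell.exe", "pwsh.exe"),
         // FileName matches the unrenamed binary; OriginalFileName survives a rename.
         IsMimikatzBinary = FileName in~ ("mimikatz.exe", "mimikatz64.exe")
                            or ProcessVersionInfoOriginalFileName in~ ("mimikatz.exe", "mimikatz64.exe"),
         IsRubeusBinary   = FileName =~ "rubeus.exe"
                            or ProcessVersionInfoOriginalFileName =~ "rubeus.exe"
| where
    // Mimikatz direct execution — kerberos module
    (IsMimikatzBinary
     and ProcessCommandLine has_any ("kerberos::silver", "kerberos::ptt", "sekurlsa::tickets", "/ptt"))
    // PowerShell Invoke-Mimikatz silver ticket
    or (IsPowerShellHost
        and ProcessCommandLine has_any ("Invoke-Mimikatz", "Invoke-Kerberoast")
        and ProcessCommandLine has_any ("silver", "kerberos::ptt", "/ptt", "/target:", "/rc4:", "/aes256:"))
    // Rubeus silver ticket and pass-the-ticket (direct or reflective)
    or (IsRubeusBinary
        and ProcessCommandLine has_any ("silver", "s4u", "ptt", "/ticket:", "asktgs", "createnetonly"))
    // Rubeus invoked from PowerShell (reflective load or inline)
    or (IsPowerShellHost
        and ProcessCommandLine has "rubeus"
        and ProcessCommandLine has_any ("silver", "/ticket:", "ptt", "/service:", "/target:", "/rc4:"))
    // AADInternals AZUREADSSOACC silver ticket for Azure AD SSO
    or (IsPowerShellHost
        and ProcessCommandLine has_any ("New-AADIntKerberosTicket", "AZUREADSSOACC", "kerberos::golden")
        and ProcessCommandLine has_any ("AZUREADSSOACC", "aadsso", "seamlesssso"))
// case() takes the first true arm, so the most specific tool names come first
// and the generic PowerShell label is the last resort before "Unknown".
| extend ToolUsed = case(
    IsMimikatzBinary, "Mimikatz",
    ProcessCommandLine has "invoke-mimikatz", "Invoke-Mimikatz (PowerShell)",
    ProcessCommandLine has "new-aadintkerberosticket", "AADInternals",
    IsRubeusBinary or ProcessCommandLine has "rubeus", "Rubeus",
    IsPowerShellHost, "PowerShell Kerberos Wrapper",
    "Unknown"
  )
// Coarse phase label derived from the command-line tokens; "Ticket Operation"
// covers matches that carried none of the more specific markers.
| extend AttackPhase = case(
    ProcessCommandLine has "kerberos::silver", "Silver Ticket Forge",
    ProcessCommandLine has_any ("kerberos::ptt", "/ptt"), "Pass-the-Ticket Injection",
    ProcessCommandLine has "sekurlsa::tickets", "Ticket Enumeration",
    ProcessCommandLine has_any ("s4u", "asktgs"), "Service Ticket Request (S4U/TGS)",
    ProcessCommandLine has "createnetonly", "Process Spawning for PTT",
    "Ticket Operation"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ToolUsed, AttackPhase;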
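// =====================================================================
// Silver Ticket Detection — Method 2: Kerberos RC4 Downgrade Anomaly
// RC4 (0x17) is the Mimikatz default for silver tickets without /aes256.
// A forged silver ticket itself never reaches the KDC, so 4769 cannot record
// it; this method surfaces the surrounding activity that does hit a DC —
// RC4 service-ticket requests for non-computer accounts (the Kerberoasting
// precursor) and RC4 downgrade against services that should be AES-only.
// Source : SecurityEvent 4769 (Windows Security Event Log), last 24h.
// Output : TimeGenerated, Computer, TargetUserName, ServiceName, EncryptionLabel,
//          ClientAddress, IsHighValueSPN, TicketOptions, Status
// NOTE(review): in 4769 the ServiceName field carries the service account's
// name (the "$" filter below relies on that), not the SPN string. IsHighValueSPN
// therefore only fires when the account *name* contains one of the listed
// tokens — confirm against your own DC logs before weighting it heavily.
// =====================================================================
let KerberosRC4Anomaly = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769
// Fields are pulled from the raw XML in EventData so the query does not depend
// on which parsed columns a given connector populates.
| extend ServiceName          = extract(@'<Data Name="ServiceName">([^<]+)<', 1, EventData),
         TicketEncryptionType = extract(@'<Data Name="TicketEncryptionType">([^<]+)<', 1, EventData),
         TargetUserName       = extract(@'<Data Name="TargetUserName">([^<]+)<', 1, EventData),
         ClientAddress        = extract(@'<Data Name="IpAddress">([^<]+)<', 1, EventData),
         TicketOptions        = extract(@'<Data Name="TicketOptions">([^<]+)<', 1, EventData),
         Status               = extract(@'<Data Name="Status">([^<]+)<', 1, EventData)
// RC4_HMAC_MD5 = 0x17 (Mimikatz default), RC4_HMAC_MD5_EXP = 0x18 (obsolete).
// Compared exactly as logged (lowercase hex); `in` is case-sensitive.
| where TicketEncryptionType in ("0x17", "0x18")
// Drop computer accounts ("$"), the KDC's own service and placeholder values;
// presumably to focus on user-account SPNs, where RC4 is the Kerberoasting signal.
| where ServiceName !endswith "$" and ServiceName !in~ ("krbtgt", "UNKNOWN", "-")
| where TargetUserName !endswith "$" and TargetUserName !in ("-", "ANONYMOUS LOGON")
| extend EncryptionLabel = iff(TicketEncryptionType == "0x17",
    "RC4-HMAC-MD5 (Mimikatz/Rubeus Default)",
    "RC4-HMAC-MD5-EXP (Obsolete, High Risk)")
// has_any is case-insensitive, so a single spelling per service class suffices.
| extend IsHighValueSPN = ServiceName has_any (
    "CIFS", "HTTP", "MSSQLSvc", "mssql", "HOST", "RPCSS", "wsman", "LDAP", "TERMSRV", "GC")
| project TimeGenerated, Computer, TargetUserName, ServiceName, EncryptionLabel,
          ClientAddress, IsHighValueSPN, TicketOptions, Status;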
// Merge both methods into one result schema:
//   Timestamp, DeviceName, AccountName, DetectionMethod, Details, RiskLevel
// Method 1 (tool execution) is rated Critical; Method 2 (RC4 anomaly) High,
// since RC4 service tickets can also come from legacy services.
union kind=outer
  (SilverTicketToolDetection
   | extend DetectionMethod = "Tool Execution",
            Details = strcat(ToolUsed, " — ", AttackPhase, " | cmd: ", ProcessCommandLine),
            RiskLevel = "Critical"
   | project Timestamp, DeviceName, AccountName, DetectionMethod, Details, RiskLevel),
  (KerberosRC4Anomaly
   | extend DetectionMethod = "Kerberos RC4 Anomaly",
            Details = strcat(EncryptionLabel, " | SPN: ", ServiceName,
                " | src: ", ClientAddress, " | HighValue: ", tostring(IsHighValueSPN)),
            RiskLevel = "High"
   // Rename the SecurityEvent columns onto the shared schema.
   | project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = TargetUserName,
             DetectionMethod, Details, RiskLevel)
| order by Timestamp desc
Severity: critical · Confidence: medium

Two-method silver ticket detection. Method 1 uses DeviceProcessEvents to catch known silver ticket tools on attacker endpoints: Mimikatz (kerberos::silver, kerberos::ptt), Rubeus (silver, s4u, ptt, asktgs), PowerShell wrappers (Invoke-Mimikatz), and AADInternals (AZUREADSSOACC). This is the most reliable indicator since silver tickets bypass KDC logging entirely. Method 2 uses SecurityEvent 4769 to detect RC4 encryption (0x17/0x18) on Kerberos service ticket requests — catching precursor Kerberoasting activity and misconfigured forges. AES-capable environments should produce few or zero RC4 tickets for high-value SPNs. Confidence is medium by design: a silver ticket's core value to adversaries is that it evades exactly this type of detection.

Data Sources

Process: Process Creation; Active Directory: Active Directory Credential Request; Logon Session: Logon Session Metadata; Microsoft Defender for Endpoint; Windows Security Event Log

Required Tables

DeviceProcessEvents, SecurityEvent

False Positives & Tuning

  • Authorized red team, penetration testing, or purple team exercises using Mimikatz or Rubeus in controlled lab environments with explicit change ticket authorization
  • Legacy Windows environments or applications (Windows Server 2003/2008-era services, SAP, Oracle EBS, older IBM middleware) that do not support AES Kerberos and legitimately require RC4 encryption for service tickets
  • SQL Server clusters, IIS application pools, or third-party enterprise applications using service accounts configured for RC4 Kerberos due to application compatibility constraints or missing AES keytab updates
  • Security validation platforms (Cymulate, AttackIQ, SafeBreach, Vectr) that execute Mimikatz or Rubeus as part of scheduled adversary emulation assessments


Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz Silver Ticket — CIFS Service Forge and Inject

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'kerberos::silver', '/target:', '/rc4:', '/ptt'. Security Event ID 4688 (if command-line auditing enabled) with same command line. Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe if ticket injection triggers LSASS interaction. No Event ID 4769 at the Domain Controller — the absence of this expected event is itself a detection signal for mature monitoring programs.

  2. Test 2: Rubeus Silver Ticket — MSSQLSvc SPN Forge with Pass-the-Ticket

    Expected signal: Sysmon Event ID 1: Two process creation events — one for Rubeus.exe createnetonly (spawning cmd.exe), one for Rubeus.exe silver with /target: /service: /rc4: arguments. Sysmon Event ID 3: Network connection from Rubeus.exe if it contacts the DC for domain SID resolution (can be mitigated with /sid flag). Security Event ID 4648 may appear on the local host if ticket injection triggers explicit credential logon logging.

  3. Test 3: Invoke-Mimikatz Silver Ticket via PowerShell (In-Memory)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-Mimikatz' and 'kerberos::silver'. PowerShell ScriptBlock Log Event ID 4104 showing the deobfuscated Invoke-Mimikatz call with full kerberos::silver arguments. Security Event ID 4688 with PowerShell command line if command-line auditing is enabled. Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe from powershell.exe during ticket injection.

  4. Test 4: Kerberos RC4 Encryption Request — Kerberoasting Precursor Simulation

    Expected signal: Security Event ID 4769 on the Domain Controller with TicketEncryptionType=0x17 (RC4_HMAC_MD5), ServiceName=MSSQLSvc/sqlserver01.lab.local:1433, and the requesting user's account name. This event is the primary indicator captured by the Kerberos RC4 Anomaly detection method. TargetUserName will be the current user running the PowerShell command. ClientAddress will be the requesting machine's IP.

