Detect Silver Ticket in Splunk
Adversaries who have obtained the NTLM password hash of a target service account may forge Kerberos Ticket Granting Service (TGS) tickets, known as silver tickets. Silver tickets are more limited in scope than golden tickets — they only grant access to a specific service on a specific host — but are significantly harder to detect because they bypass the Key Distribution Center (KDC) entirely, generating no KDC-side authentication logs. Service account hashes are typically obtained via OS Credential Dumping (T1003) or Kerberoasting (T1558.003). Common tooling includes Mimikatz (kerberos::silver), Rubeus (silver), and Empire/Invoke-Mimikatz. AADInternals can forge tickets using the AZUREADSSOACC account hash to attack Azure AD Seamless SSO.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1558 Steal or Forge Kerberos Tickets
- Sub-technique
- T1558.002 Silver Ticket
- Canonical reference
- https://attack.mitre.org/techniques/T1558/002/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
(Image="*\\mimikatz.exe" OR Image="*\\mimikatz64.exe")
OR (Image="*\\rubeus.exe")
OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
AND (CommandLine="*invoke-mimikatz*" OR CommandLine="*invoke-kerberoast*" OR CommandLine="*rubeus*")
AND (CommandLine="*silver*" OR CommandLine="*kerberos::ptt*" OR CommandLine="*/ptt*" OR CommandLine="*/target:*" OR CommandLine="*/rc4:*"))
)
AND (
CommandLine="*kerberos::silver*" OR CommandLine="*kerberos::ptt*" OR CommandLine="*/ptt*"
OR CommandLine="*silver*" OR CommandLine="*s4u*" OR CommandLine="*asktgs*"
OR CommandLine="*sekurlsa::tickets*" OR CommandLine="*createnetonly*"
)
| eval DetectionMethod="Tool Execution"
| eval ToolUsed=case(
match(Image, "(?i)mimikatz"), "Mimikatz",
match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)invoke-mimikatz"), "Invoke-Mimikatz",
match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)invoke-kerberoast"), "Invoke-Kerberoast",
match(Image, "(?i)rubeus"), "Rubeus",
match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)rubeus"), "Rubeus (PowerShell Loader)",
1=1, "Unknown"
)
| eval AttackPhase=case(
match(CommandLine, "(?i)kerberos::silver"), "Silver Ticket Forge",
match(CommandLine, "(?i)(kerberos::ptt|/ptt)"), "Pass-the-Ticket Injection",
match(CommandLine, "(?i)sekurlsa::tickets"), "Ticket Enumeration",
match(CommandLine, "(?i)(s4u|asktgs)"), "Service Ticket Request",
match(CommandLine, "(?i)createnetonly"), "Process Spawn for PTT",
1=1, "Ticket Operation"
)
| eval RiskLevel="Critical"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
DetectionMethod, ToolUsed, AttackPhase, RiskLevel
]
| append
[
search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
(Ticket_Encryption_Type="0x17" OR Ticket_Encryption_Type="0x18")
NOT (Service_Name="*$" OR Service_Name="krbtgt" OR Service_Name="UNKNOWN" OR Service_Name="-")
NOT (Account_Name="*$" OR Account_Name="-" OR Account_Name="ANONYMOUS LOGON")
| eval EncryptionLabel=case(
Ticket_Encryption_Type=="0x17", "RC4-HMAC-MD5 (Mimikatz Default)",
Ticket_Encryption_Type=="0x18", "RC4-HMAC-MD5-EXP (Obsolete)",
1=1, "Unknown"
)
| eval IsHighValueSPN=if(
match(Service_Name, "(?i)(cifs|http|mssqlsvc|host|rpcss|wsman|ldap|termsrv|gc/)"),
"true", "false"
)
| eval DetectionMethod="Kerberos RC4 Anomaly"
| eval RiskLevel="High"
| table _time, host, Account_Name, Service_Name, EncryptionLabel,
Client_Address, IsHighValueSPN, Ticket_Options, DetectionMethod, RiskLevel
]
| sort - _timeTwo-method silver ticket detection using Splunk. The primary search targets Sysmon Event 1 (Process Create) to identify Mimikatz (kerberos::silver, kerberos::ptt, sekurlsa::tickets), Rubeus (silver, s4u, ptt, asktgs, createnetonly), and PowerShell wrappers loading these tools in memory. An appended subsearch covers Windows Security Event 4769 (Kerberos Service Ticket Request) filtered for RC4 encryption types (0x17/0x18), flagging anomalous service ticket encryption that may indicate Kerberoasting or misconfigured forged tickets targeting high-value SPNs (CIFS, MSSQLSvc, HTTP, TERMSRV). Results are merged and sorted by time. Requires Splunk Add-on for Microsoft Windows for pre-parsed 4769 fields; otherwise use rex for field extraction.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized red team or penetration testing exercises using Mimikatz or Rubeus in controlled environments
- Legacy applications requiring RC4 Kerberos encryption — particularly SQL Server clusters, SAP, Oracle, or older IIS deployments running on Windows Server 2008 or earlier
- Environments that have not enforced AES-only Kerberos via GPO (Network Security: Configure encryption types allowed for Kerberos), where RC4 tickets are common baseline noise
- Security validation platforms generating Mimikatz or Rubeus process events as part of scheduled adversary emulation runs
Other platforms for T1558.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mimikatz Silver Ticket — CIFS Service Forge and Inject
Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'kerberos::silver', '/target:', '/rc4:', '/ptt'. Security Event ID 4688 (if command-line auditing enabled) with same command line. Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe if ticket injection triggers LSASS interaction. No Event ID 4769 at the Domain Controller — the absence of this expected event is itself a detection signal for mature monitoring programs.
- Test 2Rubeus Silver Ticket — MSSQLSvc SPN Forge with Pass-the-Ticket
Expected signal: Sysmon Event ID 1: Two process creation events — one for Rubeus.exe createnetonly (spawning cmd.exe), one for Rubeus.exe silver with /target: /service: /rc4: arguments. Sysmon Event ID 3: Network connection from Rubeus.exe if it contacts the DC for domain SID resolution (can be mitigated with /sid flag). Security Event ID 4648 may appear on the local host if ticket injection triggers explicit credential logon logging.
- Test 3Invoke-Mimikatz Silver Ticket via PowerShell (In-Memory)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-Mimikatz' and 'kerberos::silver'. PowerShell ScriptBlock Log Event ID 4104 showing the deobfuscated Invoke-Mimikatz call with full kerberos::silver arguments. Security Event ID 4688 with PowerShell command line if command-line auditing is enabled. Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe from powershell.exe during ticket injection.
- Test 4Kerberos RC4 Encryption Request — Kerberoasting Precursor Simulation
Expected signal: Security Event ID 4769 on the Domain Controller with TicketEncryptionType=0x17 (RC4_HMAC_MD5), ServiceName=MSSQLSvc/sqlserver01.lab.local:1433, and the requesting user's account name. This event is the primary indicator captured by the Kerberos RC4 Anomaly detection method. TargetUserName will be the current user running the PowerShell command. ClientAddress will be the requesting machine's IP.
References (10)
- https://attack.mitre.org/techniques/T1558/002/
- https://adsecurity.org/?p=2011
- https://adsecurity.org/?p=1515
- https://github.com/GhostPack/Rubeus
- https://github.com/gentilkiwi/mimikatz
- https://github.com/dirkjanm/BloodHound
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://o365blog.com/post/azureadkerberos/
Unlock Pro Content
Get the full detection package for T1558.002 including response playbook, investigation guide, and atomic red team tests.