title: Silver Ticket (T1558.002)
id: df00tech-t1558-002
status: experimental
description: "Adversaries who have obtained the NTLM password hash of a target service account may forge Kerberos Ticket Granting Service (TGS) tickets, known as silver tickets. Silver tickets are more limited in scope than golden tickets — they only grant access to a specific service on a specific host — but are significantly harder to detect because they bypass the Key Distribution Center (KDC) entirely, generating no KDC-side authentication logs. Service account hashes are typically obtained via OS Credential Dumping (T1003) or Kerberoasting (T1558.003). Common tooling includes Mimikatz (kerberos::silver), Rubeus (silver), and Empire/Invoke-Mimikatz. AADInternals can forge tickets using the AZUREADSSOACC account hash to attack Azure AD Seamless SSO."
references:
  - https://attack.mitre.org/techniques/T1558/002/
  - https://df00tech.com/detections/T1558.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1558.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
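  # The df00tech KQL/SPL query could not be auto-translated. The selections below are a
  # stand-in built only from the tooling named in the description (assumed default names
  # and strings, not the df00tech logic); the original wildcard matched every event.
  selection_mimikatz:
    CommandLine|contains: 'kerberos::silver'
  selection_rubeus:
    Image|endswith: '\Rubeus.exe'
    CommandLine|contains: ' silver'
  condition: 1 of selection_*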
falsepositives:
  - "Authorized red team, penetration testing, or purple team exercises using Mimikatz or Rubeus in controlled lab environments with explicit change ticket authorization"
  - "Legacy Windows environments or applications (Windows Server 2003/2008-era services, SAP, Oracle EBS, older IBM middleware) that do not support AES Kerberos and legitimately require RC4 encryption for service tickets"
  - "SQL Server clusters, IIS application pools, or third-party enterprise applications using service accounts configured for RC4 Kerberos due to application compatibility constraints or missing AES keytab updates"
  - "Security validation platforms (Cymulate, AttackIQ, SafeBreach, Vectr) that execute Mimikatz or Rubeus as part of scheduled adversary emulation assessments"
level: critical
