MITRE ATT&CK Technique
Description
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets) Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets) Password hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-11T19:14:48.309Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries who have the password hash of a target service '
'account (e.g. SharePoint, MSSQL) may forge Kerberos ticket '
'granting service (TGS) tickets, also known as silver tickets. '
'Kerberos TGS tickets are also known as service '
'tickets.(Citation: ADSecurity Silver Tickets)\n'
'\n'
'Silver tickets are more limited in scope in than golden '
'tickets in that they only enable adversaries to access a '
'particular resource (e.g. MSSQL) and the system that hosts '
'the resource; however, unlike golden tickets, adversaries '
'with the ability to forge silver tickets are able to create '
'TGS tickets without interacting with the Key Distribution '
'Center (KDC), potentially making detection more '
'difficult.(Citation: ADSecurity Detecting Forged Tickets)\n'
'\n'
'Password hashes for target services may be obtained using [OS '
'Credential '
'Dumping](https://attack.mitre.org/techniques/T1003) or '
'[Kerberoasting](https://attack.mitre.org/techniques/T1558/003).',
'external_references': [{'external_id': 'T1558.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1558/002'},
{'description': 'Sean Metcalf. (2015, November 17). '
'How Attackers Use Kerberos Silver '
'Tickets to Exploit Systems. '
'Retrieved February 27, 2020.',
'source_name': 'ADSecurity Silver Tickets',
'url': 'https://adsecurity.org/?p=2011'},
{'description': 'Metcalf, S. (2015, May 03). '
'Detecting Forged Kerberos Ticket '
'(Golden Ticket & Silver Ticket) Use '
'in Active Directory. Retrieved '
'December 23, 2015.',
'source_name': 'ADSecurity Detecting Forged Tickets',
'url': 'https://adsecurity.org/?p=1515'},
{'description': 'French, D. (2018, October 2). '
'Detecting Attempts to Steal '
'Passwords from Memory. Retrieved '
'October 11, 2019.',
'source_name': 'Medium Detecting Attempts to Steal '
'Passwords from Memory',
'url': 'https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea'}],
'id': 'attack-pattern--d273434a-448e-4598-8e14-607f4a0d5e27',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:49:26.177Z',
'name': 'Silver Ticket',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}