eastbaycyber

What Is Silver Ticket?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

A Silver Ticket is a forged Kerberos service ticket that lets an attacker access a specific service in an Active Directory environment without needing the victim’s plaintext password. Instead of stealing a user password and signing in normally, the attacker abuses trust in Kerberos ticketing by creating a valid-looking ticket for a target service after obtaining the service account’s cryptographic material.

If you are learning the broader identity attack chain, it also helps to compare this with what is pass the hash and what is golden ticket.

Silver Ticket definition

In a normal Kerberos workflow, a user authenticates to the domain, receives a Ticket Granting Ticket (TGT), and then uses that TGT to request service tickets for resources such as file shares, databases, or web applications.

A Silver Ticket attack bypasses part of that process. If an attacker has the password hash or Kerberos key material for a service account or computer account, they can forge a service ticket for that specific service and present it directly.

The result is unauthorized access that may look legitimate to the service itself.

How Silver Ticket works

Silver Ticket attacks depend on Kerberos trust relationships and stolen service account material. The attacker is not forging domain-wide trust. They are forging access to one target service.

1. The attacker compromises a service account key

The technique starts when the attacker obtains the password hash or Kerberos key for an account used by a service. That may be:

  • A computer account
  • A service account running an application
  • An account tied to SQL Server, IIS, SMB, or another internal service

The important detail is that the attacker does not need the krbtgt account for a Silver Ticket. They only need the key material for the service they want to abuse.

2. The attacker forges a Kerberos service ticket

Using the stolen key material, the attacker creates a fake service ticket, often called a TGS ticket, for a specific Service Principal Name (SPN).

That forged ticket can include:

  • A chosen username
  • Group memberships
  • Privilege-related claims
  • Ticket details that match the target service

Because the service trusts tickets encrypted with its own key, the forged ticket may be accepted as valid.

3. The forged ticket is presented directly to the service

Instead of going to the domain controller for a legitimate ticket request, the attacker presents the forged ticket directly to the target service.

If the ticket is structured correctly and encrypted with the proper key, the service may allow access without the usual domain controller interaction defenders expect to see.

This is one reason Silver Ticket can be difficult to detect. Depending on the service and environment, there may be less centralized authentication evidence than in other identity attacks.

4. The attacker uses the service access

What happens next depends on the targeted service. Examples include:

  • Accessing SMB shares on a server
  • Querying or changing data in SQL Server
  • Reaching web applications using Kerberos authentication
  • Performing actions on a host tied to a compromised computer account

The attack is narrower than domain-wide ticket forgery, but it can still be serious if the service is sensitive or widely trusted.

Why Silver Ticket matters

Silver Ticket matters because it turns one compromised service account into a way to impersonate users to a specific service. In a real intrusion, that can support:

  • Stealthier lateral movement
  • Access to sensitive applications or servers
  • Evasion of some centralized authentication monitoring
  • Persistence as long as the service account key remains unchanged

It is especially useful to attackers who already have a foothold and want to move carefully through an Active Directory environment.

Silver Ticket vs Golden Ticket

Silver Ticket and Golden Ticket are related Kerberos abuse techniques, but they are not the same.

Silver Ticket

A Silver Ticket targets a specific service. The attacker needs the password hash or key for that service account or computer account.

Golden Ticket

A Golden Ticket is broader and more dangerous. It involves forging Ticket Granting Tickets using the krbtgt account key, which can allow an attacker to create domain-wide Kerberos trust.

In short:

  • Silver Ticket: limited to a specific service
  • Golden Ticket: much broader domain-level abuse

When you will encounter Silver Ticket

Most administrators will not run into Silver Ticket during routine IT work, but defenders encounter it in several common contexts.

Active Directory incident response

Silver Ticket often comes up during investigations of lateral movement in Windows domains. If responders find signs that a service account or computer account hash was stolen, they may evaluate whether forged service tickets were used.

Kerberos-focused detections and threat hunting

Threat hunters and detection engineers look for unusual Kerberos patterns, especially when service access occurs without the expected supporting authentication trail. Silver Ticket is one reason teams monitor both ticket behavior and service account hygiene.

Service account exposure reviews

When organizations review risky service accounts, overly privileged computer accounts, or weak password rotation practices, Silver Ticket is a common example of why those weaknesses matter.

Red team and adversary emulation work

Silver Ticket frequently appears in penetration tests and adversary emulation exercises against Active Directory environments. It helps validate whether the organization can detect forged Kerberos activity and whether service accounts are properly protected.

Mature Windows enterprise environments

You are more likely to hear about Silver Ticket in organizations with on-prem Active Directory, integrated Windows authentication, and multiple internal services using Kerberos. It is less relevant in environments with little or no traditional AD dependence.

How defenders reduce Silver Ticket risk

Reducing Silver Ticket risk usually means reducing the chance that service account key material is exposed and limiting the damage if it is.

Protect service accounts

Service accounts should have strong, unique credentials and as little privilege as possible. Storing and rotating important credentials with a tool like 1Password can help improve credential hygiene in smaller environments.

Rotate passwords and keys regularly

If service account material is static for long periods, forged tickets remain useful for longer. Rotation reduces the lifetime of stolen credentials.

Limit service account privileges

A compromised service account should not unlock unnecessary access. Least privilege matters here.

Monitor for unusual Kerberos behavior

Detection teams should look for strange service access patterns, inconsistent ticket behavior, and activity tied to accounts that do not match normal usage.

Harden endpoints and servers

Attackers often obtain hashes and keys after compromising a host. Strong endpoint protection such as Malwarebytes can help reduce the likelihood of the initial compromise or post-exploitation persistence that leads to credential theft.

Kerberos

Kerberos is the authentication protocol widely used in Active Directory. It relies on tickets rather than sending passwords directly to each service.

TGT

A Ticket Granting Ticket is issued by the domain controller after initial authentication. It is normally used to request service tickets.

Service ticket

A service ticket is the Kerberos ticket presented to a specific service, such as SMB, MSSQL, or HTTP, to prove authenticated access.

Service account

A service account is an account used by an application, server, or service to run processes and authenticate to other systems. If its key material is compromised, it can enable Silver Ticket abuse.

SPN

A Service Principal Name identifies a service instance in Kerberos. Silver Tickets are forged for a particular SPN tied to the target service.

Golden Ticket

A Golden Ticket is a related but more severe Kerberos attack in which an attacker forges TGTs using the krbtgt account key. It is broader than Silver Ticket.

Pass the Ticket

Pass the Ticket is a technique where an attacker steals and reuses valid Kerberos tickets rather than forging them. Silver Ticket is ticket forgery, not simple reuse.

Bottom line

A Silver Ticket is a forged Kerberos service ticket that lets an attacker impersonate a user to a specific service after compromising that service account’s key material. It is narrower than a Golden Ticket attack, but still dangerous because it can enable quiet lateral movement and unauthorized access inside an Active Directory environment.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.