Detection of the Silver Ticket for Seamless Single Sign-On Focusing on a Ticket Lifetime

Abstract

Active Directory (AD) is widely used as an authentication server in many organizations. AD centrally manages users and computers and their authentications. Thus, it is very useful but also tends to be leveraged by attackers. Attacks leveraging ADs such as a Silver Ticket have been observed, but they are challenging to detect since they abuse specifications of Kerberos authentication, not vulnerabilities.

Recently, some organizations have been migrating their AD environment to Azure Active Directory (Azure AD) and operating hybrid environments on-premise AD and Azure AD. In some forms of hybrid environments, seamless single sign-on, called SSSO can be an option; SSSO allows the on-premise AD Kerberos Ticket to be used for authentication to some Azure services as well. In such an environment, attackers can compromise the on-premise AD and abuse the Silver Ticket to spread the compromise to Azure services.

Not only in a hybrid environment but also in an on-premise environment, detection of the Silver Ticket exploits is difficult. In this study, we especially focus on the behavior that the client computers always request the Service Ticket to the Domain Controller every time they access the Azure services if the Kerberos Ticket expiration time setting is reduced to 10 minutes (default value is 600 minutes.) Our study introduces a method to detect the abuse of the Silver Ticket in SSSO environments with high detection accuracy. We also introduce a detection method for malicious access to the on-premise Domain Controller with the Silver Ticket.