Silver Ticket
Authorization data (group memberships) is placed by the KDC in the TGS (the service ticket, inside the PAC) and is then checked by the service behind the SPN in question. This means that if we have the credentials/hash of that service account (obtained through Kerberoasting, an NTLM hash dump, etc.), we can forge a Silver Ticket that claims any privilege.
There is an optional check, rarely implemented by service applications, called PAC (Privilege Attribute Certificate) validation: the service asks the domain controller to confirm the permissions and authorizations carried in the ticket.
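To make the PAC validation point concrete, here is an added toy model; it is not from the original page and it is not real Kerberos. The two checksums are stand-ins built with HMAC-SHA256 over constructed keys (a real PAC uses Kerberos checksum types over an RPC-encoded structure, and the ticket itself is encrypted under the service key). What it shows is the structural reason a Silver Ticket works: the service can only check the checksum keyed with its own long-term key, which anyone holding that key can produce, while the second checksum (keyed with the krbtgt key) is only ever verified if the service asks the DC.

```python
"""Toy model of the two PAC signatures and of what PAC validation adds.

Constructed stand-ins: SERVICE_KEY, KRBTGT_KEY, the JSON "PAC" layout and the
dc_verify_pac() function. None of this is the real MS-PAC encoding.
"""
import hashlib
import hmac
import json

SERVICE_KEY = b"constructed-service-account-key"  # what a Silver Ticket forger holds
KRBTGT_KEY = b"constructed-krbtgt-key"            # held only by the KDC


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_ticket(user: str, groups: list[str]) -> dict:
    """KDC builds the PAC and signs it twice: the server checksum with the
    service key (checkable by the service), then the KDC checksum over that
    server checksum with the krbtgt key (checkable only by a DC)."""
    pac = json.dumps({"user": user, "groups": sorted(groups)}).encode()
    server_sig = _mac(SERVICE_KEY, pac)
    kdc_sig = _mac(KRBTGT_KEY, server_sig)
    return {"pac": pac, "server_sig": server_sig, "kdc_sig": kdc_sig}


def ticket_from_service_key_only(user: str, groups: list[str]) -> dict:
    """What a holder of only the service key can assemble: a valid server
    checksum over arbitrary group claims, but no valid KDC checksum."""
    pac = json.dumps({"user": user, "groups": sorted(groups)}).encode()
    server_sig = _mac(SERVICE_KEY, pac)
    return {"pac": pac, "server_sig": server_sig, "kdc_sig": b"\x00" * 32}


def dc_verify_pac(server_sig: bytes, kdc_sig: bytes) -> bool:
    """Stand-in for the DC side of PAC validation (the Netlogon PAC
    verification call): only the DC knows the krbtgt key."""
    return hmac.compare_digest(_mac(KRBTGT_KEY, server_sig), kdc_sig)


def service_accepts(ticket: dict, pac_validation: bool) -> bool:
    """Service-side check. Without PAC validation only the server checksum is
    verified; with it, the KDC checksum is sent to the DC for confirmation."""
    if not hmac.compare_digest(_mac(SERVICE_KEY, ticket["pac"]), ticket["server_sig"]):
        return False
    if pac_validation and not dc_verify_pac(ticket["server_sig"], ticket["kdc_sig"]):
        return False
    return True


if __name__ == "__main__":
    legit = kdc_issue_ticket("alice", ["Users"])
    bogus = ticket_from_service_key_only("alice", ["Domain Admins"])
    print("legit, no validation :", service_accepts(legit, False))
    print("bogus, no validation :", service_accepts(bogus, False))
    print("bogus, PAC validation:", service_accepts(bogus, True))
```

On Windows the DC-side step is the Netlogon PAC verification; services that hold SeTcbPrivilege (anything running as SYSTEM, which covers most Windows services) are exempt from it by default, and the ValidateKdcPacSignature value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters controls whether the check is performed at all. That exemption is why the text above calls the check "rarely implemented", and why rotating the service account key (twice, so the old key is gone from the ticket's lifetime window) remains the practical mitigation once a service hash is known to be exposed.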
Attack
If you have administrator privileges you can get the NTLM hashes of the services with sekurlsa::logonpasswords. Otherwise use other techniques.
Forge Silver Ticket
/ptt: Inject the forged ticket into memory to make it usable immediately
/sid: Domain SID (whoami /user without the RID)
/domain: Domain in FQDN
/target: Machine hosting the attacked service, in FQDN
/service: Service class of the targeted SPN (see the SPN service table below)
/rc4: NTLM hash of the service, used to encrypt the ticket. There is also /ntlm, /aes128 or /aes256
/id: RID for which to forge the ticket
/user: User for which to forge the ticket (can be fake)
ex.
Also possible to use: /aes128, /aes256, /des. For arguments see mimikatz above.
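The procedure above never contacts the KDC: the ticket is built offline from the service key and presented straight to the target host. That gives the defender two handles, shown in this added detection sketch (not from the original page; the event records are constructed and the field names follow the Windows Security log). First, a Kerberos network logon (4624, logon type 3, package Kerberos) on the host with no preceding 4769 service ticket request on a DC for that user and service. Second, a widely cited but heuristic indicator that I treat as an assumption here: forged tickets often carry an account-domain field that is empty or is the FQDN instead of the NetBIOS name, and that value is copied into the host's 4624/4672 events.

```python
"""Added Silver Ticket detection sketch over constructed Windows event records.

Assumptions (not from the page): NETBIOS_DOMAIN is the expected short domain
name, LOOKBACK matches the domain's maximum service ticket lifetime, and 4769
auditing ("Audit Kerberos Service Ticket Operations") is enabled on the DCs.
"""
from datetime import datetime, timedelta

NETBIOS_DOMAIN = "CORP"          # constructed: expected account-domain value
LOOKBACK = timedelta(hours=10)   # default maximum service ticket lifetime

# Constructed sample events: one DC-side 4769 and two host-side 4624 logons.
DC_EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T08:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.50"},
]
HOST_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T08:00:05", "Computer": "FS01.corp.local",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "Time": "2024-05-01T09:30:00", "Computer": "FS01.corp.local",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "TargetDomainName": "corp.local", "IpAddress": "10.0.0.77"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _short_host(fqdn: str) -> str:
    return fqdn.split(".")[0].upper()


def tgs_requests_index(dc_events: list[dict]) -> dict:
    """Map (user, service host) -> times a service ticket was issued by a DC.
    For host-based SPNs (CIFS, HOST, HTTP on a machine) the 4769 ServiceName is
    the computer account, e.g. FS01$; user-run service accounts would need a
    separate SPN-to-account mapping, which this sketch does not include."""
    index: dict = {}
    for event in dc_events:
        if event["EventID"] != 4769:
            continue
        user = event["TargetUserName"].split("@")[0].lower()
        service_host = event["ServiceName"].rstrip("$").upper()
        index.setdefault((user, service_host), []).append(_ts(event["Time"]))
    return index


def has_preceding_tgs(index: dict, user: str, host: str, when: datetime) -> bool:
    """A cached ticket can be reused for its whole lifetime, so accept any
    4769 inside the lookback window, not only an immediately preceding one."""
    times = index.get((user.lower(), _short_host(host)), [])
    return any(when - LOOKBACK <= t <= when for t in times)


def domain_field_anomalous(domain: str) -> bool:
    """Heuristic: legitimate Kerberos logons carry the NetBIOS domain name."""
    return domain == "" or domain.upper() != NETBIOS_DOMAIN


def find_suspicious_logons(host_events: list[dict], dc_events: list[dict]) -> list:
    """Return (user, host, reasons) for Kerberos network logons that lack a
    DC-side ticket request or carry an unexpected account-domain field."""
    index = tgs_requests_index(dc_events)
    findings = []
    for event in host_events:
        if (event["EventID"] != 4624 or event["LogonType"] != 3
                or event["AuthenticationPackageName"] != "Kerberos"):
            continue
        reasons = []
        if not has_preceding_tgs(index, event["TargetUserName"], event["Computer"], _ts(event["Time"])):
            reasons.append("no 4769 on any DC within ticket lifetime")
        if domain_field_anomalous(event["TargetDomainName"]):
            reasons.append(f"unexpected account domain {event['TargetDomainName']!r}")
        if reasons:
            findings.append((event["TargetUserName"], event["Computer"], reasons))
    return findings


if __name__ == "__main__":
    for user, host, reasons in find_suspicious_logons(HOST_EVENTS, DC_EVENTS):
        print(f"{user} on {host}: {'; '.join(reasons)}")
```

Both heuristics need tuning before they are alert-worthy: the correlation requires the 4769 stream from every DC the host might use (and tickets renewed before the lookback window started will look orphaned), and the domain-field check is only as good as the tooling's defaults. Neither is a substitute for the structural fixes the page points at: rotate exposed service account keys, keep service accounts out of high-privilege groups, and prefer gMSA so the key rotates automatically.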
SPN service
Service type: service SPNs required in the ticket
WMI: HOST, RPCSS
PowerShell Remoting: HOST, HTTP (depending on OS also WSMAN, RPCSS)
WinRM: HOST, HTTP (on some occasions you can just ask for WINRM)
Scheduled Tasks: HOST
Windows File Share (also psexec): CIFS
LDAP operations (including DCSync): LDAP
Windows Remote Server Administration Tools: RPCSS, LDAP, CIFS
Golden Tickets: krbtgt