Active Directory is the most popular service for managing users and devices on a network. Its widespread deployment in the corporate world has made it a popular target for threat actors. While many attacks target Active Directory and its authentication protocol, Kerberos, ticket forgery attacks are among the most dangerous. By exploiting weaknesses in Kerberos, attackers can craft their own tickets, which allow them to gain unauthorized access to services on the network. These attacks are both dangerous and hard to detect. Detecting them may require a powerful centralized log collection system that analyzes Windows security logs across multiple services, which would give the additional visibility needed to find forged tickets in the network.