Kerberos Authentication Events (4768/4769/4771)

Windows | Authentication & Access | Disk Image | SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Security.evtx (Domain Controllers)

Description

Kerberos protocol events from domain controller Security logs: Event 4768 (TGT requested), Event 4769 (service ticket requested), Event 4771 (Kerberos pre-authentication failed), and Event 4770 (TGT renewed).

Forensic Value

Kerberos events are essential for detecting identity-based attacks in Active Directory environments. Event 4769 with encryption type 0x17 (RC4) for service accounts indicates Kerberoasting, in which crackable service tickets are harvested. Event 4768 with unusual encryption types or from unexpected IPs points to Golden Ticket usage. Event 4771 failure codes identify password spray campaigns targeting domain accounts. These events are only logged on domain controllers.
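The following added example (not part of the original page or of any listed tool) triages parsed 4769 and 4771 records for the Kerberoasting and password spray patterns described above. The sample events, the thresholds and the helper names are constructed assumptions; the dictionary keys follow the EventData field names of the Security events.

```python
from collections import defaultdict

RC4_HMAC = 0x17        # encryption type the page flags for Kerberoasting
PREAUTH_FAILED = 0x18  # 4771 failure code KDC_ERR_PREAUTH_FAILED (wrong password)

def _ev(eid, user, ip, **fields):
    """Build one constructed event record (hypothetical helper)."""
    return {"EventID": eid, "TargetUserName": user, "IpAddress": ip, **fields}

# Constructed sample data, not real log content.
SAMPLE_EVENTS = [
    _ev(4769, "jdoe@CORP.EXAMPLE", "10.0.0.5", ServiceName="svc-sql", TicketEncryptionType="0x17"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "10.0.0.5", ServiceName="svc-web", TicketEncryptionType="0x17"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "10.0.0.5", ServiceName="svc-backup", TicketEncryptionType="0x17"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "10.0.0.5", ServiceName="FILE01$", TicketEncryptionType="0x17"),
    _ev(4769, "asmith@CORP.EXAMPLE", "10.0.0.9", ServiceName="svc-sql", TicketEncryptionType="0x12"),
    _ev(4771, "alice", "10.0.0.77", Status="0x18"),
    _ev(4771, "bob", "10.0.0.77", Status="0x18"),
    _ev(4771, "carol", "10.0.0.77", Status="0x18"),
    _ev(4771, "dave", "10.0.0.77", Status="0x12"),   # revoked account, not a bad password
    _ev(4771, "alice", "10.0.0.20", Status="0x18"),  # single failure, below threshold
]

def kerberoast_candidates(events, min_services=3):
    """Requesters asking for RC4 tickets to >= min_services distinct services."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Machine accounts ($) and krbtgt are not user service-account targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        seen[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}

def spray_candidates(events, min_accounts=3):
    """Source IPs with wrong-password 4771 failures across >= min_accounts users."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 4771 and int(e["Status"], 16) == PREAUTH_FAILED:
            seen[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    print("Kerberoasting candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("Password spray candidates:", spray_candidates(SAMPLE_EVENTS))
```

In practice both functions should also be windowed by event time, and the thresholds tuned to the environment, since legacy systems may legitimately request RC4 tickets.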

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw, DeepBlueCLI