Kerberos Authentication Events (4768/4769/4771)
Windows | Authentication & Access | Disk Image | SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\Security.evtx (Domain Controllers)
Description
Kerberos protocol events from the Security log of domain controllers: Event 4768 (TGT requested, success or failure), Event 4769 (service ticket requested), Event 4771 (Kerberos pre-authentication failed), and Event 4770 (Kerberos ticket renewed). They are generated by the KDC service, so member servers and workstations never hold them. 4768 and 4771 come from the "Audit Kerberos Authentication Service" subcategory, 4769 and 4770 from "Audit Kerberos Service Ticket Operations"; both must be enabled for Success and Failure.
Forensic Value
Kerberos events are the primary evidence for identity attacks in Active Directory. Event 4769 with Ticket Encryption Type 0x17 (RC4-HMAC) for a service whose ServiceName is not a machine account (no trailing $) and not krbtgt is the classic Kerberoasting signal: the requester collects service tickets that can be cracked offline. RC4 tickets are also issued legitimately to accounts that have no AES keys, so baseline msDS-SupportedEncryptionTypes and look for one requester pulling tickets for many SPN accounts in a short window rather than alerting on a single RC4 ticket. A Golden Ticket is forged with the krbtgt hash and never passes through the AS exchange, so it produces no 4768; the signal is 4769 service-ticket requests for an account and source IP with no preceding successful 4768 on any domain controller, often with RC4 encryption in a domain that otherwise issues AES tickets. Event 4771 with Status 0x18 (KDC_ERR_PREAUTH_FAILED) from one IpAddress against many distinct TargetUserName values is a password spray; in 4768, Status 0x6 marks guesses at accounts that do not exist and 0x12 marks disabled, expired, or locked-out accounts. Accounts with pre-authentication disabled never generate 4771, so sprays against them are invisible here. These events exist only on domain controllers, and every DC logs only the requests it served, so collect from all of them.
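The three checks described above, as an added example that is not part of the original page: a PowerShell triage script that flattens 4768/4769/4771 EventData from a domain controller's Security log and flags RC4 service-ticket sweeps (Kerberoasting), service tickets with no preceding TGT request (where a Golden Ticket surfaces), and pre-authentication failures from one IP across many accounts (password spray). The field names TargetUserName, ServiceName, IpAddress, TicketEncryptionType and Status are the EventData names in the event XML; the thresholds, the record shape, and the sample records at the bottom are assumptions so the script can be run offline.

```powershell
# Added example (not from the original page). Thresholds and the sample records
# at the bottom are assumptions so the script runs offline; on a domain
# controller replace $sample with (Get-KerberosRecords).

function Get-KerberosRecords {
    # Read 4768/4769/4771 from the local Security log and flatten the EventData
    # fields the checks need; property names mirror the <Data Name="..."> values.
    param([int]$MaxEvents = 100000)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4768, 4769, 4771} -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = ([string]$d['TargetUserName'] -split '@')[0].ToLower()   # 4769 logs user@REALM
                Service = [string]$d['ServiceName']
                Ip      = ([string]$d['IpAddress'] -replace '^::ffff:', '')       # drop IPv4-mapped prefix
                EncType = [string]$d['TicketEncryptionType']
                Status  = [string]$d['Status']
            }
        }
}

function Find-Kerberoasting {
    # Successful 4769s with RC4-HMAC (0x17) for a service that is neither a machine
    # account nor krbtgt, grouped by requester. RC4 tickets are normal for accounts
    # without AES keys, so the assumed $MinServices threshold looks for a sweep.
    param([object[]]$Records, [int]$MinServices = 3)
    $Records |
        Where-Object { $_.Id -eq 4769 -and $_.Status -eq '0x0' -and $_.EncType -eq '0x17' -and
                       $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
        Group-Object User |
        ForEach-Object {
            $svc = @($_.Group.Service | Sort-Object -Unique)
            if ($svc.Count -ge $MinServices) {
                [pscustomobject]@{ Requester = $_.Name; SourceIps = (@($_.Group.Ip | Sort-Object -Unique) -join ','); Services = ($svc -join ',') }
            }
        }
}

function Find-TgsWithoutTgt {
    # 4769s for a user/IP pair with no successful 4768 in the same data set. A
    # forged (Golden) TGT never goes through the AS exchange, so it leaves exactly
    # this gap; so does a TGT issued before the window or by another DC, which is
    # why the input should cover all DCs and at least one full TGT lifetime.
    param([object[]]$Records)
    $hasTgt = @{}
    foreach ($r in $Records) {
        if ($r.Id -eq 4768 -and $r.Status -eq '0x0') { $hasTgt["$($r.User)|$($r.Ip)"] = $true }
    }
    $Records |
        Where-Object { $_.Id -eq 4769 -and -not $hasTgt.ContainsKey("$($_.User)|$($_.Ip)") } |
        Group-Object User, Ip |
        ForEach-Object {
            [pscustomobject]@{ User = $_.Group[0].User; SourceIp = $_.Group[0].Ip; Tickets = $_.Count
                               Rc4Tickets = @($_.Group | Where-Object EncType -eq '0x17').Count }
        }
}

function Find-PasswordSpray {
    # 4771 with Status 0x18 (KDC_ERR_PREAUTH_FAILED): one source IP failing
    # pre-authentication for many distinct accounts. $MinAccounts is assumed.
    param([object[]]$Records, [int]$MinAccounts = 5)
    $Records |
        Where-Object { $_.Id -eq 4771 -and $_.Status -eq '0x18' } |
        Group-Object Ip |
        ForEach-Object {
            $users = @($_.Group.User | Sort-Object -Unique)
            $times = @($_.Group.Time | Sort-Object)
            if ($users.Count -ge $MinAccounts) {
                [pscustomobject]@{ SourceIp = $_.Name; Accounts = $users.Count; Failures = $_.Count; First = $times[0]; Last = $times[-1] }
            }
        }
}

# Constructed sample in the shape Get-KerberosRecords emits (assumption, not real log data).
$t0 = [datetime]'2024-05-01T08:00:00'
function New-Rec($Min, $Id, $User, $Svc, $Ip, $Enc, $Status) {
    [pscustomobject]@{ Time = $t0.AddMinutes($Min); Id = $Id; User = $User; Service = $Svc; Ip = $Ip; EncType = $Enc; Status = $Status }
}
$sample = @(
    New-Rec 0 4768 'jdoe'  'krbtgt'  '10.0.0.5'  '0x12' '0x0'    # AES TGT, then a normal service ticket
    New-Rec 1 4769 'jdoe'  'FS01$'   '10.0.0.5'  '0x12' '0x0'
    New-Rec 2 4769 'jdoe'  'svc_sql' '10.0.0.5'  '0x17' '0x0'    # RC4 sweep across SPN accounts
    New-Rec 2 4769 'jdoe'  'svc_web' '10.0.0.5'  '0x17' '0x0'
    New-Rec 2 4769 'jdoe'  'svc_bak' '10.0.0.5'  '0x17' '0x0'
    New-Rec 5 4769 'admin' 'DC01$'   '10.0.0.77' '0x17' '0x0'    # no 4768 for admin from 10.0.0.77
)
$sample += 1..5 | ForEach-Object { New-Rec (10 + $_) 4771 "user$_" 'krbtgt' '10.0.0.99' '' '0x18' }  # spray

$records = $sample   # on a DC: $records = Get-KerberosRecords
Find-Kerberoasting $records | Format-Table -AutoSize
Find-TgsWithoutTgt $records | Format-Table -AutoSize
Find-PasswordSpray $records | Format-Table -AutoSize
```

Against the constructed sample the script reports jdoe as a Kerberoasting requester (three RC4 tickets for non-machine services), admin from 10.0.0.77 as a service-ticket consumer with no TGT request, and 10.0.0.99 as a spray source hitting five accounts. When run on exported data from several DCs, concatenate the records from all of them before calling Find-TgsWithoutTgt, otherwise every user whose TGT came from another DC is reported.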
Tools Required
KAPE
EvtxECmd (Eric Zimmerman)
Event Log Explorer
Chainsaw
DeepBlueCLI
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Security.evtx" --inc 4768,4769,4770,4771 --csv C:\output --csvf Security_Kerberos.csv
PowerShell
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4768,4769,4771} | Export-Csv C:\output\kerberos_events.csv -NoTypeInformation
Export-Csv on EventLogRecord objects keeps the EventData fields inside the single Message column; use EvtxECmd, or the event's ToXml() output, when you need TargetUserName, IpAddress, TicketEncryptionType and Status as separate columns.
DeepBlueCLI
powershell .\DeepBlue.ps1 "C:\Windows\System32\winevt\Logs\Security.evtx"
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)
T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket)
T1110 (Brute Force)