Kerberos Authentication Failure Investigation

AuthenticationAttacks Windows Security Kerberos Attack

What This Means

Investigate Kerberos authentication failures including AS-REP Roasting, Kerberoasting, ticket manipulation, and protocol-specific attack patterns in Active Directory environments.

Example Log

Kerberos pre-authentication failed.
Account Name: svc_sql
Failure Code: 0x18
Client Address: ::ffff:10.0.8.99
Pre-Authentication Type: 2

Indicators of Suspicious Activity

Failure Code 0x18 (bad password) against service accounts (potential password guessing)
Failure Code 0x6 (principal unknown) suggesting username enumeration
Pre-Authentication Type 0 indicating AS-REP Roastable accounts
RC4 encryption requested instead of AES (downgrade attack indicator)
Kerberos failures from IPs that are not domain-joined workstations
Failures concentrated on accounts with Service Principal Names

How to Investigate

Correlate Events 4768, 4769, and 4771 for a complete Kerberos picture
Identify which accounts are being targeted and their privilege level
Check encryption types in ticket requests for downgrade attempts
Verify targeted accounts require Kerberos pre-authentication
Review SPN assignments for potential Kerberoasting targets
Cross-reference with AD audit logs for recent account or SPN changes

Recommended Mitigations

Require Kerberos pre-authentication for all accounts (no exceptions)
Enforce AES encryption and disable RC4-HMAC domain-wide
Use Group Managed Service Accounts (gMSA) for service accounts
Set minimum 25-character passwords for all service accounts
Deploy Microsoft Defender for Identity for Kerberos attack detection
Regularly audit for accounts with SPNs and weak passwords

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 7 + 2?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Log Types

Related Attack Patterns

Frequently Asked Questions

What are the main Kerberos attack types? ▼

Key attacks: AS-REP Roasting (cracking TGTs for accounts without pre-auth), Kerberoasting (cracking service tickets for accounts with SPNs), Golden Ticket (forging TGTs with krbtgt hash), and Silver Ticket (forging service tickets).

How do I find vulnerable Kerberos accounts? ▼

Audit for: accounts without pre-auth required, accounts with SPNs and weak passwords, the krbtgt account password age, and any delegation configurations that could be abused.

What Kerberos failure codes should I alert on? ▼

Alert on: 0x18 (bad password) in volume, 0x6 (unknown principal) from single IPs, 0x17 encryption type in ticket requests, and Pre-Authentication Type 0 in Event 4768.