Windows Event 4769 — Kerberos Service Ticket Requested


What This Means

Windows Event 4769 is logged when a Kerberos service ticket is requested. Monitor it to detect Kerberoasting attacks, lateral movement, and abnormal service ticket requests. It is essential for securing Active Directory environments.

Example Log

A Kerberos service ticket was requested.

Account Information:
  Account Name:       jsmith@CONTOSO.COM
  Account Domain:     CONTOSO.COM
  Logon GUID:         {a1b2c3d4-...}

Service Information:
  Service Name:       MSSQLSvc/SQL01.contoso.com:1433
  Service ID:         S-1-5-21-3398...-1108

Network Information:
  Client Address:     ::ffff:10.0.5.142
  Client Port:        49831

Additional Information:
  Ticket Options:     0x40810000
  Ticket Encryption Type: 0x17
  Failure Code:       0x0

Indicators of Suspicious Activity

How to Investigate

  1. Filter for Ticket Encryption Type 0x17 (RC4) to identify potential Kerberoasting targets
  2. Identify which SPNs are being targeted and assess sensitivity of those services
  3. Track the requesting account and correlate with Event 4768 (TGT) and 4624 (logon)
  4. Compare service ticket request patterns against baseline for the account
  5. Check if the target service account has a weak or old password
  6. Review whether the requesting workstation is authorized to access the target service
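
An added example, not part of the original page: steps 1 to 3 applied to rendered 4769 messages in the layout of the example log. It parses the fields, keeps successful RC4 (0x17) requests, and groups the distinct SPNs per account and client address. The threshold of 3, the exclusion of machine accounts and krbtgt, the function names, and the sample events are assumptions constructed for illustration.

```python
import re

RC4_HMAC = 0x17     # "Ticket Encryption Type" value the page says to filter on
SPN_THRESHOLD = 3   # assumed starting point; tune against the account's baseline
# Matches "  Field Name:   value"; section headers such as "Account Information:" carry no value
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*)$")

def parse_4769(message):
    """Turn the rendered 4769 message text into a {field: value} dict."""
    matches = (FIELD_RE.match(line) for line in message.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def is_rc4_service_request(f):
    """Successful RC4 request, skipping machine accounts and krbtgt (assumed tuning)."""
    svc = f.get("Service Name", "")
    return (bool(svc) and not svc.endswith("$") and svc.lower() != "krbtgt"
            and int(f.get("Ticket Encryption Type", "0x0"), 16) == RC4_HMAC
            and int(f.get("Failure Code", "0x0"), 16) == 0)

def find_candidates(messages, threshold=SPN_THRESHOLD):
    """Map (account, client IP) to the distinct SPNs it requested with RC4."""
    seen = {}
    for f in map(parse_4769, messages):
        if is_rc4_service_request(f):
            client = re.sub(r"^::ffff:", "", f.get("Client Address", "?"))  # IPv4-mapped
            key = (f.get("Account Name", "?").lower(), client)
            seen.setdefault(key, set()).add(f["Service Name"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample events in the page's message layout (not real logs)
TEMPLATE = """A Kerberos service ticket was requested.
Account Information:
  Account Name:       {acct}
Service Information:
  Service Name:       {spn}
Network Information:
  Client Address:     ::ffff:{ip}
Additional Information:
  Ticket Encryption Type: {etype}
  Failure Code:       0x0
"""
SAMPLE = [TEMPLATE.format(acct=a, spn=s, ip=i, etype=e) for a, s, i, e in [
    ("jsmith@CONTOSO.COM", "MSSQLSvc/SQL01.contoso.com:1433", "10.0.5.142", "0x17"),
    ("jsmith@CONTOSO.COM", "MSSQLSvc/SQL02.contoso.com:1433", "10.0.5.142", "0x17"),
    ("jsmith@CONTOSO.COM", "HTTP/web01.contoso.com", "10.0.5.142", "0x17"),
    ("jsmith@CONTOSO.COM", "SQL01$", "10.0.5.142", "0x17"),  # machine account, skipped
    ("adoe@CONTOSO.COM", "MSSQLSvc/SQL01.contoso.com:1433", "10.0.7.20", "0x12"),  # AES
]]
print(find_candidates(SAMPLE))
```

Accounts returned here are starting points for steps 4 to 6, which need baseline and directory data that the event text alone does not carry.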

Recommended Mitigations


Frequently Asked Questions

What is Kerberoasting?
Kerberoasting is an attack where an authenticated domain user requests service tickets for accounts with SPNs, then cracks the tickets offline to recover the service account password. Event 4769 with RC4 encryption is the primary detection signal.

Why is RC4 encryption in Event 4769 suspicious?
Modern environments should use AES encryption. When an attacker requests RC4-encrypted tickets, it indicates an intentional downgrade to make offline cracking faster. Legitimate clients typically negotiate AES.

How do I find all Kerberoastable accounts?
Run:

  Get-ADUser -Filter {ServicePrincipalName -ne '$null'} -Properties ServicePrincipalName | Select Name, ServicePrincipalName

Any account with an SPN is a potential Kerberoasting target.