Windows Event 4771 — Kerberos Pre-Authentication Failed


What This Means

Windows Event 4771 is logged when Kerberos pre-authentication fails. Use this audit event to detect password guessing, brute force via Kerberos, and locked-out service accounts.

Example Log

Kerberos pre-authentication failed.

Account Information:
  Security ID:      S-1-5-21-3398...-1103
  Account Name:     jsmith

Service Information:
  Service Name:     krbtgt/CONTOSO.COM

Network Information:
  Client Address:   ::ffff:192.168.1.55
  Client Port:      52431

Additional Information:
  Ticket Options:   0x40810010
  Failure Code:     0x18
  Pre-Authentication Type: 2

Indicators of Suspicious Activity

How to Investigate

  1. Group Event 4771 by Client Address and Account Name to identify attack patterns
  2. Distinguish between user typos (sporadic) and attacks (systematic, high volume)
  3. Correlate with Event 4768 to see if any attempts succeeded afterward
  4. Check the Failure Code to understand the specific failure reason
  5. Verify whether targeted accounts exist and are enabled
  6. Cross-reference client IPs with DHCP/DNS logs to identify the source device
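Steps 1 to 4 can be scripted over exported events. The following is an added example, not part of the original page: the event dictionaries, the two thresholds, and every account name and address other than jsmith and 192.168.1.55 are constructed assumptions.

```python
from collections import defaultdict

SPRAY_MIN_ACCOUNTS = 5    # assumed threshold: distinct accounts failed from one address
BRUTE_MIN_FAILURES = 10   # assumed threshold: 0x18 failures against a single account

def normalize_ip(addr):
    """Drop the IPv4-mapped IPv6 prefix seen in Client Address (::ffff:a.b.c.d)."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def triage(events):
    """events: time-ordered dicts with keys id, client, account, code.
    Returns {client_ip: {pattern, accounts, failures, succeeded_after}}."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> 0x18 count
    hits = defaultdict(set)                        # ip -> accounts with a later 4768 success
    for e in events:
        ip, acct, code = normalize_ip(e["client"]), e["account"].lower(), e["code"].lower()
        if e["id"] == 4771 and code == "0x18":
            fails[ip][acct] += 1                   # steps 1 and 4: group bad-password failures
        elif e["id"] == 4768 and code == "0x0" and fails.get(ip, {}).get(acct):
            hits[ip].add(acct)                     # step 3: success after earlier failures
    report = {}
    for ip, per_acct in fails.items():
        worst = max(per_acct.values())
        if len(per_acct) >= SPRAY_MIN_ACCOUNTS and worst <= 2:
            pattern = "spray"          # many accounts, one or two tries each
        elif worst >= BRUTE_MIN_FAILURES:
            pattern = "brute_force"    # systematic, high volume against one account
        else:
            pattern = "sporadic"       # step 2: consistent with user typos
        report[ip] = {"pattern": pattern, "accounts": len(per_acct),
                      "failures": sum(per_acct.values()),
                      "succeeded_after": sorted(hits.get(ip, ()))}
    return report

def make_event(eid, ip, acct, code):
    return {"id": eid, "client": "::ffff:" + ip, "account": acct, "code": code}

# Constructed sample events, not taken from a real log.
SAMPLE = (
    [make_event(4771, "192.168.1.55", f"user{i}", "0x18") for i in range(6)]
    + [make_event(4768, "192.168.1.55", "user3", "0x0")]
    + [make_event(4771, "192.168.1.70", "svc_backup", "0x18")] * 12
    + [make_event(4771, "192.168.1.80", "jsmith", "0x18")] * 2
    + [make_event(4768, "192.168.1.80", "jsmith", "0x0")]
)

if __name__ == "__main__":
    for ip, row in triage(SAMPLE).items():
        print(ip, row)
```

An address flagged as spray or brute_force with a non-empty succeeded_after list is the case to escalate first; the same list on a sporadic address usually reflects a user who mistyped and then logged in.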

Recommended Mitigations

Frequently Asked Questions

What does Failure Code 0x18 mean in Event 4771?
Failure Code 0x18 means the password provided during Kerberos pre-authentication was incorrect. In high volume, this is a strong indicator of brute force or password guessing attacks.

How is Event 4771 different from Event 4625?
Event 4625 logs NTLM authentication failures, while Event 4771 logs Kerberos pre-authentication failures. In domain environments, both should be monitored as attackers may use either protocol.

Can Event 4771 detect password spraying?
Yes. Password spraying shows up as Failure Code 0x18 across many different accounts from the same client address, typically with one or two attempts per account to avoid lockout.