EventPeeker
Event ID 4768 · Audit Success · Security · T1558

Windows Event ID 4768: Kerberos Authentication Ticket (TGT) Requested

Logged on the domain controller when a client requests a Kerberos Ticket Granting Ticket (TGT) — the first step in Kerberos authentication. Every Kerberos-authenticated logon begins with a 4768. Volume is high in any Active Directory environment. The security signal comes from Pre-Authentication Type, encryption type, result codes, and the absence of a 4768 where one would be expected.

MITRE ATT&CK

Technique

T1558 · Steal or Forge Kerberos Tickets

Tactic

Credential Access

View on attack.mitre.org →

Why It Matters

4768 is the detection surface for three distinct attacks. AS-REP Roasting: accounts with Kerberos pre-authentication disabled (Pre-Auth Type 0) allow any user to request a TGT without proving knowledge of the password — the KDC returns an encrypted blob that can be cracked offline. Golden Ticket: a forged TGT created from the krbtgt hash never goes through the normal 4768 issuance process — a 4769 (service ticket request) arriving from a source with no preceding 4768 for that account is the primary Golden Ticket indicator. Pass-the-Ticket: a stolen TGT replayed from a different IP than the one that originally obtained it produces a 4768 from one address followed by 4769s for the same account from another.

Key Fields

Account Name: The account requesting the TGT — unexpected accounts (especially service accounts or disabled accounts) requesting TGTs from workstations they've never accessed are suspicious
Pre-Authentication Type: The pre-auth method. 2 = standard encrypted timestamp (normal); 0 = pre-auth disabled — this account is AS-REP Roastable; any domain user can request a crackable TGT for it without authenticating
Result Code: 0x0 = success; 0x6 = account doesn't exist (enumeration); 0x12 = account disabled or locked; 0x17 = password expired; 0x18 = bad password; 0x25 = clock skew too large (Kerberos requires ±5 min sync — attacker machine out of sync or Pass-the-Ticket replay)
Ticket Encryption Type: 0x12 = AES256 (modern, preferred); 0x11 = AES128; 0x17 = RC4-HMAC (legacy, crackable — should be rare in modern environments); requests for high-privilege accounts using RC4 warrant immediate attention
Client Address: The IP requesting the TGT — correlate with subsequent 4769 events from the same address; a 4769 from an IP with no matching 4768 suggests a forged or injected TGT
Service Name: krbtgt for normal TGT requests; unexpected service names here indicate non-standard Kerberos tooling

Investigation Tips

  1. AS-REP Roasting: query your environment for accounts with 'Do not require Kerberos preauthentication' enabled (Pre-Auth Type 0 in 4768). Any such account can have its TGT-equivalent blob requested and cracked offline by any domain user. These accounts should be rare — audit and disable this setting wherever possible.
  2. Golden Ticket detection: look for 4769 (service ticket requests) from a source IP with no preceding 4768 for the same account from that IP. A Golden Ticket bypasses the TGT issuance step entirely — the attacker injects a forged TGT directly, so there is no corresponding 4768 on the DC.
  3. Pass-the-Ticket: a 4768 from IP A followed by 4769 requests from IP B for the same account — the TGT was stolen from IP A and replayed on IP B. Look for Result Code 0x25 (clock skew) on 4768 events from hosts not in your time synchronization boundary.
  4. RC4 encryption (0x17) on TGT requests for Domain Admin or krbtgt accounts in an environment that should use AES is anomalous — Kerberos tools and attack frameworks often default to RC4 for compatibility.
  5. Disabled or non-existent accounts requesting TGTs (Result Code 0x12 or 0x6) in volume from one IP: account enumeration or attempts to authenticate with credentials for decommissioned accounts.
  6. Correlate Account Name with your AD inventory: Golden Ticket attacks can specify arbitrary account names, including names that do not exist in Active Directory. A 4769 with an Account Name not in AD is near-certain Golden Ticket activity.
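The correlations in tips 2 and 3 (4769 with no prior 4768, and a TGT used from a different IP than the one that obtained it) plus the field checks in tips 1 and 4, run over a handful of constructed 4768/4769 records. This is an added example, not EventPeeker's code; the event records and the privileged-account list are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample records (not real DC logs). Keys mirror the 4768/4769 fields:
# account = Account Name, ip = Client Address, preauth = Pre-Authentication Type,
# etype = Ticket Encryption Type, result = Result Code. Sorted chronologically.
SAMPLE_EVENTS = [
    {"time": "08:00:00", "id": 4768, "account": "alice", "ip": "10.0.0.5", "preauth": "2", "etype": "0x12", "result": "0x0"},
    {"time": "08:00:03", "id": 4769, "account": "alice", "ip": "10.0.0.5", "etype": "0x12", "result": "0x0"},
    {"time": "09:10:00", "id": 4769, "account": "alice", "ip": "10.0.0.77", "etype": "0x12", "result": "0x0"},
    {"time": "10:00:00", "id": 4769, "account": "Administrator", "ip": "10.0.0.99", "etype": "0x17", "result": "0x0"},
    {"time": "11:00:00", "id": 4768, "account": "svc-legacy", "ip": "10.0.0.20", "preauth": "0", "etype": "0x17", "result": "0x0"},
    {"time": "11:05:00", "id": 4768, "account": "WS01$", "ip": "10.0.0.30", "preauth": "2", "etype": "0x12", "result": "0x0"},
    {"time": "12:00:00", "id": 4768, "account": "Administrator", "ip": "10.0.0.40", "preauth": "2", "etype": "0x17", "result": "0x0"},
]

# Assumed privileged-account list; in practice feed this from your AD inventory.
PRIVILEGED = {"administrator", "krbtgt"}


def triage(events):
    """Return (rule, account, ip) findings. Events must be in chronological order.
    A real query would also bound the 4768 lookback to the TGT lifetime (10h by default)."""
    findings = []
    tgt_sources = defaultdict(set)  # account -> IPs that successfully obtained a TGT so far
    for ev in events:
        acct, ip = ev["account"], ev["ip"]
        if ev["id"] == 4768:
            if ev["result"] != "0x0":
                continue  # failed requests belong to the 4771/brute-force logic, not here
            tgt_sources[acct].add(ip)
            # Tip 1: pre-auth disabled on a user (non-machine) account -> AS-REP Roastable
            if ev.get("preauth") == "0" and not acct.endswith("$"):
                findings.append(("asrep_roastable", acct, ip))
            # Tip 4: RC4 TGT for a privileged account in an AES environment
            if ev["etype"] == "0x17" and acct.lower() in PRIVILEGED:
                findings.append(("rc4_privileged_tgt", acct, ip))
        elif ev["id"] == 4769:
            # Tip 2: service ticket with no TGT issuance on record -> Golden Ticket indicator
            if acct not in tgt_sources:
                findings.append(("no_tgt_issuance", acct, ip))
            # Tip 3: TGT was issued to another IP -> Pass-the-Ticket pattern
            elif ip not in tgt_sources[acct]:
                findings.append(("tgt_used_from_other_ip", acct, ip))
    return findings


if __name__ == "__main__":
    for rule, acct, ip in triage(SAMPLE_EVENTS):
        print(f"{rule:24} account={acct} client={ip}")
```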

Detection Logic

Microsoft Sentinel (KQL) — alert on AS-REP Roasting (Pre-Auth Type 0) and RC4 encryption on user accounts (overpass-the-hash signal).

// AS-REP Roasting: TGT requests with no pre-authentication required
// Note: the SecurityEvent table exposes the 4768 Result Code in the Status column
SecurityEvent
| where EventID == 4768
| where PreAuthType == "0"
| where Status == "0x0"
| where TargetAccount !endswith "$"
| project TimeGenerated, TargetAccount, IpAddress, Computer
| sort by TimeGenerated desc

// RC4 encryption on user accounts — overpass-the-hash indicator
SecurityEvent
| where EventID == 4768
| where TicketEncryptionType == "0x17"
| where TargetAccount !endswith "$"
| project TimeGenerated, TargetAccount, IpAddress, TicketEncryptionType, Computer
| sort by TimeGenerated desc

Seeing Event ID 4768 in your own logs? Upload an .evtx file — EventPeeker flags Kerberos Authentication Ticket (TGT) Requested automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.

Analyze my logs →

Related Event IDs

4769: Kerberos service ticket — absence of a matching 4768 before 4769 = Golden Ticket indicator
4770: Kerberos service ticket renewal — forged Golden Tickets are renewed, not re-requested; no 4768 anchor
4771: Kerberos pre-auth failed — failed TGT requests; complements 4768 for brute-force detection
4624: Successful logon — the logon event that follows a successful TGT + service ticket exchange
4672: Special privileges — privileged Kerberos sessions trigger 4672 alongside 4624
4625: NTLM failed logon — if 4768 volume drops but auth attempts continue, check for NTLM fallback

Frequently Asked Questions

What does Event ID 4768 mean and when does it fire?
Event ID 4768 is a Kerberos Authentication Service (AS) request — it fires on the domain controller every time a client requests a Ticket Granting Ticket (TGT), which is the first step in Kerberos authentication. You will see one per user logon session (interactive, RDP, or network). A DC in an active domain generates thousands per day. The event itself is normal; the security value is in the encryption type, pre-authentication type, account name, and client IP — these fields reveal attacks like AS-REP Roasting, overpass-the-hash, and Golden Ticket use.

Is Event ID 4768 with RC4 encryption (0x17) malicious?
It is a strong indicator in modern environments. Current Windows defaults to AES256 (encryption type 0x12) or AES128 (0x11) for Kerberos. RC4 (0x17) is a legacy encryption type that should not appear for modern accounts unless explicitly configured. Overpass-the-hash attacks specifically request RC4 TGTs because they use an NTLM hash as the RC4 encryption key — the attacker cannot use AES without knowing the actual password. If you see 4768 with encryption type 0x17 for privileged accounts (Domain Admins, service accounts) from unexpected client IP addresses, treat it as an active attack until proven otherwise.

What is the difference between Event ID 4768 and 4769?
Event 4768 is the TGT request — the client asks the KDC 'give me a ticket-granting ticket so I can authenticate to services.' This fires once per logon session. Event 4769 is a TGS (service ticket) request — the client uses the TGT to ask for access to a specific service (a file share, SQL server, web app). This fires once per service accessed. Kerberoasting targets 4769 (requesting service tickets for accounts with SPNs to crack offline). Golden Ticket detection uses the absence of 4768 — if you see a 4769 for a session with no corresponding 4768, the TGT was forged, not issued by the KDC.

How do I detect AS-REP Roasting using Event ID 4768?
AS-REP Roasting targets accounts with 'Do not require Kerberos preauthentication' enabled. In Event 4768, these requests appear with Pre-Authentication Type = 0 (no pre-auth required) and Result Code = 0x0 (success) — the KDC returns an AS-REP without requiring the client to prove knowledge of the password first. The encrypted part of that reply is keyed from the account's password hash, which the attacker can crack offline. Alert on: 4768 with Pre-Auth Type 0 from accounts that are not service accounts with this setting intentionally enabled. Remediate by disabling the 'Do not require Kerberos preauthentication' setting on all user accounts.

Go deeper: the full Kerberos Attacks (Kerberoasting, AS-REP Roasting) guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

Read the Kerberos Attacks (Kerberoasting, AS-REP Roasting) guide

See Event ID 4768 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects Kerberos Authentication Ticket (TGT) Requested patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →