EventPeeker
Event ID 4768 · Audit Success · Security · T1558

Windows Event ID 4768: Kerberos Authentication Ticket (TGT) Requested

Logged on the domain controller that answers the AS-REQ when a client requests a Kerberos Ticket Granting Ticket (TGT), the first step in Kerberos authentication. Every Kerberos-authenticated logon begins with a 4768, so volume is high in any Active Directory environment. The event is only written when the Account Logon > Audit Kerberos Authentication Service subcategory is enabled; enable it for both success and failure, since several of the result codes below appear only in failure events. The security signal comes from the Pre-Authentication Type, the ticket encryption type, the result code, and the absence of a 4768 where one would be expected.

MITRE ATT&CK

Technique

T1558 · Steal or Forge Kerberos Tickets

Tactic

Credential Access

https://attack.mitre.org/techniques/T1558/

Why It Matters

4768 is the detection surface for three distinct attacks. AS-REP Roasting: accounts with Kerberos pre-authentication disabled (Pre-Authentication Type 0) let any user request a TGT for them without proving knowledge of the password; the KDC answers with an AS-REP whose encrypted part is keyed from that account's password and can be cracked offline. Golden Ticket: a forged TGT built from the krbtgt hash never goes through TGT issuance, so no DC logs a 4768 for it; a 4769 (service ticket request) from an account and source that have no preceding 4768 is the primary Golden Ticket indicator. Pass-the-Ticket: a stolen TGT replayed from a different host than the one that obtained it shows up as 4769 requests from an IP that never has a matching 4768 for that account, while the legitimate 4768 sits on a different IP.

Key Fields

Account Name: the account requesting the TGT. Unexpected accounts (especially service accounts or disabled accounts) requesting TGTs from workstations they have never used before are suspicious.
Pre-Authentication Type: the pre-auth method. 2 = encrypted timestamp (normal password logon); 15, 16, 17 = PKINIT (smart card or certificate); 0 = pre-authentication disabled, meaning the account is AS-REP Roastable and any domain user can obtain a crackable AS-REP for it without authenticating.
Result Code: 0x0 = success; 0x6 = account does not exist in the Kerberos database (enumeration); 0x12 = client credentials revoked (account disabled, expired, locked out, or outside logon hours); 0x17 = password expired; 0x18 = pre-authentication failed (bad password; on a DC this is normally logged as 4771 rather than 4768); 0x25 = clock skew too large (Kerberos requires the client clock within 5 minutes of the KDC; an attacker machine that is out of sync, or a replayed ticket whose timestamps no longer fit).
Ticket Encryption Type: 0x12 = AES256-CTS-HMAC-SHA1-96 (modern, preferred); 0x11 = AES128-CTS-HMAC-SHA1-96; 0x17 = RC4-HMAC (legacy, far cheaper to crack; should be rare in a modern environment); 0xFFFFFFFF = no ticket issued (failure events). Requests for high-privilege accounts using RC4 warrant immediate attention.
Client Address: the IP that sent the AS-REQ. Correlate with subsequent 4769 events from the same address; a 4769 from an IP with no matching 4768 suggests a forged or injected TGT. DCs write IPv4 clients in IPv4-mapped form (::ffff:10.0.0.5), so normalise before comparing.
Service Name: krbtgt for a normal TGT request. Anything else in this field on a 4768 indicates non-standard Kerberos tooling.

Investigation Tips

  1. AS-REP Roasting: query your environment for accounts with "Do not require Kerberos preauthentication" set (they appear with Pre-Authentication Type 0 in 4768). Any such account can have its AS-REP requested and cracked offline by any domain user, and an RC4 (0x17) encryption type on that 4768 is the cheapest case for the attacker. These accounts should be rare; audit them and disable the setting wherever possible.
  2. Golden Ticket detection: look for 4769 (service ticket requests) for an account and source IP with no preceding 4768 for that account from that IP. A Golden Ticket bypasses the TGT issuance step entirely, since the attacker injects a forged TGT directly, so there is no corresponding 4768. Correlate across the merged logs of every DC: a legitimate client may have obtained its TGT from one DC and requested the service ticket from another.
  3. Pass-the-Ticket: a 4768 from IP A followed by 4769 requests from IP B for the same account means the TGT was taken from IP A and replayed on IP B. Also look for Result Code 0x25 (clock skew) on 4768 events from hosts outside your time synchronisation boundary.
  4. RC4 encryption (0x17) on TGT requests for Domain Admin or krbtgt accounts in an environment that should use AES is anomalous; Kerberos attack frameworks often default to RC4 for compatibility.
  5. Disabled or non-existent accounts requesting TGTs (Result Code 0x12 or 0x6) in volume from one IP indicates account enumeration or an attempt to authenticate with credentials for decommissioned accounts.
  6. Correlate Account Name with your AD inventory: a Golden Ticket can carry an arbitrary account name, including one that does not exist in Active Directory. A 4769 whose Account Name is not in AD is near-certain Golden Ticket activity.
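The checks above only pay off when the Key Fields are parsed consistently and the 4768/4769 stream is correlated in time order. The following is an added example written for this page, not EventPeeker's own code: it builds a handful of constructed Security-log records in EVTX XML shape (the Data names TargetUserName, IpAddress, PreAuthType, Status and TicketEncryptionType are the real ones; the hosts, accounts and timestamps are invented), parses them, and runs each investigation tip as a rule. KNOWN_ACCOUNTS and PRIVILEGED stand in for an AD inventory and a Tier-0 list and are assumptions.

```python
"""Correlation rules for Security events 4768 and 4769 over constructed sample records.

Added example for this page, not EventPeeker's code. KNOWN_ACCOUNTS, PRIVILEGED and the
records in SAMPLE_EVENTS are assumptions / constructed data, not output of a real DC.
Feed it the merged log of every DC: a 4768 on one DC and its 4769 on another would
otherwise be reported as a Golden Ticket.
"""
from collections import Counter, defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
KNOWN_ACCOUNTS = {"alice", "bob", "svc-legacy", "administrator", "krbtgt", "da-backup"}  # assumed AD inventory
PRIVILEGED = {"administrator", "krbtgt", "da-backup"}                               # assumed Tier-0 accounts


def event_xml(event_id, when, **data):
    """Build one record in EVTX XML shape (constructed sample, same Data names the DC writes)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Flatten a record: EventID, timestamp, every EventData field, plus normalised Account and IP."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text),
           "Time": datetime.fromisoformat(root.find(f"{NS}System/{NS}TimeCreated").get("SystemTime"))}
    rec.update((d.get("Name"), d.text) for d in root.iter(f"{NS}Data"))
    rec["Account"] = rec["TargetUserName"].split("@")[0].lower()  # 4769 writes user@REALM, 4768 the bare name
    rec["IP"] = rec["IpAddress"].replace("::ffff:", "")           # DCs log IPv4 clients as IPv4-mapped IPv6
    return rec


def asrep_roastable(events):
    """Tip 1: a 4768 with Pre-Authentication Type 0 names an account whose AS-REP can be cracked offline."""
    return sorted({(e["Account"], e["TicketEncryptionType"]) for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})


def correlate_4769(events):
    """Tips 2, 3 and 6: a 4769 must follow a successful 4768 for the same account from the same IP.
    Returns (account, ip, verdict) for every 4769 that breaks the rule."""
    seen = defaultdict(set)  # account -> IPs that obtained a TGT earlier in the stream
    findings = []
    for e in sorted(events, key=lambda r: r["Time"]):
        if e["EventID"] == 4768 and e["Status"] == "0x0":
            seen[e["Account"]].add(e["IP"])
        elif e["EventID"] == 4769:
            if e["Account"] not in KNOWN_ACCOUNTS:
                findings.append((e["Account"], e["IP"], "golden ticket: account not in AD"))
            elif e["IP"] in seen[e["Account"]]:
                continue  # normal TGT -> service ticket sequence from one host
            elif seen[e["Account"]]:
                src = ", ".join(sorted(seen[e["Account"]]))
                findings.append((e["Account"], e["IP"], f"pass-the-ticket: TGT was issued to {src}"))
            else:
                findings.append((e["Account"], e["IP"], "golden ticket: no 4768 on any DC"))
    return findings


def rc4_privileged(events):
    """Tip 4: RC4-HMAC (0x17) TGTs for Tier-0 accounts in a domain that should negotiate AES."""
    return sorted({(e["Account"], e["IP"]) for e in events
                   if e["EventID"] == 4768 and e["TicketEncryptionType"] == "0x17" and e["Account"] in PRIVILEGED})


def enumeration_sources(events, threshold=5):
    """Tip 5: one IP producing many 4768 failures for unknown (0x6) or revoked (0x12) accounts."""
    counts = Counter(e["IP"] for e in events if e["EventID"] == 4768 and e["Status"] in ("0x6", "0x12"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample stream, not captured from a real domain; failed 4768s carry etype 0xffffffff.
SAMPLE_EVENTS = [parse_event(x) for x in [
    event_xml(4768, "2024-05-01T08:00:00", TargetUserName="alice", ServiceName="krbtgt",
              IpAddress="::ffff:10.0.0.5", PreAuthType="2", Status="0x0", TicketEncryptionType="0x12"),
    event_xml(4769, "2024-05-01T08:00:02", TargetUserName="alice@CORP.LOCAL", ServiceName="cifs/fs01",
              IpAddress="::ffff:10.0.0.5", Status="0x0", TicketEncryptionType="0x12"),   # normal sequence
    event_xml(4769, "2024-05-01T08:05:00", TargetUserName="alice@CORP.LOCAL", ServiceName="cifs/fs01",
              IpAddress="::ffff:10.0.0.99", Status="0x0", TicketEncryptionType="0x12"),  # alice's TGT replayed
    event_xml(4768, "2024-05-01T08:10:00", TargetUserName="svc-legacy", ServiceName="krbtgt",
              IpAddress="::ffff:10.0.0.77", PreAuthType="0", Status="0x0", TicketEncryptionType="0x17"),
    *[event_xml(4768, f"2024-05-01T08:15:0{i}", TargetUserName=u, ServiceName="krbtgt",
                IpAddress="::ffff:10.0.0.42", PreAuthType="2", Status=s, TicketEncryptionType="0xffffffff")
      for i, (u, s) in enumerate([("user1", "0x6"), ("user2", "0x6"), ("user3", "0x6"),
                                  ("user4", "0x6"), ("olduser", "0x12")])],                 # enumeration burst
    event_xml(4769, "2024-05-01T09:00:00", TargetUserName="Administrator@CORP.LOCAL", ServiceName="cifs/dc01",
              IpAddress="::ffff:10.0.0.77", Status="0x0", TicketEncryptionType="0x17"),  # no 4768 anywhere
    event_xml(4769, "2024-05-01T09:01:00", TargetUserName="ghostadmin@CORP.LOCAL", ServiceName="cifs/dc01",
              IpAddress="::ffff:10.0.0.77", Status="0x0", TicketEncryptionType="0x17"),  # name not in AD
    event_xml(4768, "2024-05-01T09:02:00", TargetUserName="da-backup", ServiceName="krbtgt",
              IpAddress="::ffff:10.0.0.77", PreAuthType="2", Status="0x0", TicketEncryptionType="0x17"),
]]


def run_all(events=SAMPLE_EVENTS):
    return {"asrep_roastable": asrep_roastable(events), "ticket_misuse": correlate_4769(events),
            "rc4_privileged": rc4_privileged(events), "enumeration": enumeration_sources(events)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

Against the sample stream the rules report svc-legacy as AS-REP roastable with RC4, alice's service ticket requests from 10.0.0.99 as a replayed TGT (her 4768 came from 10.0.0.5), Administrator and the non-existent ghostadmin on 10.0.0.77 as Golden Ticket candidates, da-backup's RC4 TGT, and 10.0.0.42 as the source of five enumeration failures. In production, replace the constructed list with records exported from every DC (for example via Get-WinEvent -FilterHashtable and the event's ToXml() output) and lower or raise the enumeration threshold to fit your baseline.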

Related Event IDs

4769: Kerberos service ticket requested. A 4769 with no matching 4768 before it for the same account and source is the Golden Ticket indicator.
4771: Kerberos pre-authentication failed. Failed TGT requests, including bad passwords (0x18), land here; complements 4768 for brute-force detection.
4624: Successful logon. The logon event that follows a successful TGT and service ticket exchange.
4672: Special privileges assigned to a new logon. Privileged Kerberos sessions produce a 4672 alongside the 4624.
4625: Failed logon (any authentication package, NTLM included). If 4768 volume drops while authentication attempts continue, check for NTLM fallback.
