EventPeeker
Event ID 4769 · Audit Success · Security · T1558.003

Windows Event ID 4769: Kerberos Service Ticket Requested

Logged on the domain controller each time a client requests a Kerberos Service Ticket (TGS) to access a specific service. Every Kerberos-authenticated connection to a file share, SQL server, web app, or other domain resource generates a 4769. Volume is high in healthy environments — the security signal comes from the encryption type, the requesting account pattern, and the services being targeted.

MITRE ATT&CK

Technique: T1558.003 · Kerberoasting

Tactic: Credential Access


Why It Matters

4769 is the primary detection surface for two major credential attacks. Kerberoasting: an attacker with any domain account requests service tickets for accounts with SPNs, then cracks the RC4-encrypted ticket offline. Golden Ticket: a forged TGT (created using the krbtgt hash) is used to request service tickets — the giveaway is RC4 encryption or a non-existent Account Name in the 4769 event. Both attacks generate 4769 events that look nearly identical to legitimate traffic at the protocol level, making field-level analysis essential.

Key Fields

Account Name: The account requesting the ticket — check if it exists in AD; Golden Tickets can specify non-existent accounts
Service Name: The SPN of the service being accessed — bulk requests for many different SPNs from one account = Kerberoasting
Ticket Encryption Type: 0x17 (RC4-HMAC) is the cracking target; modern environments use AES (0x11, 0x12). RC4 for a service account = Kerberoasting; RC4 for a privileged account = possible Golden Ticket
Client Address: Source workstation — all bulk requests from a single IP in quick succession are high-confidence Kerberoasting
Ticket Options: Unusual flag combinations (e.g. 0x40810000) can indicate forged ticket requests
Failure Code: 0x0 = success; non-zero codes indicate errors that may reveal reconnaissance activity

Investigation Tips

  1. Kerberoasting pattern: single Account Name requesting TGS tickets for 5+ different SPNs within minutes, all with Ticket Encryption Type 0x17 (RC4).
  2. Golden Ticket pattern: Account Name does not exist in Active Directory, OR no preceding Event 4768 (TGT request) on the DC for the same account — Golden Tickets bypass TGT issuance.
  3. Filter for non-machine-account service names (SPNs without the $ suffix) — user and service accounts with SPNs are the Kerberoasting targets.
  4. Legitimate app servers (SharePoint, SQL, IIS) request TGS for many services — baseline normal patterns per server before alerting on volume.
  5. Check Ticket Encryption Type 0x17 on privileged accounts (Domain Admins, krbtgt) specifically — these should use AES256 in modern domains.

Detection Logic

Microsoft Sentinel (KQL) — detect Kerberoasting via RC4 service ticket requests, and volume-based spray (one account requesting 5+ tickets in 5 min).

// Kerberoasting: RC4 service ticket requests targeting SPN accounts
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName !endswith "$"
| where ServiceName != "krbtgt"
| project TimeGenerated, TargetAccount, ServiceName, IpAddress, Computer
| sort by TimeGenerated desc

// Volume-based Kerberoasting: one account requesting 5+ RC4 tickets within 5 min
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| summarize TicketCount=count(), Services=make_set(ServiceName)
    by TargetAccount, bin(TimeGenerated, 5m)
| where TicketCount >= 5
| sort by TimeGenerated desc
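
An added example (not EventPeeker's code): the Kerberoasting pattern from the investigation tips applied in Python to constructed 4769 records, counting distinct SPNs in a sliding 5-minute window so that a burst straddling a fixed bin edge is still caught and repeated requests for one SPN are not. The record field names, the account and service names, and the `baseline_clients` parameter are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW, MIN_SPNS, RC4 = timedelta(minutes=5), 5, "0x17"

def ev(ts, account, service, etype=RC4, client="10.0.0.50"):
    """Build one constructed 4769 record (field names are illustrative)."""
    return {"time": datetime.fromisoformat(ts), "account": account,
            "service": service, "etype": etype, "client": client}

# Constructed sample events, not real logs.
SAMPLE = [
    ev("2024-01-10T09:03:10", "jdoe", "svc_sql"),
    ev("2024-01-10T09:04:05", "jdoe", "svc_web"),
    ev("2024-01-10T09:04:40", "jdoe", "svc_backup"),
    ev("2024-01-10T09:05:20", "jdoe", "svc_sharepoint"),  # burst crosses the 09:05 bin edge
    ev("2024-01-10T09:06:15", "jdoe", "svc_report"),
    ev("2024-01-10T09:06:30", "jdoe", "FILE01$"),         # machine account, ignored
    ev("2024-01-10T09:07:00", "bwong", "svc_sql", etype="0x12"),  # AES, ignored
] + [ev(f"2024-01-10T09:11:0{i}", "asmith", "svc_sql", client="10.0.0.77")
     for i in range(5)]                                   # 5 tickets, but only one SPN

def find_kerberoasting(events, baseline_clients=frozenset()):
    """Return one alert per account with MIN_SPNS+ distinct RC4 SPNs inside WINDOW."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        svc = e["service"]
        if e["etype"].lower() != RC4 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e["client"] in baseline_clients:   # servers already baselined as normal
            continue
        per_account[e["account"]].append(e)
    alerts = []
    for account, evs in per_account.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["time"] - evs[start]["time"] > WINDOW:
                start += 1                    # slide the window forward
            window = evs[start:end + 1]
            spns = sorted({e["service"] for e in window})
            if len(spns) >= MIN_SPNS:
                alerts.append({"account": account, "spns": spns,
                               "clients": sorted({e["client"] for e in window}),
                               "first": window[0]["time"], "last": cur["time"]})
                break                         # one alert per account is enough
    return alerts

if __name__ == "__main__":
    for alert in find_kerberoasting(SAMPLE):
        print(alert)
```

On the sample, a fixed 5-minute bin would split the `jdoe` burst into 3 and 2 tickets and stay under the threshold, while a pure ticket count would flag `asmith` for five requests to a single SPN.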


Related Event IDs

4768: Kerberos TGT request — absence of 4768 before a 4769 suggests a Golden Ticket
4770: Kerberos service ticket renewal — forged tickets may show abnormal renewal patterns
4771: Kerberos pre-auth failed — brute-force or password stuffing against Kerberos accounts
4672: Special privileges assigned — privileged sessions from forged tickets trigger 4672
4624: Successful logon — trace the session that used the forged or cracked ticket
