EventPeeker
Event ID 4771 · Audit Failure · Security · T1110

Windows Event ID 4771: Kerberos Pre-authentication Failed

Logged on the domain controller when Kerberos pre-authentication fails — effectively the Kerberos equivalent of Event ID 4625. Fires when a client submits an incorrect password, targets a non-existent account, or attempts authentication against a locked or disabled account via the Kerberos protocol.

MITRE ATT&CK

Technique: T1110 · Brute Force

Tactic: Credential Access


Why It Matters

4771 is the primary Kerberos brute-force and password spray indicator. Unlike NTLM failures (Event 4625), 4771 fires specifically on domain controllers for Kerberos authentication — which means high-volume 4771 events targeting domain accounts from a single IP point directly at credential attacks against Active Directory. Failure code 0x18 (bad password) in bulk is the clearest signal. 4771 is also useful for detecting Kerberos enumeration: failure code 0x6 (no such user) reveals whether an attacker is probing for valid account names before attempting passwords.

Key Fields

Account Name: The account targeted by the failed authentication. Bulk failures against the same account = brute force; many different accounts = password spray.
Failure Code: 0x18 = bad password (most common for brute force); 0x6 = no such user (enumeration); 0x17 = password expired; 0x12 = account disabled/locked; 0x25 = clock skew too great (Kerberos requires clock sync within 5 minutes).
Client Address: Source IP. Bulk failures from a single IP across many accounts = password spray; bulk failures from many IPs against one account = distributed attack.
Pre-Authentication Type: The pre-auth method used. Type 2 is standard password; unexpected values may indicate non-standard tools.

Investigation Tips

  1. Bulk 4771 with failure code 0x18 from a single Client Address = Kerberos brute force. Same pattern across many Account Names = password spray.
  2. Failure code 0x6 (no such user) in volume from one IP = account enumeration — the attacker is probing for valid usernames before launching credential attacks.
  3. Correlate with 4768 (TGT request) from the same account and Client Address — a successful 4768 shortly after 4771 failures confirms a credential was cracked.
  4. Check for Event 4740 (account lockout) on accounts with high 4771 volume — lockouts confirm brute force is triggering the lockout threshold.
  5. 4771 does not fire for NTLM authentication — if you see a suspicious IP but no 4771, check 4625 for NTLM-protocol failures from the same source.
  6. Clock skew errors (0x25) from unexpected hosts can indicate an attacker trying to authenticate from a machine outside your time synchronization boundary.
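As an added example (not part of EventPeeker's page or tooling), the following Python applies the bulk-failure patterns from the Key Fields and Investigation Tips above to constructed 4771 records: brute force, password spray, distributed attack and enumeration. The record layout, the sample values and the threshold of 5 are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample 4771 records (assumed layout; not from the page).
# Each tuple is (Account Name, Client Address, Failure Code).
SAMPLE_EVENTS = (
    [("svc_backup", "10.0.0.5", "0x18")] * 6                 # one IP, one account
    + [(f"user{i}", "10.0.0.9", "0x18") for i in range(6)]   # one IP, many accounts
    + [(f"guess{i}", "10.0.0.22", "0x6") for i in range(6)]  # one IP, unknown users
    + [("admin", f"10.0.1.{i}", "0x18") for i in range(6)]   # many IPs, one account
    + [("alice", "10.0.0.40", "0x18"), ("bob", "10.0.0.41", "0x25")]  # benign noise
)

def analyze_4771(events, threshold=5):
    """Classify bulk 4771 failures. Returns sorted (pattern, key, count) tuples:
      brute_force    - >= threshold 0x18 from one Client Address to one Account Name
      password_spray - >= threshold distinct Account Names with 0x18 from one Client Address
      distributed    - >= threshold distinct Client Addresses with 0x18 against one Account Name
      enumeration    - >= threshold 0x6 (no such user) from one Client Address
    Other failure codes (0x12, 0x17, 0x25) are ignored here; they need per-host review.
    """
    bad_pw_by_ip = defaultdict(Counter)   # ip -> Counter of accounts hit with 0x18
    ips_by_account = defaultdict(set)     # account -> set of ips sending 0x18
    no_such_user = Counter()              # ip -> number of 0x6 failures
    for account, ip, code in events:
        if code == "0x18":
            bad_pw_by_ip[ip][account] += 1
            ips_by_account[account].add(ip)
        elif code == "0x6":
            no_such_user[ip] += 1
    findings = []
    for ip, accounts in bad_pw_by_ip.items():
        for account, n in accounts.items():
            if n >= threshold:
                findings.append(("brute_force", f"{ip}->{account}", n))
        if len(accounts) >= threshold:
            findings.append(("password_spray", ip, len(accounts)))
    for account, ips in ips_by_account.items():
        if len(ips) >= threshold:
            findings.append(("distributed", account, len(ips)))
    for ip, n in no_such_user.items():
        if n >= threshold:
            findings.append(("enumeration", ip, n))
    return sorted(findings)

if __name__ == "__main__":
    for pattern, key, count in analyze_4771(SAMPLE_EVENTS):
        print(f"{pattern:15} {key:25} {count}")
```

Each finding is a starting point for the correlation steps above (4768, 4740, 4625 from the same Client Address), not a verdict on its own.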

Related Event IDs

4625: NTLM failed logon — same attack via NTLM protocol rather than Kerberos
4768: Kerberos TGT request — successful authentication after 4771 failures confirms credential compromise
4740: Account lockout — follows high-volume 4771 failures when lockout threshold is hit
4776: NTLM credential validation — alternative failed auth event for non-Kerberos environments
4624: Successful logon — confirms attacker gained access after credential attack
