Event ID 4771 · Audit Failure · Security · T1110

Windows Event ID 4771: Kerberos Pre-authentication Failed

Logged on the domain controller when Kerberos pre-authentication fails — effectively the Kerberos equivalent of Event ID 4625. Fires when a client submits an incorrect password, targets a non-existent account, or attempts authentication against a locked or disabled account via the Kerberos protocol.

MITRE ATT&CK

Technique

T1110 · Brute Force

Tactic

Credential Access

View on attack.mitre.org →

Why It Matters

4771 is the primary Kerberos brute-force and password spray indicator. Unlike NTLM failures (Event 4625), 4771 fires specifically on domain controllers for Kerberos authentication — which means high-volume 4771 events targeting domain accounts from a single IP point directly at credential attacks against Active Directory. Failure code 0x18 (bad password) in bulk is the clearest signal. 4771 is also useful for detecting Kerberos enumeration: failure code 0x6 (no such user) reveals whether an attacker is probing for valid account names before attempting passwords.

Key Fields

Account Name: The account targeted by the failed authentication — bulk failures against the same account = brute force; many different accounts = password spray
Failure Code: 0x18 = bad password (most common for brute force); 0x6 = no such user (enumeration); 0x17 = password expired; 0x12 = account disabled/locked; 0x25 = clock skew too great (Kerberos requires clock sync within 5 minutes)
Client Address: Source IP — bulk failures from a single IP across many accounts = password spray; bulk failures from many IPs against one account = distributed attack
Pre-Authentication Type: The pre-auth method used — type 2 is standard password; unexpected values may indicate non-standard tools

Investigation Tips

  1. Bulk 4771 with failure code 0x18 from a single Client Address = Kerberos brute-force. Same pattern across many Account Names = password spray.
  2. Failure code 0x6 (no such user) in volume from one IP = account enumeration — attacker is probing for valid usernames before launching credential attacks.
  3. Correlate with 4768 (TGT request) from the same account and Client Address — a successful 4768 shortly after 4771 failures confirms a credential was cracked.
  4. Check for Event 4740 (account lockout) on accounts with high 4771 volume — lockouts confirm brute-force is triggering the lockout threshold.
  5. 4771 does not fire for NTLM authentication — if you see a suspicious IP but no 4771, check 4625 for NTLM-protocol failures from the same source.
  6. Clock skew errors (0x25) from unexpected hosts can indicate an attacker trying to authenticate from a machine outside your time synchronization boundary.

Detection Logic

Microsoft Sentinel (KQL) — detect Kerberos brute force (bulk 0x18 failures) and account enumeration (bulk 0x6 failures from one source). In the SecurityEvent table the 4771 Failure Code is exposed in the Status column and the targeted account in TargetUserName.

// Kerberos brute force: 10+ bad-password failures against one account in 5 min
SecurityEvent
| where EventID == 4771
| where Status == "0x18"   // Failure Code 0x18 = bad password
| summarize FailCount=count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
| where FailCount >= 10
| sort by TimeGenerated desc

// Account enumeration: one IP generating 5+ "no such user" failures in 10 min
SecurityEvent
| where EventID == 4771
| where Status == "0x6"    // Failure Code 0x6 = no such user
| summarize Accounts=dcount(TargetUserName) by IpAddress, bin(TimeGenerated, 10m)
| where Accounts >= 5
| extend Alert = "Kerberos enumeration — probing for valid account names"
| sort by TimeGenerated desc
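The Investigation Tips above and the two KQL queries apply the same thresholds; the following Python script is an added example (not EventPeeker's code) that runs those checks offline over constructed 4771/4768 records, including the tip-3 correlation of a successful 4768 after bad-password failures from the same account and IP. The record shape, the `triage` helper and the sample data are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real logs). Field names mirror the EventData names the
# DC writes for 4771/4768: TargetUserName, IpAddress and Status (the Failure/Result Code).
def _ev(eid, minute, user, ip, status):
    return {"EventID": eid, "Time": datetime(2024, 5, 1, 10, minute),
            "TargetUserName": user, "IpAddress": ip, "Status": status}

SAMPLE_EVENTS = (
    [_ev(4771, 0, "jdoe", "10.0.0.5", "0x18") for _ in range(10)]     # tip 1: brute force, one account
    + [_ev(4768, 1, "jdoe", "10.0.0.5", "0x0")]                        # tip 3: successful TGT afterwards
    + [_ev(4771, 2, u, "10.0.0.7", "0x18") for u in "abcde"]           # tip 1: spray, many accounts
    + [_ev(4771, 3, f"svc{i}", "10.0.0.9", "0x6") for i in range(5)]   # tip 2: enumeration
)

def _bin(t, minutes):
    """Floor a timestamp to a fixed window, like KQL bin()."""
    return t.replace(second=0, microsecond=0, minute=t.minute - t.minute % minutes)

def triage(events, brute_min=10, spray_min=5, enum_min=5):
    """Apply the page's thresholds: 10+ 0x18 per account/IP in 5 min, 5+ accounts per IP."""
    brute, spray, probe, last_fail = Counter(), defaultdict(set), defaultdict(set), {}
    for e in events:
        if e["EventID"] != 4771:
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        if e["Status"] == "0x18":                        # bad password
            brute[key + (_bin(e["Time"], 5),)] += 1
            spray[(e["IpAddress"], _bin(e["Time"], 5))].add(e["TargetUserName"])
            last_fail[key] = max(last_fail.get(key, e["Time"]), e["Time"])
        elif e["Status"] == "0x6":                       # no such user
            probe[(e["IpAddress"], _bin(e["Time"], 10))].add(e["TargetUserName"])
    brute_hits = {(u, ip) for (u, ip, _), n in brute.items() if n >= brute_min}
    return {
        "brute_force": sorted(brute_hits),
        "password_spray": sorted({ip for (ip, _), us in spray.items() if len(us) >= spray_min}),
        "enumeration": sorted({ip for (ip, _), us in probe.items() if len(us) >= enum_min}),
        # tip 3: a successful 4768 from the same account + IP after the failures = likely cracked
        "likely_cracked": sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                                  if e["EventID"] == 4768 and e["Status"] == "0x0"
                                  and (e["TargetUserName"], e["IpAddress"]) in brute_hits
                                  and last_fail[(e["TargetUserName"], e["IpAddress"])] <= e["Time"]}),
    }

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EVENTS).items():
        print(f"{kind}: {hits}")
```

Feed it records parsed from an exported .evtx (for example via python-evtx) with the same five keys to run the checks against real data.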


Related Event IDs

4625: NTLM failed logon — same attack via NTLM protocol rather than Kerberos
4768: Kerberos TGT request — successful authentication after 4771 failures confirms credential compromise
4769: Kerberos service ticket request — follows successful TGT; correlate account and IP across both
4770: Kerberos service ticket renewal — if 4771 failures precede a 4770 renewal from the same IP, that suggests credential probing before renewal
4740: Account lockout — follows high-volume 4771 failures when lockout threshold is hit
4776: NTLM credential validation — alternative failed auth event for non-Kerberos environments
4624: Successful logon — confirms attacker gained access after credential attack

Go deeper: the full Kerberos Attacks (Kerberoasting, AS-REP Roasting) guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

