Event ID 4649 — A replay attack was detected.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

A replay attack was detected.

Message #

A replay attack was detected.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Credentials Which Were Replayed:
	Account Name: %5
	Account Domain: %6

Process Information:
	Process ID: %12
	Process Name: %13

Network Information:
	Workstation Name: %10

Detailed Authentication Information:
	Request Type: %7
	Logon Process: %8
	Authentication Package: %9
	Transited Services: %11

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

Fields #

Name	Description
`Security_ID` SID	[Subject] Security ID.
`Account_Name` UnicodeString	[Subject] Account Name.
`Account_Domain` UnicodeString	[Subject] Account Domain.
`Logon_ID` HexInt64	[Subject] Logon ID.
`Account_Name` UnicodeString	[Credentials Which Were Replayed] Account Name.
`Account_Domain` UnicodeString	[Credentials Which Were Replayed] Account Domain.
`Request_Type` UnicodeString	[Detailed Authentication Information] Request Type.
`Logon_Process` UnicodeString	[Detailed Authentication Information] Logon Process.
`Authentication_Package` UnicodeString	[Detailed Authentication Information] Authentication Package.
`Workstation_Name` UnicodeString	[Network Information] Workstation Name.
`Transited_Services` UnicodeString	[Detailed Authentication Information] Transited Services.
`Process_ID` Pointer	[Process Information] Process ID.
`Process_Name` UnicodeString	[Process Information] Process Name.
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`TargetUserName` UnicodeString	[Credentials Which Were Replayed] Account Name
`TargetDomainName` UnicodeString	[Credentials Which Were Replayed] Account Domain
`RequestType` UnicodeString	[Detailed Authentication Information] Request Type
`LogonProcessName` UnicodeString	[Detailed Authentication Information] Logon Process
`AuthenticationPackage` UnicodeString	[Detailed Authentication Information] Authentication Package
`WorkstationName` UnicodeString	[Network Information] Workstation Name
`TransmittedServices` UnicodeString	[Detailed Authentication Information] Transited Services
`ProcessId` Pointer	[Process Information] Process ID
`ProcessName` UnicodeString	[Process Information] Process Name

Community Notes #

Alerts when a copied ticket is reused.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Replay Attack Detected source high: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4649