Event ID 4768 — A Kerberos authentication ticket (TGT) was requested.
Description
A Kerberos authentication ticket (TGT) was requested.
Fields #
| Name | EventData element | Description |
|---|---|---|
| Account_Name | TargetUserName | [Account Information] Account Name. The account the TGT was requested for; a trailing $ marks a computer account. |
| Supplied_Realm_Name | TargetDomainName | [Account Information] Supplied Realm Name. The Kerberos realm (domain name) sent by the client. |
| User_ID | TargetSid | [Account Information] User ID. SID of the account; S-1-0-0 (NULL SID) when the request failed. |
| Service_Name | ServiceName | [Service Information] Service Name. For a TGT request this is krbtgt/REALM. |
| Service_ID | ServiceSid | [Service Information] Service ID. SID of the krbtgt account; S-1-0-0 when the request failed. |
| Ticket_Options | TicketOptions | [Additional Information] Ticket Options. Bitmask of the KDC options from the request (RFC 4120 KDCOptions; bit 0 is the most significant bit, 0x80000000). The usual value from a Windows client is 0x40810010 (forwardable, renewable, canonicalize, renewable-ok); other values point at non-Windows clients or tooling and are a useful pivot. |
| Result_Code | Status | [Additional Information] Result Code. 0x0 on success; otherwise the Kerberos KRB-ERROR code, for example 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, account not found), 0x12 (KDC_ERR_CLIENT_REVOKED: disabled, locked out or expired), 0x17 (KDC_ERR_KEY_EXPIRED), 0x18 (KDC_ERR_PREAUTH_FAILED, wrong password). The enumeration and spraying rules below key on 0x6 and 0x12. |
| Ticket_Encryption_Type | TicketEncryptionType | [Additional Information] Ticket Encryption Type. Cipher of the issued TGT: 0x12 AES256-CTS-HMAC-SHA1-96, 0x11 AES128-CTS-HMAC-SHA1-96, 0x17 RC4-HMAC (legacy; see the RC4 and AS-REP roasting rules below), 0x1/0x3 DES. 0xFFFFFFFF is logged when the request failed and no ticket was issued. |
| PreAuthentication_Type | PreAuthType | [Additional Information] Pre-Authentication Type. 0 = no pre-authentication required (the account is AS-REP roastable), 2 = PA-ENC-TIMESTAMP (password-derived key, the normal case), 15/16/17 = PKINIT (certificate or smart card logon), 138 = PA-ENCRYPTED-CHALLENGE (FAST). Logged as - on audit failures. |
| Client_Address | IpAddress | [Network Information] Client Address. IPv4 or IPv6 address of the requesting host (IPv4 frequently appears as ::ffff:a.b.c.d; ::1 means the request originated on the DC itself). |
| Client_Port | IpPort | [Network Information] Client Port. Source port of the request; 0 for local requests. |
| Certificate_Issuer_Name | CertIssuerName | [Certificate Information] Certificate Issuer Name. Issuer of the client certificate; empty unless certificate-based (PKINIT) logon was used. |
| Certificate_Serial_Number | CertSerialNumber | [Certificate Information] Certificate Serial Number. Serial number of the client certificate; empty unless PKINIT was used. |
| Certificate_Thumbprint | CertThumbprint | [Certificate Information] Certificate Thumbprint. Thumbprint of the client certificate; empty unless PKINIT was used. |
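As an added example (not code from the page or from Microsoft), the following Python maps the EventData element names seen in the example event to the field names in the table and translates the hex codes: it expands the Ticket_Options bitmask into flag names using the Kerberos MSB-first bit numbering, names the result, encryption and pre-authentication codes, and derives the booleans a detection would key on. The code tables were assembled from the Microsoft reference linked under References; the first sample record is the page's own example event, the second is a constructed successful logon.

```python
"""Decode a 4768 EventData record into the field names of the table above.
Added example; the code tables were assembled from the Microsoft reference
for this event and are not part of the page."""

# Documentation field name -> EventData element name (as in the example event)
FIELD_MAP = {
    "Account_Name": "TargetUserName",
    "Supplied_Realm_Name": "TargetDomainName",
    "User_ID": "TargetSid",
    "Service_Name": "ServiceName",
    "Service_ID": "ServiceSid",
    "Ticket_Options": "TicketOptions",
    "Result_Code": "Status",
    "Ticket_Encryption_Type": "TicketEncryptionType",
    "PreAuthentication_Type": "PreAuthType",
    "Client_Address": "IpAddress",
    "Client_Port": "IpPort",
    "Certificate_Issuer_Name": "CertIssuerName",
    "Certificate_Serial_Number": "CertSerialNumber",
    "Certificate_Thumbprint": "CertThumbprint",
}

# KDCOptions bits (RFC 4120 section 5.4.1). Kerberos numbers bits from the
# most significant end, so bit 0 is 0x80000000 and bit 27 (renewable-ok) is 0x10.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}

RESULT_CODES = {            # Status: 0x0 on success, else the KRB-ERROR code
    0x0: "success",
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist)",
    0x12: "KDC_ERR_CLIENT_REVOKED (disabled, locked out or expired)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW (clock skew)",
}

ENCRYPTION_TYPES = {
    0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC",
    0xFFFFFFFF: "none (request failed, no ticket issued)",
}

PREAUTH_TYPES = {
    0: "none (pre-authentication not required)",
    2: "PA-ENC-TIMESTAMP (password-derived key)",
    15: "PA-PK-AS-REP_OLD (certificate, legacy)",
    16: "PA-PK-AS-REQ (certificate / smart card, PKINIT)",
    17: "PA-PK-AS-REP",
    138: "PA-ENCRYPTED-CHALLENGE (FAST)",
}


def decode_4768(event_data: dict) -> dict:
    """Return the record keyed by the documentation names, plus decoded fields."""
    out = {doc: event_data.get(xml, "") for doc, xml in FIELD_MAP.items()}
    status = int(out["Result_Code"], 16)
    options = int(out["Ticket_Options"], 16)
    etype = int(out["Ticket_Encryption_Type"], 16)
    preauth = out["PreAuthentication_Type"]
    out["Result_Code_Name"] = RESULT_CODES.get(status, f"unknown 0x{status:x}")
    out["Ticket_Options_Flags"] = [
        name for bit, name in KDC_OPTION_BITS.items() if options & (1 << (31 - bit))
    ]
    out["Ticket_Encryption_Type_Name"] = ENCRYPTION_TYPES.get(etype, f"unknown 0x{etype:x}")
    # "-" is logged on audit failures, where no pre-authentication type applies
    out["PreAuthentication_Type_Name"] = (
        "not recorded (audit failure)" if preauth == "-"
        else PREAUTH_TYPES.get(int(preauth), f"unknown {preauth}")
    )
    out["Succeeded"] = status == 0
    out["Is_Computer_Account"] = out["Account_Name"].endswith("$")
    out["Certificate_Logon"] = bool(out["Certificate_Thumbprint"])
    return out


# EventData of the example event further down this page (a failed request)
PAGE_EXAMPLE = {
    "TargetUserName": "HD01", "TargetDomainName": "CONTOSO.COM", "TargetSid": "S-1-0-0",
    "ServiceName": "krbtgt/CONTOSO.COM", "ServiceSid": "S-1-0-0", "TicketOptions": "0x10",
    "Status": "0x6", "TicketEncryptionType": "0xffffffff", "PreAuthType": "-",
    "IpAddress": "172.16.66.1", "IpPort": "55961",
    "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": "",
}
# Constructed successful request for contrast (account, SID and address are made up)
CONSTRUCTED_SUCCESS = dict(
    PAGE_EXAMPLE, TargetUserName="jdoe", TargetSid="S-1-5-21-1-2-3-1104",
    TicketOptions="0x40810010", Status="0x0", TicketEncryptionType="0x12",
    PreAuthType="2", IpAddress="::ffff:10.0.0.21",
)

if __name__ == "__main__":
    for rec in (PAGE_EXAMPLE, CONSTRUCTED_SUCCESS):
        d = decode_4768(rec)
        print(d["Account_Name"], d["Result_Code_Name"], d["Ticket_Options_Flags"],
              d["Ticket_Encryption_Type_Name"], d["PreAuthentication_Type_Name"])
```

For the page's example the decoder reports a failed request for a non-existent account (0x6), no ticket (0xFFFFFFFF), no pre-authentication recorded and only the renewable-ok option set, which is the shape an enumeration tool produces; the constructed record decodes to the default Windows option set with an AES256 ticket and timestamp pre-authentication.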
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4768,
"version": 0,
"level": 0,
"task": 14339,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2020-07-22T20:29:36.414827Z",
"event_record_id": 887107,
"correlation": {},
"execution": {
"process_id": 568,
"thread_id": 2476
},
"channel": "Security",
"computer": "01566s-win16-ir.threebeesco.com",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "HD01",
"TargetDomainName": "CONTOSO.COM",
"TargetSid": "S-1-0-0",
"ServiceName": "krbtgt/CONTOSO.COM",
"ServiceSid": "S-1-0-0",
"TicketOptions": "0x10",
"Status": "0x6",
"TicketEncryptionType": "0xffffffff",
"PreAuthType": "-",
"IpAddress": "172.16.66.1",
"IpPort": "55961",
"CertIssuerName": "",
"CertSerialNumber": "",
"CertThumbprint": ""
}
}
Detection Patterns #
- Defense Evasion: Domain Accounts (1 rule): Event ID 4781 (The name of an account was changed) → Event ID 4768 (A Kerberos authentication ticket (TGT) was requested).
Community Notes #
Kerberos TGT request (consider Pass-the-Ticket, Golden TGT attacks). Requests from a non-interactive source prior to 4769 may indicate ticket replay or Pass-the-Ticket staging.
Detection Rules #
Sigma #
- Potential AS-REP Roasting via Kerberos TGT Requests (level: medium): Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e., RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
- PetitPotam Suspicious Kerberos TGT Request (level: high): Detect suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
Splunk #
- Kerberos TGT Request Using RC4 Encryption: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.
- Kerberos User Enumeration: The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.
- PetitPotam Suspicious Kerberos TGT Request: The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.
- Windows Computer Account Requesting Kerberos Ticket: The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos: The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.
- Windows Multiple Invalid Users Fail To Authenticate Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT), and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT), and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.
Kusto Query Language #
- Certified Pre-Owned - TGTs requested with certificate authentication (level: medium): This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
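As an added example (not the Sigma, Splunk or KQL rules themselves, and not code from the page), the conditions those rules describe restated as Python over a constructed batch of 4768 records: single-event checks for AS-REP roastable accounts (pre-auth type 0 with RC4), RC4 user TGTs (the overpass-the-hash indicator) and certificate-based TGTs (the PetitPotam/ADCS and Certified Pre-Owned chain), plus a sliding-window count of distinct failing account names per source address for the enumeration and spraying rules. All account names, addresses and timestamps are made up; the 30-users-in-5-minutes threshold follows the Splunk rules above, and the 3-sigma baseline of the user-enumeration rule is replaced by that fixed threshold.

```python
"""Detection logic for Event ID 4768 over constructed records.
Added example: a working restatement of the conditions in the rules above,
not the rules themselves. All sample data below is made up."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

RC4_HMAC = 0x17
# KRB-ERROR codes the enumeration/spraying rules key on
SPRAY_CODES = {
    0x6: "user enumeration or spraying of non-existent users (KDC_ERR_C_PRINCIPAL_UNKNOWN)",
    0x12: "spraying against disabled or locked accounts (KDC_ERR_CLIENT_REVOKED)",
}


def per_event_findings(e: dict) -> list:
    """Rules that fire on one successful 4768: AS-REP roastable account,
    RC4 TGT for a user (overpass-the-hash), certificate-based (PKINIT) TGT."""
    status = int(e["Status"], 16)
    etype = int(e["TicketEncryptionType"], 16)
    computer = e["TargetUserName"].endswith("$")
    hits = []
    if status != 0:
        return hits                                   # failures issue no ticket
    if e["PreAuthType"] == "0" and etype == RC4_HMAC:
        hits.append("asrep_roastable")                # no pre-auth + RC4 AS-REP
    elif etype == RC4_HMAC and not computer:
        hits.append("rc4_user_tgt")                   # possible overpass-the-hash
    if e["CertThumbprint"] or e["PreAuthType"] in ("15", "16"):
        # Certificate (PKINIT) logon. For a computer account this is the
        # PetitPotam/ADCS chain; baseline smart-card users before alerting
        # on the user-account variant.
        hits.append("certificate_tgt_computer" if computer else "certificate_tgt_user")
    return hits


def spray_findings(events, window=timedelta(minutes=5), threshold=30):
    """Per source address and KRB-ERROR code, count distinct account names
    failing inside any `window`-long interval (Splunk rules: 30 in 5 minutes)."""
    by_key = defaultdict(list)
    for e in events:
        code = int(e["Status"], 16)
        if code in SPRAY_CODES:
            by_key[(e["IpAddress"], code)].append((e["_time"], e["TargetUserName"]))
    findings = []
    for (ip, code), hits in by_key.items():
        hits.sort()
        live = Counter()                              # account names inside the window
        start = 0
        for t, user in hits:
            live[user] += 1
            while t - hits[start][0] > window:        # slide the window forward
                old = hits[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= threshold:
                findings.append({"source": ip, "rule": SPRAY_CODES[code],
                                 "distinct_users": len(live), "at": t})
                break                                 # one alert per source/code
    return findings


# ---- constructed sample records (not real telemetry) ----
T0 = datetime(2020, 7, 22, 20, 29, tzinfo=timezone.utc)


def rec(user, status, ip, etype="0x12", preauth="2", cert="", offset_s=0):
    return {"_time": T0 + timedelta(seconds=offset_s), "TargetUserName": user,
            "Status": status, "TicketEncryptionType": etype, "PreAuthType": preauth,
            "IpAddress": ip, "CertThumbprint": cert}


SAMPLE = (
    # 35 different non-existent names from one host within 70 s: enumeration
    [rec(f"guess{i:02d}", "0x6", "10.0.0.5", "0xffffffff", "-", offset_s=2 * i) for i in range(35)]
    # 5 disabled accounts from another host: below the 30-user threshold
    + [rec(f"old{i}", "0x12", "10.0.0.7", "0xffffffff", "-", offset_s=i) for i in range(5)]
    + [rec("svc_backup", "0x0", "10.0.0.9", "0x17", "0")]                # AS-REP roastable
    + [rec("jdoe", "0x0", "10.0.0.21", "0x17")]                           # RC4 TGT for a user
    + [rec("DC01$", "0x0", "10.0.0.21", "0x12", "16", cert="0a1b2c3d")]  # cert TGT, DC account
    + [rec("WS07$", "0x0", "10.0.0.31")]                                  # normal machine logon
)


def run(events):
    per_event = {e["TargetUserName"]: f for e in events if (f := per_event_findings(e))}
    return {"per_event": per_event, "spray": spray_findings(events)}


if __name__ == "__main__":
    for section, result in run(SAMPLE).items():
        print(section, result)
```

Counting distinct account names per source rather than raw failures is what separates a spray from one user mistyping a password thirty times. The Splunk "computer account requesting Kerberos ticket" condition is deliberately not a standalone finding here: machine accounts request TGTs continuously (WS07$ above is a normal one), so only the certificate-based computer-account TGT, the step that follows a PetitPotam/ADCS certificate theft, is flagged. Tune the window and threshold against your own 4768 baseline before alerting.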
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx