detection.wiki

Microsoft-Windows-Security-Auditing › Event 4770

Event ID 4770 — A Kerberos service ticket was renewed.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Account Logon → Kerberos Service Ticket Operations
Collection Priority
Recommended (Yamato Security, others)
Opcode
Info

Description

A Kerberos service ticket was renewed.

Message #

A Kerberos service ticket was renewed.

Account Information:
	Account Name: %1
	Account Domain: %2

Service Information:
	Service Name: %3
	Service ID: %4

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %5
	Ticket Encryption Type: %6

Ticket options and encryption types are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeString[Account Information] Account Name
TargetDomainName UnicodeString[Account Information] Account Domain
ServiceName UnicodeString[Service Information] Service Name
ServiceSid SID[Service Information] Service ID
TicketOptions HexInt32[Additional Information] Ticket Options
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Renewable
0x00800000
Opt-hardware-auth
0x00400000
Canonicalize
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32[Additional Information] Ticket Encryption Type
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xFFFFFFFF
Unspecified
IpAddress UnicodeString[Network Information] Client Address
IpPort UnicodeString[Network Information] Client Port
Account_Name UnicodeString[Account Information] Account Name.
Account_Domain UnicodeString[Account Information] Account Domain.
Service_Name UnicodeString[Service Information] Service Name.
Service_ID SID[Service Information] Service ID.
Ticket_Options HexInt32[Additional Information] Ticket Options.
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Renewable
0x00800000
Opt-hardware-auth
0x00400000
Canonicalize
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Ticket_Encryption_Type HexInt32[Additional Information] Ticket Encryption Type.
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xFFFFFFFF
Unspecified
Client_Address UnicodeString[Network Information] Client Address.
Client_Port UnicodeString[Network Information] Client Port.
RequestTicketHash UnicodeString
ResponseTicketHash UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4770,
    "version": 0,
    "level": 0,
    "task": 14337,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-07T02:29:17.564406+00:00",
    "event_record_id": 13430760,
    "correlation": {},
    "execution": {
      "process_id": 916,
      "thread_id": 2888
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "LAB-DC01$@LUDUS.DOMAIN",
    "TargetDomainName": "LUDUS.DOMAIN",
    "ServiceName": "krbtgt",
    "ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-502",
    "TicketOptions": "0x10002",
    "TicketEncryptionType": "0x12",
    "IpAddress": "::1",
    "IpPort": "0"
  },
  "message": ""
}

References #