4649 A replay attack was detected
Written when a domain controller detects a Kerberos replay (a resend of an identical request) and returns KRB_AP_ERR_REPEAT. It can mean an attack or a network fault.
Overview
The subcategory is Audit Other Logon/Logoff Events. It is generated on a domain controller (the server that governs network authentication). The DC caches information from recently received tickets; if the server name, client name, time, and microsecond fields match a recent entry, it treats it as a replay and returns KRB_AP_ERR_REPEAT (RFC 1510). It requires an Active Directory domain controller.
How it is triggered
- When an identical authentication request (Authenticator) arrives twice.
- A non-attack cause is a misconfigured network device between client and server that resends the same packets repeatedly.
Security review points
- It can be a sign of a replay attack (capturing legitimate authentication data and resending it as-is to get through authentication). If it occurs, raising an alert and investigating the cause is recommended.
- That said, it often appears due to network device configuration or routing problems. Separate attack from device-induced causes using the origin (Workstation Name, the clients/servers involved).
Notes for log review
- One-off or sporadic occurrences are likely network-induced. Repetition on a specific path or device suggests a configuration problem.
- If it concentrates on a particular account or service, prioritize the possibility of an attack and scrutinize it together with related Kerberos events (4768 / 4769).
Key fields
| Field | Meaning |
|---|---|
| Credentials Which Were Replayed\Account Name | The account of the replayed credentials |
| Workstation Name | The originating workstation name |
| Request Type / Authentication Package | The request type and authentication method |
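The triage heuristics from the log-review notes, applied to a handful of 4649 records, as an added example (not part of the original page): events are grouped by the Workstation Name and Account Name fields; a single origin that repeats is labelled as a probable device or routing problem, while one account replayed from several origins is flagged for attack-focused investigation alongside 4768 / 4769. The records, the threshold of 3 and the label strings are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample 4649 records (not real log data), using the field
# names from the Key fields table above.
SAMPLE_4649 = [
    {"Account Name": "svc-sql",    "Workstation Name": "WS-FIN-07"},
    {"Account Name": "svc-sql",    "Workstation Name": "WS-FIN-07"},
    {"Account Name": "svc-sql",    "Workstation Name": "WS-FIN-07"},
    {"Account Name": "svc-sql",    "Workstation Name": "WS-FIN-07"},
    {"Account Name": "jdoe",       "Workstation Name": "WS-HR-02"},
    {"Account Name": "svc-backup", "Workstation Name": "WS-OPS-01"},
    {"Account Name": "svc-backup", "Workstation Name": "WS-OPS-03"},
    {"Account Name": "svc-backup", "Workstation Name": "WS-OPS-01"},
    {"Account Name": "svc-backup", "Workstation Name": "WS-OPS-03"},
]

# Assumed labels, mirroring the three cases in the log-review notes.
SPORADIC = "sporadic: likely network-induced"
REPEATED_PATH = "repeated on one path: check device/routing configuration"
ACCOUNT_FOCUS = "concentrated on account: prioritize attack hypothesis, correlate with 4768/4769"


def triage_4649(events, repeat_threshold=3):
    """Label each origin workstation and each account according to the notes."""
    per_ws = Counter(e["Workstation Name"] for e in events)
    ws_of_acct = defaultdict(list)
    for e in events:
        ws_of_acct[e["Account Name"]].append(e["Workstation Name"])

    # Origin view: repetition on one path points at a device or routing fault.
    workstations = {ws: (REPEATED_PATH if n >= repeat_threshold else SPORADIC)
                    for ws, n in per_ws.items()}

    # Account view: a device fault does not normally follow one account
    # across several origins, so that pattern gets the attack-first label.
    accounts = {}
    for acct, ws_list in ws_of_acct.items():
        if len(set(ws_list)) > 1:
            accounts[acct] = ACCOUNT_FOCUS
        elif len(ws_list) >= repeat_threshold:
            accounts[acct] = REPEATED_PATH
        else:
            accounts[acct] = SPORADIC
    return {"workstations": workstations, "accounts": accounts}


if __name__ == "__main__":
    for view, labels in triage_4649(SAMPLE_4649).items():
        for name, label in sorted(labels.items()):
            print(f"{view:13s} {name:12s} {label}")
```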