
4768 A Kerberos authentication ticket (TGT) was requested

Written when the KDC issues a Kerberos TGT (Ticket Granting Ticket). It is the starting point of domain authentication and a core event for detecting AS-REP roasting and account enumeration.

Overview

The subcategory is Audit Kerberos Authentication Service. The event is generated whenever the KDC (Key Distribution Center: the authentication service on a DC) issues a TGT, and it is recorded only on domain controllers. It includes the requesting account, source IP, ticket encryption type, and pre-authentication type. Note that on Windows Server 2016 and later, applying the January 14, 2025 or later cumulative update switches the event to an updated format.

How it is triggered

  • When a user/computer logs on to the domain and obtains a TGT.
  • A failure (F) appears for reasons other than pre-authentication (such as an unknown username). Pre-authentication failure is recorded by 4771.

Security review points

  • AS-REP roasting: a 4768 with a Pre-Authentication Type of 0 (no pre-auth) meets the condition for this attack, which targets accounts with pre-authentication disabled. The attacker obtains the encrypted part of the AS-REP and cracks the password offline. An encryption type of 0x17 (RC4) makes cracking easy.
  • Anomalous encryption type: in a modern environment where AES is the default, a TGT with Ticket Encryption Type of 0x17 (RC4) is suspicious. Suspect a downgrade or abuse of an old implementation.
  • Account enumeration: a burst of failed 4768 events for nonexistent usernames in a short time suggests username brute force (enumeration). Aggregate by source IP.

Notes for log review

  • DCs produce these in volume from legitimate logons. The event is useful for attack detection only once narrowed by conditions like Pre-Authentication Type = 0 or RC4 (0x17).
  • Use source IP, target account, encryption type, and pre-auth type as correlation axes. Combine with service tickets 4769 and pre-auth failures 4771.
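
The review points and narrowing conditions above, written as triage logic over exported 4768 records. This is an added example, not part of the original page: the record layout (one dict per event keyed by the EventData names TargetUserName, IpAddress, Status, TicketEncryptionType and PreAuthType, plus a hypothetical `time` key), the rule names, the thresholds and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = 0x17  # Ticket Encryption Type flagged above; 0x12 is AES256
# Keys follow the 4768 EventData names (Status = Result Code, IpAddress =
# Client Address); "time" is a hypothetical key for the event timestamp.
FIELDS = ("time", "TargetUserName", "IpAddress", "Status",
          "TicketEncryptionType", "PreAuthType")
# Constructed sample rows, not real logs. 0x6 is the Kerberos "client unknown"
# error; the failure rows carry placeholder ticket fields.
ROWS = [
    ("2025-03-01T09:00:00", "alice", "192.0.2.10", "0x0", "0x12", "2"),
    ("2025-03-01T09:00:30", "svc_legacy", "192.0.2.30", "0x0", "0x17", "0"),
    ("2025-03-01T09:00:45", "bob", "192.0.2.11", "0x0", "0x17", "2"),
    ("2025-03-01T09:01:00", "admin1", "192.0.2.66", "0x6", "0xFFFFFFFF", "-"),
    ("2025-03-01T09:01:02", "admin2", "192.0.2.66", "0x6", "0xFFFFFFFF", "-"),
    ("2025-03-01T09:01:04", "admin3", "192.0.2.66", "0x6", "0xFFFFFFFF", "-"),
    ("2025-03-01T09:02:00", "alcie", "192.0.2.10", "0x6", "0xFFFFFFFF", "-"),
]
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]

def _num(value, base):
    """Parse a numeric field; return None for '-' or missing values."""
    try:
        return int(value, base)
    except (TypeError, ValueError):
        return None

def triage(events, enum_users=3, window=timedelta(minutes=5)):
    """Return (rule, detail, source_ip) findings for a batch of 4768 records."""
    findings, failures = [], defaultdict(list)  # failures: ip -> [(time, user)]
    for e in events:
        user, ip = e["TargetUserName"], e["IpAddress"]
        if _num(e["Status"], 16) != 0:  # failed request: keep for enumeration check
            failures[ip].append((datetime.fromisoformat(e["time"]), user))
            continue
        etype = _num(e["TicketEncryptionType"], 16)
        if _num(e["PreAuthType"], 10) == 0:  # TGT issued without pre-auth
            findings.append(("no_preauth_rc4" if etype == RC4 else "no_preauth", user, ip))
        elif etype == RC4:  # pre-auth was done, but the ticket is RC4
            findings.append(("rc4_tgt", user, ip))
    for ip, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # distinct usernames failing from this IP within the window
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= enum_users:
                findings.append(("enumeration", len(users), ip))
                break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The single mistyped logon from 192.0.2.10 produces no finding, which is the point of counting distinct usernames per source IP rather than raw failures.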

Key fields

Field                          Meaning
Account Name / Account Domain  The account that requested the TGT
Client Address                 The requesting IP
Ticket Encryption Type         The encryption type; 0x17 (RC4) is notable, 0x12 is AES256
Pre-Authentication Type        0 means no pre-auth, the condition for AS-REP roasting
Result Code                    The success/failure reason code

Glossary

  • TGT (Ticket Granting Ticket) — the “ticket for getting tickets” obtained first at logon. It is used to request service tickets 4769.
  • AS-REP roasting — an attack that obtains the response of a pre-auth-disabled account and cracks the password offline.
