4769 A Kerberos service ticket was requested

Written when the KDC issues a Kerberos service ticket (TGS). It is the most important Kerberos monitoring event, usable to detect Kerberoasting (cracking service-account passwords).

Overview

The subcategory is Audit Kerberos Service Ticket Operations. The event is generated whenever the KDC receives a service ticket (TGS) request for a specific service (SPN: Service Principal Name) and issues the ticket. It includes the requesting account, target service name, encryption type, and source IP. Note that on Windows Server 2016 and later, installing the cumulative update of January 14, 2025 or later switches the event to an updated format.

How it is triggered

  • When a user uses a TGT (4768) to request the service ticket needed to access a particular service.
  • It occurs constantly during legitimate resource access (file shares, SQL, HTTP, and so on).

Security review points

  • Kerberoasting: an attacker requests many tickets for SPN-bearing service accounts and cracks the encrypted part offline to recover the password. A service-ticket request with Ticket Encryption Type of 0x17 (RC4) is a red flag in a modern AES-default environment; attackers often deliberately request the more crackable RC4.
  • Note patterns such as one account requesting tickets for many different SPNs in a short time, or requests for the SPN of krbtgt or high-value service accounts.
  • Also check the Failure Code (such as 0x1b). Correlate with the TGT 4768 to track the requesting user’s full activity.

Notes for log review

  • It is a normal event produced in huge volume on DCs and service servers. It becomes useful for Kerberoasting detection only when narrowed to RC4 (0x17) and correlated on “one user requesting many SPNs in a short time.”
  • Standardizing the environment to AES-only makes RC4 requests themselves stand out as anomalies, improving detection precision.
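
An added example (not part of the original page and not Microsoft tooling): Python that applies the two narrowing steps above, RC4 (0x17) and one account requesting many SPNs in a short time, to already-parsed 4769 records. The dict keys, the 5-minute window, the threshold of 3 SPNs, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4 = 0x17  # Ticket Encryption Type the page treats as the red flag

def find_rc4_spn_bursts(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted SPNs} for accounts that requested RC4 tickets
    for at least min_spns distinct services inside one sliding window."""
    recent = defaultdict(deque)   # account -> (time, service) pairs still in window
    flagged = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        # Narrowing step 1: only 4769 events with RC4 encryption.
        if ev["event_id"] != 4769 or int(ev["enc_type"], 16) != RC4:
            continue
        q = recent[ev["account"]]
        q.append((ev["time"], ev["service"]))
        while ev["time"] - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        # Narrowing step 2: many different SPNs from one account in a short time.
        spns = {service for _, service in q}
        if len(spns) >= min_spns:
            flagged[ev["account"]] |= spns
    return {account: sorted(s) for account, s in flagged.items()}

def _ev(ts, account, service, enc_type):
    # Hypothetical flat record; a real pipeline would map the event's fields here.
    return {"event_id": 4769, "time": datetime.fromisoformat(ts),
            "account": account, "service": service, "enc_type": enc_type}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("2025-03-01T09:00:00", "alice@CORP.EXAMPLE", "fileserver01$", "0x12"),
    _ev("2025-03-01T09:00:05", "alice@CORP.EXAMPLE", "svc_web", "0x12"),
    _ev("2025-03-01T09:00:09", "alice@CORP.EXAMPLE", "svc_sql", "0x12"),   # AES only
    _ev("2025-03-01T10:00:00", "bob@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2025-03-01T10:00:20", "bob@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2025-03-01T10:01:10", "bob@CORP.EXAMPLE", "svc_backup", "0x17"),  # RC4 burst
    _ev("2025-03-01T11:00:00", "carol@CORP.EXAMPLE", "svc_legacy", "0x17"),
    _ev("2025-03-01T14:00:00", "carol@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2025-03-01T18:00:00", "carol@CORP.EXAMPLE", "svc_web", "0x17"),   # RC4, hours apart
]

if __name__ == "__main__":
    print(find_rc4_spn_bursts(SAMPLE_EVENTS))
```

Only the account with an RC4 burst is returned; the AES-only account and the account whose RC4 requests are spread over hours are not, which is the volume reduction the notes above describe.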

Key fields

| Field | Meaning |
|---|---|
| Account Name | The account that requested the service ticket |
| Service Name / Service ID | The target service (SPN) |
| Ticket Encryption Type | 0x17 (RC4) is a Kerberoasting red flag; 0x12 is AES256 |
| Client Address | The requesting IP |
| Failure Code | The failure reason |

Glossary

  • Kerberoasting — an attack that obtains tickets for SPN-bearing service accounts and cracks the password offline. Service accounts with weak passwords are the target.
  • SPN (Service Principal Name) — a name that uniquely identifies a service; it is the destination of a ticket request.

References