EventPeeker
Event ID 4769 | Audit Success | Security | T1558.003

Windows Event ID 4769: Kerberos Service Ticket Requested

Logged on the domain controller each time a client requests a Kerberos Service Ticket (TGS) to access a specific service. Every Kerberos-authenticated connection to a file share, SQL server, web app, or other domain resource generates a 4769. Volume is high in healthy environments — the security signal comes from the encryption type, the requesting account pattern, and the services being targeted.

MITRE ATT&CK

Technique: T1558.003 · Kerberoasting
Tactic: Credential Access


Why It Matters

4769 is the primary detection surface for two major credential attacks. Kerberoasting: an attacker with any domain account requests service tickets for accounts with SPNs, then cracks the RC4-encrypted ticket offline. Golden Ticket: a forged TGT (created using the krbtgt hash) is used to request service tickets — the giveaway is RC4 encryption or a non-existent Account Name in the 4769 event. Both attacks generate 4769 events that look nearly identical to legitimate traffic at the protocol level, making field-level analysis essential.

Key Fields

Account Name: The account requesting the ticket — check if it exists in AD; Golden Tickets can specify non-existent accounts
Service Name: The SPN of the service being accessed — bulk requests for many different SPNs from one account = Kerberoasting
Ticket Encryption Type: 0x17 (RC4-HMAC) is the cracking target; modern environments use AES (0x11, 0x12). RC4 for a service account = Kerberoasting; RC4 for a privileged account = possible Golden Ticket
Client Address: Source workstation — all bulk requests from a single IP in quick succession are high-confidence Kerberoasting
Ticket Options: Unusual flag combinations (e.g. 0x40810000) can indicate forged ticket requests
Failure Code: 0x0 = success; non-zero codes indicate errors that may reveal reconnaissance activity

Investigation Tips

  1. Kerberoasting pattern: single Account Name requesting TGS tickets for 5+ different SPNs within minutes, all with Ticket Encryption Type 0x17 (RC4).
  2. Golden Ticket pattern: Account Name does not exist in Active Directory, OR no preceding Event 4768 (TGT request) on the DC for the same account — Golden Tickets bypass TGT issuance.
  3. Filter for non-machine-account service names (SPNs without the $ suffix) — user and service accounts with SPNs are the Kerberoasting targets.
  4. Legitimate app servers (SharePoint, SQL, IIS) request TGS for many services — baseline normal patterns per server before alerting on volume.
  5. Check Ticket Encryption Type 0x17 on privileged accounts (Domain Admins, krbtgt) specifically — these should use AES256 in modern domains.
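
The Kerberoasting pattern from tips 1 and 3 can be expressed as a sliding-window check over parsed 4769 events. This is an added example, not EventPeeker's code: the dictionary keys, the 10-minute window (standing in for "within minutes"), the grouping by account plus client address, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
MIN_SPNS = 5                      # "5+ different SPNs" from tip 1
WINDOW = timedelta(minutes=10)    # assumed value for "within minutes"

def find_kerberoast_candidates(events, window=WINDOW, min_spns=MIN_SPNS):
    """Return {(account, client): sorted SPNs} for RC4 request bursts."""
    per_source = defaultdict(list)
    for ev in events:
        if ev["failure_code"] != "0x0":          # only tickets that were issued
            continue
        if ev["enc_type"].lower() != RC4_HMAC:   # AES tickets are not the cracking target
            continue
        if ev["service"].endswith("$"):          # tip 3: skip machine-account services
            continue
        ts = datetime.fromisoformat(ev["time"])
        per_source[(ev["account"], ev["client"])].append((ts, ev["service"]))

    hits = {}
    for key, reqs in per_source.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Advance the left edge until the span fits inside the window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) >= min_spns:
                hits[key] = sorted(set(hits.get(key, [])) | spns)
    return hits

def _ev(time, account, service, enc, client):
    return {"time": time, "account": account, "service": service,
            "enc_type": enc, "client": client, "failure_code": "0x0"}

# Constructed sample events (not real logs): one burst, three benign patterns.
SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T10:00:{i * 5:02d}", "jdoe", f"svc_app{i}", "0x17", "10.0.0.50")
     for i in range(6)]
    + [_ev("2024-01-01T10:01:00", "jdoe", "DC01$", "0x12", "10.0.0.50"),
       _ev("2024-01-01T10:02:00", "asmith", "svc_sql", "0x12", "10.0.0.61"),
       _ev("2024-01-01T09:00:00", "bwhite", "svc_web", "0x17", "10.0.0.70"),
       _ev("2024-01-01T13:00:00", "bwhite", "svc_sql", "0x17", "10.0.0.70")]
)

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_EVENTS))
```

Per tip 4, known application servers should be baselined and excluded by client address before alerting on the output.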

Related Event IDs

4768: Kerberos TGT request — absence of 4768 before a 4769 suggests a Golden Ticket
4770: Kerberos service ticket renewal — forged tickets may show abnormal renewal patterns
4771: Kerberos pre-auth failed — brute-force or password stuffing against Kerberos accounts
4672: Special privileges assigned — privileged sessions from forged tickets trigger 4672
4624: Successful logon — trace the session that used the forged or cracked ticket
