EventPeeker
Event ID 4770 · Audit Success · Security · T1558.001

Windows Event ID 4770: Kerberos Service Ticket Renewed

Fires on the domain controller when a Kerberos service ticket (TGS) is renewed. Kerberos tickets have a maximum lifetime (typically 10 hours) and a renewal window (typically 7 days) — within the renewal window, a client can extend a ticket without returning to the KDC for a new one. Renewal events are routine in active long-running sessions; their security value lies in the ticket properties, particularly encryption type and whether the renewing account matches expected session context.

MITRE ATT&CK

Technique

T1558.001 · Golden Ticket

Tactic

Credential Access


Why It Matters

Golden Tickets can be renewed indefinitely because they are signed with the krbtgt hash, not issued by a live KDC that enforces ticket policy. A legitimate TGS expires and is re-requested (4769); a forged Golden Ticket is simply renewed (4770) without a corresponding new 4768 TGT issuance. A 4770 renewal for a privileged account using RC4 encryption, or a renewal chain with no anchoring 4768 in the same session, is a supplemental Golden Ticket indicator. 4770 completes the Kerberos cluster alongside 4768 (TGT), 4769 (TGS), and 4771 (pre-auth failed).

Key Fields

Account Name: The account whose service ticket is being renewed — mismatch with the expected user session context is suspicious
Service Name: The service the renewed ticket grants access to — unexpected service names (krbtgt itself, LDAP on a DC) for a regular user account warrant investigation
Ticket Encryption Type: Expected: 0x12 (AES256) or 0x11 (AES128). Suspicious: 0x17 (RC4-HMAC) for modern accounts or privileged identities — RC4 on a renewal indicates a downgrade or forged ticket
Ticket Options: Renewal flag 0x40800000 indicates a renewable ticket being exercised; review alongside the ticket lifetime to assess whether renewal frequency is anomalous

Investigation Tips

  1. RC4 encryption (0x17) in a 4770 renewal for a domain admin or privileged account in a modern environment — Kerberos should be AES256. RC4 renewals for privileged accounts are a Golden Ticket or overpass-the-hash indicator.
  2. 4770 renewal with no corresponding 4768 TGT issuance in the same logon session — a forged Golden Ticket does not need a real TGT from the KDC, so the renewal appears without the original issuance. Correlate on Account Name and Client IP across 4768 and 4770.
  3. Renewal of a ticket for a non-existent or deleted account — Golden Tickets can be created for any account name, including accounts that no longer exist in AD. Query AD for the Account Name in the 4770; if the account is absent, it is a strong forgery indicator.
  4. High-frequency renewals from a single client IP — attackers maintaining persistent access via a forged ticket will renew it repeatedly; a spike in 4770 events for one account from one IP is anomalous.
  5. Service Name = krbtgt in a 4770 — the krbtgt account should never appear as a service in a renewal; this indicates misuse of the ticket-granting ticket infrastructure.

Related Event IDs

4768: Kerberos TGT request — anchors the session; absence before a 4770 suggests a forged ticket
4769: Kerberos service ticket request — initial TGS issuance; 4770 renews what 4769 created
4771: Kerberos pre-authentication failed — failed attempts preceding a 4770 from the same IP indicate credential probing before renewal
4624: Successful logon — correlate Logon ID with ticket renewals to establish session context

Frequently Asked Questions

What does Event ID 4770 mean and when does it fire?
Event 4770 fires on the domain controller when a Kerberos service ticket (TGS) is renewed. Kerberos tickets expire after a set lifetime (default 10 hours in most domains). Rather than requesting a new ticket each time, clients can renew the existing ticket within the renewal window (default 7 days) without re-authenticating. This is a normal operation for long-running sessions — a user who stays logged into a file share or application across multiple hours will generate 4770 events as their tickets renew. The event is expected and low-priority unless the ticket properties (encryption type, account name, service name) are anomalous.
How does Event ID 4770 help detect Golden Ticket attacks?
Golden Tickets are forged Kerberos TGTs signed with the krbtgt password hash. Because the attacker controls the ticket, they can set the lifetime to anything — attackers typically use 10 years. Legitimate tickets expire and require fresh issuance (new 4768 + 4769 sequence). Golden Tickets are simply renewed (4770) without a new TGT being issued (no 4768). Detection: look for 4770 renewal events for a privileged account where no 4768 TGT issuance exists in the same logon session. Also look for renewals with RC4 encryption (0x17) for accounts that should be using AES256 — attackers often forge RC4 tickets because they are simpler to construct.
What is the difference between Event ID 4769 and Event ID 4770?
Event 4769 fires when a client requests a new Kerberos service ticket (TGS) for the first time to access a specific service. Event 4770 fires when a client renews an existing service ticket that is about to expire. Think of 4769 as 'I need a ticket to access this service' and 4770 as 'I need to extend the ticket I already have.' In a normal session, you see one 4769 and potentially multiple 4770s over time. In a Golden Ticket attack, you may see 4770s with no corresponding 4769 (the ticket was forged, not legitimately issued) or renewals that continue far beyond normal session lengths.
Is Event ID 4770 with RC4 encryption always malicious?
Not always, but it is a strong indicator in modern environments. Legacy systems (pre-Windows 2008 servers, some third-party Kerberos clients) may still use RC4. If your environment has no legacy systems and you see 4770 with Ticket Encryption Type 0x17 (RC4-HMAC) for a modern domain account — especially a privileged account — treat it as suspicious and investigate. RC4 is specifically used in some Golden Ticket forgeries and overpass-the-hash attacks because it is simpler to implement with a raw NTLM hash. Enforce AES-only Kerberos via domain policy to eliminate RC4 as a legitimate baseline and make 4770 RC4 detections unambiguous.
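The five investigation tips above and the Golden Ticket detection described in the FAQ reduce to a small correlation over 4768/4770 EventData fields. The following is an added example (not EventPeeker's code) that encodes those checks in Python over constructed sample events; the privileged-account list, the AD account snapshot and the spike threshold are assumptions you would replace with your own data.

```python
from collections import defaultdict

# Constructed sample events (not real logs): the EventData fields of 4768/4770
# that the tips correlate on, keyed by their Windows field names.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": 0x12, "ServiceName": "krbtgt"},
    {"EventID": 4770, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": 0x12, "ServiceName": "cifs/fs01"},
    {"EventID": 4770, "TargetUserName": "ghost", "IpAddress": "10.0.0.99",
     "TicketEncryptionType": 0x12, "ServiceName": "krbtgt"},
] + [{"EventID": 4770, "TargetUserName": "da-admin", "IpAddress": "10.0.0.99",
      "TicketEncryptionType": 0x17, "ServiceName": "ldap/dc01"}] * 3

PRIVILEGED = {"da-admin"}            # assumed: your Tier-0 / Domain Admins list
AD_ACCOUNTS = {"alice", "da-admin"}  # assumed: snapshot of accounts existing in AD
RC4_HMAC = 0x17
SPIKE_THRESHOLD = 3                  # assumed: renewals per account+IP in the window


def triage_4770(events, privileged=PRIVILEGED, ad_accounts=AD_ACCOUNTS,
                spike=SPIKE_THRESHOLD):
    """Apply the five 4770 checks; returns {(account, ip): set of rule names}."""
    # Tip 2: a 4768 TGT issuance for the same account + client IP anchors the session
    anchored = {(e["TargetUserName"], e["IpAddress"])
                for e in events if e["EventID"] == 4768}
    renewals = defaultdict(int)
    findings = defaultdict(set)
    for e in events:
        if e["EventID"] != 4770:
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        renewals[key] += 1
        if e["TicketEncryptionType"] == RC4_HMAC and key[0] in privileged:
            findings[key].add("rc4_privileged")      # Tip 1
        if key not in anchored:
            findings[key].add("no_4768_anchor")      # Tip 2
        if key[0] not in ad_accounts:
            findings[key].add("unknown_account")     # Tip 3
        if renewals[key] >= spike:
            findings[key].add("renewal_spike")       # Tip 4
        if e["ServiceName"].split("/")[0].lower() == "krbtgt":
            findings[key].add("krbtgt_service")      # Tip 5
    return dict(findings)


if __name__ == "__main__":
    for (account, ip), rules in triage_4770(EVENTS).items():
        print(f"{account}@{ip}: {', '.join(sorted(rules))}")
```

Feed it the 4768/4770 records from one logon window (for example exported with Get-WinEvent) and every account/IP pair that triggers any rule is returned; alice's anchored AES renewal produces no finding.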
