SOC Event Lookup
Event ID 4768KerberosP1

Windows Event ID 4768: A Kerberos authentication ticket (TGT) was requested

Event ID 4768 records a Kerberos ticket-granting ticket (TGT) request handled by a domain controller. Its Pre-Authentication Type is the primary log-based signal for AS-REP Roasting.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-11

Trigger Scenarios

A domain controller logs the event on every TGT request, whether it succeeds, fails pre-authentication, or is rejected for policy reasons such as an unknown principal or disabled account.

Key Fields

Pre-Authentication Type

A value of 0 means the KDC issued a TGT without encrypted-timestamp pre-authentication. This occurs only when the account has the 'Do not require Kerberos preauthentication' flag and is the exact condition AS-REP Roasting uses.

Ticket Encryption Type

0x11 and 0x12 are AES128 and AES256; 0x17 is RC4-HMAC; 0x1 and 0x3 are legacy DES. RC4 is cheaper to crack offline, while DES should not appear in a hardened domain.

Account Name

The principal requesting the TGT. Compare privileged, service, and dormant accounts with the reviewed preauthentication-exception list.

Failure Code

0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) against many accounts from one source indicates username enumeration or a password-spray precursor.

Common False Positives

  • A small, documented set of legacy service accounts can have preauthentication disabled for compatibility.
  • Normal workstation logons and service restarts generate high volumes of fully pre-authenticated 4768 events.
  • VPN reconnects and expired cached tickets can create expected bursts.

Related Events

MITRE ATT&CK Mapping

  • T1558.004Steal or Forge Kerberos Tickets: AS-REP Roasting
  • T1110.003Brute Force: Password Spraying

Detection Notes

Pre-Authentication Type = 0 for an account outside the reviewed exception list makes T1558.004 AS-REP Roasting possible: an attacker can request a TGT without a password and crack its encrypted portion offline. Alert on every non-exempt occurrence. In an AES-only domain, 0x17 (RC4) or DES is independently suspicious because it weakens offline cracking resistance. A burst of Failure Code 0x6 against distinct account names from one source is a T1110.003 password-spraying or enumeration precursor; correlate it with 4625 and 4771.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4768
| where PreAuthType == "0"
| project TimeGenerated, Computer, TargetAccount, IpAddress, TicketEncryptionType, PreAuthType
Splunk SPL
index=wineventlog EventCode=4768 Pre_Authentication_Type=0
| table _time, host, Account_Name, Client_Address, Ticket_Encryption_Type
Sample Log
Account Name: [email protected]
Client Address: 10.x.x.x
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Failure Code: 0x0

Source