Kerberos Authentication Events (4768/4769/4771)
Location
C:\Windows\System32\winevt\Logs\Security.evtx (Domain Controllers)
Description
Kerberos protocol events from domain controller Security logs: Event 4768 (TGT requested), Event 4769 (service ticket requested), Event 4771 (Kerberos pre-authentication failed), and Event 4770 (TGT renewed).
Forensic Value
Kerberos events are essential for detecting identity-based attacks in Active Directory environments. Event 4769 with ticket encryption type 0x17 (RC4-HMAC) requested for service accounts (user accounts with an SPN, rather than computer accounts) is the classic indicator of Kerberoasting, where an attacker harvests service tickets that can be cracked offline. Event 4768 with unusual encryption types or from unexpected source IPs can reveal Golden Ticket usage. Event 4771 failure codes, in particular many pre-authentication failures from one source against many different accounts, identify password spray campaigns targeting domain accounts. These events are only logged on domain controllers, so each DC in the domain must be collected.
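As an added example that is not part of this page, the three detections described above (RC4 service-ticket bursts, pre-authentication failure bursts from one source, and TGT requests that are off-baseline) are run over constructed records in Python. The record keys user, service, etype, ip and status mirror the TargetUserName, ServiceName, TicketEncryptionType, IpAddress and Status EventData fields of events 4768/4769/4771; the sample events, the thresholds and the expected 10.0.0.0/8 client range are assumptions, not data captured from a real domain controller.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured from a real DC). Keys mirror the
# Security-log EventData fields: TargetUserName -> user, ServiceName -> service,
# TicketEncryptionType -> etype, IpAddress -> ip, Status -> status.
# etype 0x17 is RC4-HMAC, 0x12 is AES256; 4771 carries no etype field.
SAMPLE_EVENTS = [
    # Baseline activity from an expected client subnet
    {"ts": "2024-05-01T08:58:00", "id": 4768, "user": "mlee", "service": "krbtgt", "etype": "0x12", "ip": "10.0.5.40", "status": "0x0"},
    {"ts": "2024-05-01T08:58:05", "id": 4769, "user": "mlee@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.5.40", "status": "0x0"},
    {"ts": "2024-05-01T08:59:00", "id": 4771, "user": "jdoe", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.5.23", "status": "0x18"},
    # Kerberoasting pattern: one principal pulls RC4 tickets for several SPNs within seconds
    {"ts": "2024-05-01T09:00:01", "id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.5.23", "status": "0x0"},
    {"ts": "2024-05-01T09:00:02", "id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_http", "etype": "0x17", "ip": "10.0.5.23", "status": "0x0"},
    {"ts": "2024-05-01T09:00:02", "id": 4769, "user": "jdoe@CORP.LOCAL", "service": "FILESRV01$", "etype": "0x17", "ip": "10.0.5.23", "status": "0x0"},
    {"ts": "2024-05-01T09:00:03", "id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.5.23", "status": "0x0"},
    {"ts": "2024-05-01T09:00:04", "id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.5.23", "status": "0x0"},
    # Password spray pattern: one source fails pre-auth (0x18, bad password) against many accounts
    {"ts": "2024-05-01T09:10:00", "id": 4771, "user": "alice", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.9.77", "status": "0x18"},
    {"ts": "2024-05-01T09:10:15", "id": 4771, "user": "bob", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.9.77", "status": "0x18"},
    {"ts": "2024-05-01T09:10:30", "id": 4771, "user": "carol", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.9.77", "status": "0x18"},
    {"ts": "2024-05-01T09:10:45", "id": 4771, "user": "dave", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.9.77", "status": "0x18"},
    {"ts": "2024-05-01T09:11:00", "id": 4771, "user": "erin", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.9.77", "status": "0x18"},
    {"ts": "2024-05-01T09:11:05", "id": 4771, "user": "frank", "service": "krbtgt/CORP.LOCAL", "etype": "", "ip": "10.0.9.77", "status": "0x12"},
    # TGT request from outside the expected client range, using RC4 where AES is the norm
    {"ts": "2024-05-01T09:20:00", "id": 4768, "user": "Administrator", "service": "krbtgt", "etype": "0x17", "ip": "192.168.77.5", "status": "0x0"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _bursts(events, key_fn, value_fn, window, minimum):
    """Return {key: sorted values} for every key that accumulates at least
    `minimum` distinct values inside some sliding window of length `window`."""
    buckets = defaultdict(list)
    for e in events:
        buckets[key_fn(e)].append((_ts(e), value_fn(e)))
    hits = defaultdict(set)
    for key, items in buckets.items():
        items.sort()
        start, in_window = 0, defaultdict(int)  # value -> count inside the window
        for t, v in items:
            in_window[v] += 1
            while t - items[start][0] > window:  # slide the left edge forward
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= minimum:
                hits[key].update(in_window)
    return {k: sorted(v) for k, v in hits.items()}


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=3):
    """4769 with RC4 (0x17) for non-computer, non-krbtgt SPNs: flag requesters
    that touch many distinct services in a short window. Thresholds are assumed."""
    rc4 = [e for e in events if e["id"] == 4769 and e["etype"] == "0x17"
           and not e["service"].endswith("$") and e["service"].lower() != "krbtgt"]
    return _bursts(rc4, lambda e: e["user"], lambda e: e["service"], window, min_services)


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """4771 with Status 0x18 (KDC_ERR_PREAUTH_FAILED): flag sources that fail
    against many distinct accounts in a short window. Thresholds are assumed."""
    failed = [e for e in events if e["id"] == 4771 and e["status"] == "0x18"]
    return _bursts(failed, lambda e: e["ip"], lambda e: e["user"], window, min_accounts)


def detect_unexpected_tgt_sources(events, expected_ip_prefixes=("10.",), expected_etypes=("0x11", "0x12")):
    """4768 from outside the expected client ranges or with a non-AES etype.
    The expected ranges and etypes are assumptions for this sample domain."""
    findings = []
    for e in events:
        if e["id"] != 4768:
            continue
        reasons = []
        if e["etype"] not in expected_etypes:
            reasons.append("etype")
        if not e["ip"].startswith(expected_ip_prefixes):
            reasons.append("source_ip")
        if reasons:
            findings.append({"user": e["user"], "ip": e["ip"], "etype": e["etype"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("Kerberoasting candidates:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Password spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("Off-baseline TGT requests:", detect_unexpected_tgt_sources(SAMPLE_EVENTS))
```

The computer-account filter (names ending in `$`) matters in practice: hosts legitimately request RC4 tickets for each other in mixed environments, and without it the Kerberoasting rule fires constantly. The single 4771 for jdoe from 10.0.5.23 is deliberately left unflagged to show that the spray rule keys on account breadth per source, not on individual failures.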
Tools Required
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Security.evtx" --csv C:\output --csvf Security_Kerberos.csv
PowerShell
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4768,4769,4771} | Export-Csv C:\output\kerberos_events.csv
DeepBlueCLI
powershell .\DeepBlue.ps1 "C:\Windows\System32\winevt\Logs\Security.evtx"
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Incident Responder Credentials Compromised
The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.
Fileless Malware With Minimal On-Disk Footprint
The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.
Attacker Living Off the Land with Native Binaries
The attacker relies on legitimate system binaries (PowerShell, certutil, bitsadmin, regsvr32, rundll32, mshta, wmic) for execution and lateral movement. File-reputation and signature-based detection fails because the binaries are legitimate; detection must shift to behavioral anomaly, parent-child process analysis, and command-line context.