A replay attack was detected
Kerberos or NTLM authentication detected a replayed authenticator or ticket.
Event ID 4649 triggers when the Local Security Authority detects an authenticator timestamp or Kerberos ticket that has already been submitted within the replay cache window. This alerts directly to network replay attacks, Pass-the-Ticket, or man-in-the-middle credential injection.
Failure Reason / Root Cause:
Duplicate Kerberos ticket/authenticator detected by domain controller replay cache.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4649</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.868Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A replay attack was detected -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Lateral Movement |
Recommended actions
- Immediately isolate the source IP address and target user account.
- Investigate potential Pass-the-Ticket (`T1550.003`) or adversary interception across the local network segment.