4649

A replay attack was detected

Kerberos or NTLM authentication detected a replayed authenticator or ticket.

Event ID 4649 triggers when the Local Security Authority detects an authenticator timestamp or Kerberos ticket that has already been submitted within the replay cache window. This alerts directly to network replay attacks, Pass-the-Ticket, or man-in-the-middle credential injection.

Failure Reason / Root Cause:

Duplicate Kerberos ticket/authenticator detected by domain controller replay cache.

CategoryLogon/Logoff
Audit typeSuccess Audit
SeverityCritical
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywords4649, replay attack, kerberos replay, pass the ticket, authenticator duplicate
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4649</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.868Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to A replay attack was detected -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1550.003Use Alternate Authentication Material: Pass the TicketLateral Movement

Recommended actions

Related events