A Kerberos authentication ticket (TGT) was requested
A Kerberos Ticket Granting Ticket (TGT) was requested from the Domain Controller KDC.
Event ID 4768 is logged on Domain Controllers during initial domain authentication when a user requests a TGT (`AS-REQ`). Failure entries (`Result Code: 0x6` username not found, `0x18` bad password, `0x12` account disabled/locked) reveal Kerberos brute-force or password spraying across the domain.
Failure Reason / Root Cause:
Initial user domain login, or Kerberos password spraying (`Result Code: 0x18`).
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.907Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A Kerberos authentication ticket (TGT) was requested -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1110.003 | Brute Force: Password Spraying | Credential Access |
T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Credential Access |
Recommended actions
- Monitor for high volumes of Event ID 4768 with `Result Code: 0x18` originating from single client IP addresses across many usernames.
- Track `Ticket Encryption Type` to ensure legacy RC4 (`0x17`) is being phased out in favor of AES-256 (`0x12`).