A Kerberos service ticket was requested
A Kerberos service ticket (TGS) was requested from the Domain Controller Key Distribution Center (KDC).
Event ID 4769 is logged on Domain Controllers whenever an authenticated user account requests a Kerberos Ticket Granting Service (TGS) ticket to access a domain resource (such as a file share, SQL database, or HTTP service). While this occurs thousands of times during normal network operations, an abnormal burst of 4769 requests requesting tickets for many SPNs with RC4 encryption (`Ticket Encryption Type: 0x17`) is the primary signature of a **Kerberoasting** attack.
Failure Reason / Root Cause:
Normal domain resource authentication, or Kerberoasting attacks targeting Service Principal Names (SPNs) for offline password cracking.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.908Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A Kerberos service ticket was requested -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
Recommended actions
- Monitor for high-frequency Event ID 4769 requests generated by a single user account across dozens of unique Service Principal Names within minutes.
- Alert on Kerberos requests specifying `Ticket Encryption Type: 0x17` (RC4-HMAC) when AES (`0x12` or `0x13`) is the domain standard.
- Audit user accounts with SPNs to ensure they use strong, complex passwords greater than 25 characters.