Event ID: 4649

A replay attack was detected

A replay attack was detected.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Credentials Which Were Replayed:
    Account Name:       %5
    Account Domain:     %6

Process Information:
    Process ID:         %12
    Process Name:       %13

Network Information:
    Workstation Name:   %10

Detailed Authentication Information:
    Request Type:       %7
    Logon Process:      %8
    Authentication Package: %9
    Transited Services: %11

This event indicates that a Kerberos replay attack was detected: a request was received twice with identical information. This condition could also be caused by network misconfiguration.

This event generates on domain controllers when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client. Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match a recently seen entry in the cache, the domain controller returns KRB_AP_ERR_REPEAT. This can be a sign of a Kerberos replay attack or, among other things, of network device configuration or routing problems causing the same packets to be sent repeatedly. In all cases it is recommended to trigger an alert and investigate the reason the event was generated.

Auditing:     Always

Volume:     Low

ISO 27001:2013 A.12.4.3
PCI 3.2.1: 10.2.4
HIPAA: 164.308 (a)(5)(ii)(C)

Microsoft Documentation

Event ID - 4649

Name                     Field                      Insertion String   OS    Example
Security ID              SubjectUserSid             %1                 Any
Account Name             SubjectUserName            %2                 Any
Account Domain           SubjectDomainName          %3                 Any
Logon ID                 SubjectLogonId             %4                 Any
Account Name             TargetUserName             %5                 Any   DESKTOP17$
Account Domain           TargetDomainName           %6                 Any   thedomain.local
Request Type             RequestType                %7                 Any   KRB_AP_REQ
Logon Process            LogonProcessName           %8                 Any   Kerberos
Authentication Package   AuthenticationPackageName  %9                 Any   Kerberos
Workstation Name         WorkstationName            %10                Any   -
Transited Services       TransmittedServices        %11                Any   -
Process ID               ProcessId                  %12                Any   0xc619efd618
Process Name             ProcessName                %13                Any   C:\Windows\System32\dns.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Logon/Logoff Events"
