Event ID: 4649
A replay attack was detected

A replay attack was detected.

Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4

Credentials Which Were Replayed:
    Account Name: %5
    Account Domain: %6

Process Information:
    Process ID: %12
    Process Name: %13

Network Information:
    Workstation Name: %10

Detailed Authentication Information:
    Request Type: %7
    Logon Process: %8
    Authentication Package: %9
    Transited Services: %11

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

Microsoft Documentation
This event is generated on domain controllers when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client. It can be a sign of a Kerberos replay attack or, among other things, of network device configuration or routing problems. In both cases it is recommended to trigger an alert and investigate the reason the event was generated.

Operating Systems:
Windows 2008 R2, Windows 2012 R2, Windows 2016, Windows 2008, Windows 2012, Windows 2019

Tags:
Domain Controller