{
  "id": "4769",
  "source": "windows_security",
  "category": "Kerberos",
  "name": "A Kerberos service ticket was requested",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4769 records a Kerberos service-ticket request on a domain controller and is central to detecting anomalous service access and Kerberoasting patterns.",
  "trigger_scenarios": "The event is logged whenever a client requests a ticket for a service principal name. A normal user session may generate several requests as it accesses file servers, web applications, and other Kerberos-enabled services.",
  "key_fields": [
    {
      "field": "Account Name",
      "explanation": "The user or computer account requesting the service ticket. Assess whether the requester is expected to access the target service."
    },
    {
      "field": "Service Name",
      "explanation": "The SPN for the requested service. Requests for many distinct or high-value service accounts can reveal enumeration or ticket collection."
    },
    {
      "field": "Client Address",
      "explanation": "The client IP address observed by the domain controller. It helps identify the source device conducting unusual service-ticket activity."
    },
    {
      "field": "Ticket Encryption Type",
      "explanation": "The encryption type used for the service ticket. RC4 requests for service accounts can be relevant when investigating Kerberoasting exposure."
    }
  ],
  "false_positives": [
    "Application servers and middleware may request many service tickets during normal operation.",
    "Inventory, backup, and monitoring accounts often access broad sets of services.",
    "Legacy service accounts can legitimately use RC4 until the environment is remediated."
  ],
  "related_event_ids": [
    "4768",
    "4770",
    "4624"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1558.003",
      "technique_name": "Steal or Forge Kerberos Tickets: Kerberoasting"
    },
    {
      "technique_id": "T1021",
      "technique_name": "Remote Services"
    }
  ],
  "detection_notes": "T1558.003 Kerberoasting is indicated when Ticket Encryption Type is 0x17 (RC4-HMAC) for a service SPN in an AES-only domain. RC4 service tickets are cheaper to crack offline than AES tickets. Treat broad SPN collection as a hunting pattern rather than a Microsoft threshold: tune locally, for example Client Address requesting more than 20 distinct Service Name values in one hour, then validate the requester against known application, backup, and monitoring accounts.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4769\n| summarize ServiceCount = dcount(ServiceName), Requests = count() by IpAddress, TargetAccount, bin(TimeGenerated, 1h)\n| where ServiceCount > 20\n| order by ServiceCount desc",
  "spl_snippet": "index=wineventlog EventCode=4769\n| bucket _time span=1h\n| stats dc(Service_Name) as service_count count by _time, Client_Address, Account_Name\n| where service_count > 20",
  "sample_log": "Account Name: jsmith@CORP.EXAMPLE\nService Name: MSSQLSvc/sql01.corp.example:1433\nClient Address: 10.x.x.x\nTicket Encryption Type: 0x12\nFailure Code: 0x0",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769",
  "route": "/windows-events/4769/",
  "canonical_url": "https://soceventlookup.com/windows-events/4769/",
  "json_url": "/api/events/windows-security/4769.json"
}
