Windows Event ID 4769: A Kerberos service ticket was requested
Windows Security Event ID 4769 records a Kerberos service-ticket request on a domain controller and is central to detecting anomalous service access and Kerberoasting patterns.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is logged whenever a client requests a ticket for a service principal name. A normal user session may generate several requests as it accesses file servers, web applications, and other Kerberos-enabled services.
Key Fields
Account Name
The user or computer account requesting the service ticket. Assess whether the requester is expected to access the target service.
Service Name
The SPN for the requested service. Requests for many distinct or high-value service accounts can reveal enumeration or ticket collection.
Client Address
The client IP address observed by the domain controller. It helps identify the source device conducting unusual service-ticket activity.
Ticket Encryption Type
The encryption type used for the service ticket. RC4 requests for service accounts can be relevant when investigating Kerberoasting exposure.
Common False Positives
- Application servers and middleware may request many service tickets during normal operation.
- Inventory, backup, and monitoring accounts often access broad sets of services.
- Legacy service accounts can legitimately use RC4 until the environment is remediated.
Related Events
MITRE ATT&CK Mapping
- T1558.003Steal or Forge Kerberos Tickets: Kerberoasting
- T1021Remote Services
Detection Notes
T1558.003 Kerberoasting is indicated when Ticket Encryption Type is 0x17 (RC4-HMAC) for a service SPN in an AES-only domain. RC4 service tickets are cheaper to crack offline than AES tickets. Treat broad SPN collection as a hunting pattern rather than a Microsoft threshold: tune locally, for example Client Address requesting more than 20 distinct Service Name values in one hour, then validate the requester against known application, backup, and monitoring accounts.
SecurityEvent
| where EventID == 4769
| summarize ServiceCount = dcount(ServiceName), Requests = count() by IpAddress, TargetAccount, bin(TimeGenerated, 1h)
| where ServiceCount > 20
| order by ServiceCount descindex=wineventlog EventCode=4769
| bucket _time span=1h
| stats dc(Service_Name) as service_count count by _time, Client_Address, Account_Name
| where service_count > 20Account Name: jsmith@CORP.EXAMPLE
Service Name: MSSQLSvc/sql01.corp.example:1433
Client Address: 10.x.x.x
Ticket Encryption Type: 0x12
Failure Code: 0x0