🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page

Was this helpful?

  1. Windows Artifacts
  2. Event IDs
  3. Authentication / Account

4771 - Kerberos Failure

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

Event ID 4771 is a critical event in Windows security auditing, indicating a Kerberos pre-authentication failure. This event is logged on the domain controller that receives the pre-authentication request and plays a vital role in monitoring and diagnosing issues related to Kerberos authentication processes. Understanding the details and substatus codes of Event ID 4771 is crucial for identifying authentication issues, potential attack vectors, and maintaining secure access controls.

Key Details of Event ID 4771

  • Log Location: Security log on domain controllers.

  • Category: Audit Kerberos Authentication Service

  • Level: Failure Audit.

When It Is Logged

Event ID 4771 is logged when a Kerberos pre-authentication request fails. This can occur in various scenarios, such as:

  • Incorrect user password entries.

  • Attacks attempting to guess passwords.

  • Configuration or communication issues between the client and the domain controller.

Information Contained in the Log

An Event ID 4771 log contains several pieces of information crucial for diagnosing authentication issues:

  • Client Address: Shows the IP address of the client from which the logon attempt was made.

  • Client Port: Indicates the port number used by the client machine for the connection.

  • Pre-authentication Type: Specifies the type of pre-authentication used, often indicating the use of passwords (type 2).

  • Failure Code: A key element that specifies why the pre-authentication failed.

  • User Name: The name of the user for whom the logon attempt was made.

  • Service Name: The name of the service that was requested, typically the Kerberos Ticket Granting Service (TGS).

  • Ticket Options: Specifies various flags related to the ticket that was requested.

Common Failure Codes and Their Meanings

Understanding the failure codes provided in Event ID 4771 logs is essential for diagnosing and addressing authentication issues:

  • 0x18: Pre-authentication information was invalid. This often indicates an incorrect password was entered.

  • 0x12: Account restrictions are preventing this user from signing in. For example: not allowed to log in from this computer, logon hours restrictions, or account disabled.

  • 0x25: The user has to reset their password.

  • 0x1F: An unspecified error has occurred.

Importance for Security

Event ID 4771 is instrumental in security monitoring for several reasons:

  • Detecting Brute-Force Attacks: Multiple 4771 events with failure code 0x18 from the same client address may indicate a brute-force password guessing attack.

  • Identifying Configuration Issues: Failures related to account restrictions (code 0x12) can highlight misconfigurations that may inadvertently prevent legitimate access.

  • Password Attack Detection: An unusually high volume of 4771 events across various accounts might signal a more extensive password spray attack.

Tools and Strategies for Analysis

  • Windows Event Viewer: Manually inspect the Security log on domain controllers for 4771 events.

  • PowerShell: Automate the extraction and analysis of 4771 events from domain controllers' logs.

  • SIEM Systems: Aggregate and correlate 4771 events with other security logs to detect patterns indicative of attacks or systemic issues.

PreviousSubstatus CodesNext4768

Last updated 1 year ago

Was this helpful?