Windows SecurityAuthenticationEnhanced Analysis

Event 4771: Kerberos pre-authentication failed.

Quick Answer

Event 4771 is generated when Kerberos pre-authentication fails on a domain controller, typically indicating invalid username, incorrect password, or disabled account login attempts. This event is essential for detecting password spraying attacks, brute force attempts against Active Directory accounts, and reconnaissance activities where attackers enumerate valid usernames.

Technical Details

Windows Security Source

Event ID: 4771

Windows Security- Authentication

Event Description

Kerberos pre-authentication failed.

Key Log Fields

  • TargetUserName - Account name for which pre-auth failed
  • ServiceName - Service name (typically krbtgt)
  • IpAddress - Source IP address
  • IpPort - Source port
  • FailureCode - Kerberos error code (0x12=invalid password, 0x18=account disabled)
  • PreAuthType - Pre-authentication type attempted
  • TicketOptions - Ticket options requested

MITRE ATT&CK® Mapping (2)

T1110credential-access
Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.

T1558.004credential-access
AS-REP Roasting

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014) For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)

Event Comparison

Event 4771 specifically tracks Kerberos pre-authentication failures, while Event 4625 captures all types of logon failures including NTLM. Event 4776 monitors NTLM authentication failures. Monitor all three for comprehensive authentication failure visibility.

What This Event Means

Event 4771 provides early warning of authentication attacks targeting Active Directory through failed Kerberos pre-authentication. Unlike Event 4625 (failed logons) which captures various authentication failures, Event 4771 specifically tracks Kerberos AS-REQ failures before full authentication occurs. This event is generated on domain controllers when clients request Kerberos tickets but fail pre-authentication, making it valuable for detecting password spraying (low-frequency password attempts across many accounts), brute force attacks (high-frequency attempts against specific accounts), and username enumeration. The failure code field indicates the specific reason for failure - wrong password (0x18), no such user (0x6), account disabled (0x12), or password expired (0x17). Attackers performing external reconnaissance often trigger thousands of Event 4771 entries while attempting to identify valid accounts.

Security Implications

  • Password spraying attacks detected through widespread 0x18 (wrong password) failures across multiple accounts from single source IPs
  • Credential stuffing attempts visible when attackers test compromised credentials from external breaches against Active Directory
  • Username enumeration reconnaissance generating 0x6 (no such user) failures as attackers probe for valid account names
  • Kerberoasting preparation when attackers intentionally trigger failures while requesting service principal tickets
  • APT28 (Fancy Bear) and Iranian APT groups frequently conduct password spraying campaigns generating mass Event 4771 failures

Detection Strategies

Implement threshold-based detection for multiple Event 4771 failures from single source IPs within sliding time windows (e.g., >10 failures in 10 minutes indicates possible brute force). Monitor for password spraying patterns characterized by single failures across many different accounts from the same source. Alert on unusual failure codes like 0x6 (user not found) suggesting reconnaissance or typosquatting attacks. Correlate Event 4771 with Event 4625 and Event 4768 (successful Kerberos ticket requests) to identify accounts transitioning from failed to successful authentication. Track source IP addresses and geolocations for failures originating from unexpected countries or known malicious infrastructure. Monitor service accounts and administrative accounts for any authentication failures, as these should rarely fail in legitimate use.

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • APT28 password spraying: Attackers generated thousands of Event 4771 failures with code 0x18 across executive accounts using common passwords like 'Summer2023!' and 'Company123'

  • External reconnaissance campaign: Automated tooling generated Event 4771 failures with code 0x6 as attackers enumerated valid usernames by testing firstname.lastname combinations

  • Kerberoasting attack preparation: Attackers intentionally triggered Event 4771 while using Rubeus to request service tickets for accounts with SPNs before offline cracking

  • Insider threat investigation: Terminated employee's remote access attempts generated Event 4771 code 0x12 (account disabled) from external VPN IP after account deactivation

Contents