Windows Security Log Event ID 4649

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Logon/Logoff
 • Other Logon/Logoff Events
Type Success
Corresponding events
in Windows 2003
and before		  

4649: A replay attack was detected

On this page

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

Free Security Log Resources by Randy

Supercharger Free Edition


Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 4649

A replay attack was detected.

Subject:
   Security ID:  %1
   Account Name:  %2
   Account Domain:  %3
   Logon ID:  %4
Credentials Which Were Replayed:
   Account Name:  %5
   Account Domain:  %6
Process Information:
   Process ID:  %12
   Process Name:  %13
Network Information:
   Workstation Name: %10
Detailed Authentication Information:
   Request Type:  %7
   Logon Process:  %8
   Authentication Package: %9
   Transited Services: %11

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!