Windows Security Log Event ID 4649

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Logon/Logoff
 • Other Logon/Logoff Events
Type Success
Corresponding events
in Windows 2003
and before		  

4649: A replay attack was detected

On this page

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

Free Security Log Resources by Randy

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

Examples of 4649

A replay attack was detected.

Subject:
   Security ID:  %1
   Account Name:  %2
   Account Domain:  %3
   Logon ID:  %4
Credentials Which Were Replayed:
   Account Name:  %5
   Account Domain:  %6
Process Information:
   Process ID:  %12
   Process Name:  %13
Network Information:
   Workstation Name: %10
Detailed Authentication Information:
   Request Type:  %7
   Logon Process:  %8
   Authentication Package: %9
   Transited Services: %11

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources

    Go To Event ID:

    Security Log
    Quick Reference
    Chart
    Download now!