ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Cybersecurity monitoring center showing Windows security event analysis and authentication monitoring dashboards
Event ID 4649WarningMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4649 – Microsoft-Windows-Security-Auditing: A replay attack was detected

Event ID 4649 indicates Windows detected a potential Kerberos replay attack where authentication credentials were reused maliciously. This security audit event requires immediate investigation to prevent unauthorized access.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4649Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4649 represents one of Windows most sophisticated security detection mechanisms, specifically designed to identify Kerberos replay attacks in Active Directory environments. When this event fires, it means the Windows Security Auditing subsystem has detected authentication credentials being reused in a manner consistent with a replay attack scenario.

Replay attacks occur when an attacker intercepts valid authentication credentials (typically Kerberos tickets) and attempts to reuse them to gain unauthorized access to network resources. Unlike password-based attacks, replay attacks use legitimate credentials that have been captured through network sniffing, man-in-the-middle attacks, or other interception methods.

The Windows Kerberos implementation includes several anti-replay mechanisms including timestamp validation, sequence number checking, and authentication context verification. When these mechanisms detect anomalies suggesting credential replay, Event ID 4649 is generated. The event includes detailed information about the suspected replay attempt, including source IP addresses, target services, and timing information that security teams can use for investigation.

This event is particularly significant in 2026 as hybrid cloud environments and remote work scenarios have increased the attack surface for credential interception. Modern threat actors frequently use sophisticated replay attack techniques as part of lateral movement strategies within compromised networks.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Kerberos ticket replay attacks where intercepted tickets are reused for unauthorized access
  • Network-based man-in-the-middle attacks capturing and replaying authentication tokens
  • Malicious software attempting to reuse cached credentials from compromised systems
  • Time synchronization issues causing legitimate authentication requests to appear as replays
  • Network latency or packet duplication causing authentication requests to be processed multiple times
  • Compromised service accounts with credentials being replayed across multiple systems
  • Advanced persistent threat (APT) activities using credential replay for lateral movement
  • Misconfigured network equipment causing authentication packet duplication
Resolution Methods

Troubleshooting Steps

01

Analyze Security Event Details

Start by examining the specific details of the Event ID 4649 occurrence to understand the scope and nature of the detected replay attack.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4649 using the filter option
  3. Double-click the most recent 4649 event to view details
  4. Document the following key information:
    • Source IP address of the suspected attack
    • Target service or resource being accessed
    • User account involved in the replay attempt
    • Timestamp and frequency of occurrences
  5. Use PowerShell to extract detailed event information:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4649} -MaxEvents 20 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

Review the event message for specific details about the authentication context and replay detection triggers.

02

Investigate Network Time Synchronization

Time synchronization issues can cause legitimate authentication requests to be flagged as replay attacks. Verify NTP configuration and time accuracy across your domain.

  1. Check domain controller time synchronization status:
w32tm /query /status
w32tm /query /peers
  1. Verify time synchronization on the affected client systems:
w32tm /query /computer:CLIENT-NAME /status
  1. Check for time drift between domain controllers:
Get-ADDomainController -Filter * | ForEach-Object { Write-Host "$($_.Name): $((Get-Date) - (Get-Date (Invoke-Command -ComputerName $_.Name -ScriptBlock {Get-Date})))" }
  1. If time drift is detected, force time synchronization:
w32tm /resync /force
Pro tip: Time differences greater than 5 minutes between domain controllers and clients can trigger false positive replay attack detections.
03

Analyze Authentication Patterns and Source IPs

Examine authentication patterns to distinguish between legitimate authentication issues and actual replay attacks by analyzing source IP addresses and authentication frequency.

  1. Extract and analyze source IP addresses from Event ID 4649 occurrences:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4649} -MaxEvents 100
$Events | ForEach-Object {
    $XML = [xml]$_.ToXml()
    $SourceIP = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SourceIP = $SourceIP
        Message = $_.Message
    }
} | Group-Object SourceIP | Sort-Object Count -Descending
  1. Check for suspicious authentication patterns from specific IP addresses:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624,4625,4649)} -MaxEvents 500 | Where-Object {$_.Message -like '*192.168.1.100*'} | Select-Object TimeCreated, Id, Message
  1. Investigate network connectivity and routing to identify potential man-in-the-middle scenarios
  2. Cross-reference suspicious IP addresses with threat intelligence feeds and internal network documentation
  3. Review firewall logs for unusual traffic patterns from flagged IP addresses
Warning: Do not immediately block IP addresses showing Event ID 4649 without thorough investigation, as legitimate systems with time sync issues may be flagged.
04

Implement Enhanced Kerberos Security Monitoring

Deploy advanced monitoring and security measures to better detect and prevent actual replay attacks while reducing false positives.

  1. Enable additional Kerberos auditing policies through Group Policy:
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAccount Logon
  3. Enable Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations
  4. Configure PowerShell monitoring for comprehensive authentication analysis:
# Create a monitoring script for continuous Event ID 4649 analysis
$ScriptBlock = {
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4649; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue
    if ($Events) {
        $Events | ForEach-Object {
            $XML = [xml]$_.ToXml()
            Write-EventLog -LogName Application -Source "Custom Security Monitor" -EventId 9001 -EntryType Warning -Message "Potential replay attack detected: $($_.Message)"
        }
    }
}
Register-ScheduledTask -TaskName "Monitor-ReplayAttacks" -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)) -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-WindowStyle Hidden -Command $ScriptBlock")
  1. Configure registry settings for enhanced Kerberos security:
Set-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "MaxClockSkew" -Value 300 -Type DWord
Set-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "MaxRenewAge" -Value 604800 -Type DWord
05

Incident Response and Forensic Analysis

When Event ID 4649 indicates a genuine replay attack, implement comprehensive incident response procedures to contain the threat and gather forensic evidence.

  1. Immediately isolate affected systems and change compromised account passwords:
# Reset password for potentially compromised account
Set-ADAccountPassword -Identity "username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewComplexPassword123!" -Force)
# Force logoff all sessions for the compromised account
Get-ADUser "username" | Set-ADUser -Replace @{userAccountControl="514"} # Disable account temporarily
  1. Collect comprehensive forensic evidence:
# Export all security events related to the incident
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624,4625,4648,4649,4672); StartTime=$StartTime; EndTime=$EndTime} | Export-Csv -Path "C:\Forensics\SecurityEvents_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation
  1. Analyze network traffic captures if available using tools like Wireshark or Network Monitor
  2. Review Active Directory replication logs for signs of credential theft:
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=@(1644,1645)} -MaxEvents 100
  1. Implement immediate containment measures:
  2. Block suspicious IP addresses at firewall level
  3. Force Kerberos ticket renewal across the domain
  4. Enable additional monitoring on critical service accounts
  5. Document all findings and coordinate with security team for threat hunting activities
Warning: During active replay attack incidents, avoid making configuration changes that might alert attackers to your detection capabilities.

Overview

Event ID 4649 fires when Windows Security Auditing detects a potential Kerberos replay attack. This occurs when the system identifies that previously captured authentication credentials are being reused in an attempt to gain unauthorized access. The event is part of Windows advanced security auditing and indicates that someone may be attempting to replay intercepted Kerberos tickets or authentication tokens.

This event typically appears in the Security log on domain controllers and member servers when Kerberos authentication replay detection mechanisms identify suspicious authentication patterns. The detection relies on timestamp validation, sequence numbers, and authentication context analysis to identify potentially malicious credential reuse.

Unlike standard authentication failures, Event ID 4649 specifically targets replay attacks where valid credentials are being misused rather than invalid credentials being attempted. This makes it a critical security indicator that requires immediate attention from security teams and system administrators.

Frequently Asked Questions

What exactly is a replay attack that triggers Event ID 4649?+
A replay attack occurs when an attacker intercepts valid Kerberos authentication credentials (tickets or tokens) and attempts to reuse them to gain unauthorized access to network resources. Event ID 4649 fires when Windows detects this credential reuse through its anti-replay mechanisms, which analyze timestamps, sequence numbers, and authentication context to identify suspicious patterns. Unlike brute force attacks that use invalid credentials, replay attacks exploit legitimate credentials that have been captured through network interception or system compromise.
Can time synchronization issues cause false positive Event ID 4649 alerts?+
Yes, time synchronization problems are a common cause of false positive Event ID 4649 alerts. Windows Kerberos authentication relies heavily on timestamp validation to prevent replay attacks. When domain controllers and client systems have significant time differences (typically more than 5 minutes), legitimate authentication requests may be flagged as potential replays. This occurs because the authentication timestamps appear to be from the past or future, triggering the anti-replay detection mechanisms. Always verify NTP synchronization across your domain when investigating Event ID 4649.
How can I distinguish between legitimate time sync issues and actual replay attacks?+
To distinguish between time sync issues and real attacks, examine several factors: First, check if multiple systems from the same IP range are generating Event ID 4649 simultaneously, which suggests time sync problems. Second, verify time synchronization status using w32tm commands on affected systems. Third, analyze the frequency and pattern of events - time sync issues typically affect many users at once, while replay attacks usually target specific accounts or services. Fourth, review the authentication success/failure patterns - legitimate time sync issues often show successful authentications mixed with 4649 events, while replay attacks may show more suspicious access patterns.
What immediate actions should I take when Event ID 4649 indicates a genuine replay attack?+
When facing a genuine replay attack, take these immediate steps: First, isolate the affected systems from the network to prevent lateral movement. Second, reset passwords for all potentially compromised accounts and force immediate logoff of active sessions. Third, disable the compromised accounts temporarily while investigating. Fourth, block suspicious IP addresses at the firewall level. Fifth, force Kerberos ticket renewal across the domain to invalidate any stolen tickets. Sixth, collect forensic evidence including security event logs, network traffic captures, and system memory dumps. Finally, coordinate with your security team to initiate threat hunting activities and determine the scope of the compromise.
How can I prevent replay attacks that trigger Event ID 4649 in my environment?+
Prevent replay attacks through multiple security layers: First, ensure proper network segmentation and use encrypted communication protocols (HTTPS, SMB signing, IPSec) to prevent credential interception. Second, implement strict time synchronization policies with NTP to ensure accurate timestamp validation. Third, configure shorter Kerberos ticket lifetimes and renewal intervals to limit the window for replay attacks. Fourth, deploy network monitoring solutions to detect suspicious authentication patterns and man-in-the-middle attacks. Fifth, use privileged access management (PAM) solutions for administrative accounts. Sixth, implement multi-factor authentication where possible to add additional security layers beyond Kerberos tickets.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including authentication monitoring and Kerberos security events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Kerberos Authentication Technical ReferenceTechnical documentation covering Kerberos authentication mechanisms, security features, and anti-replay protection in Windows environments.https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4649#security-auditing#kerberos-attacks

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...