Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4649 - A replay attack was detected.
EventID 4649 - A replay attack was detected.

Find more information about this event on ultimatewindowssecurity.com.
        A replay attack was detected.

        Security ID:		%1
        Account Name:		%2
        Account Domain:		%3
        Logon ID:		%4

        Credentials Which Were Replayed:
        Account Name:		%5
        Account Domain:		%6

        Process Information:
        Process ID:		%12
        Process Name:		%13

        Network Information:
        Workstation Name:	%10

        Detailed Authentication Information:
        Request Type:		%7
        Logon Process:		%8
        Authentication Package:	%9
        Transited Services:	%11

        This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Logon/Logoff
Source Microsoft-Windows-Security-Auditing
TaskCategory Other Logon/Logoff Events
EventId 4649
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Subject: Account Name Name of the account that initiated the action. InsertionString2
Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString3
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString4
Subject: Security ID InsertionString1
Credentials Which Were Replayed: Account Name InsertionString5
Credentials Which Were Replayed: Account Domain InsertionString6
Process Information: Process ID InsertionString12
Process Information: Process Name InsertionString13
Network Information: Workstation Name InsertionString10
Detailed Authentication Information: Request Type InsertionString7
Detailed Authentication Information: Logon Process InsertionString8
Detailed Authentication Information: Authentication Package InsertionString9
Detailed Authentication Information: Transited Services InsertionString11
You must be logged in to comment