Event ID 4649 (A replay attack was detected)

Anonymous
2024-07-25T09:31:22+00:00

I am trying to generate Event ID 4649 (A replay attack was detected) for testing purposes. I've tried different tools to generate it but failed to do so. Can anyone guide me or point me to documentation on how to generate it?




5 answers

  1. Anonymous
    2024-07-25T12:50:56+00:00

    Hello 1357A,

    Thank you for posting in Microsoft Community forum.

    Generating specific event IDs like Event ID 4649, which indicates a replay attack was detected, can be tricky since it involves mimicking specific conditions typically related to security and network traffic.

    Here are some general steps and tips that may help you in generating this event for testing purposes:

    1. Understand the Event ID: First, ensure you understand the conditions under which Event ID 4649 is generated. This event is related to detecting replay attacks, which occur when a valid data transmission is maliciously or fraudulently repeated.

    2. Use Audit Policies: Make sure that the relevant audit policies are enabled on the system. You would typically find them under "Audit Kerberos Authentication Service" and "Audit Other Logon/Logoff Events" in your Local Security Policy or Group Policy Editor.

    3. Simulate a Replay Attack: You need to simulate a replay attack. This generally involves capturing and reusing Kerberos tickets:

    Network Traffic Capture: Use tools like Wireshark to capture Kerberos tickets.

    Replay Tools: Use tools designed for replay attacks to resend the captured tickets to the server.

    4. Lab Environment: Set up a controlled lab environment to avoid any unintentional disruptions or violations of security policies. Ensure this environment mimics your intended production environment as closely as possible.

    5. Documentation and Tools:

    Microsoft Documentation: Refer to the document below for detailed information about Event ID 4649.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-07-26T04:32:42+00:00

    I've tried the above-mentioned points and am unable to simulate a replay attack. Not sure where I am going wrong. Can you give me any reference on how I can do it?

  3. Anonymous
    2024-07-26T09:21:35+00:00

    Hello

    Good day!

    I am sorry, currently, I do not know how to generate the event ID, either.

    In my opinion it seems it is difficult to generate this event ID.
    And the official document also says, "There is no example of this event in this document".

    4649(S) A replay attack was detected. - Windows 10 | Microsoft Learn

    However, based on my research, I found the following:

    If the server name, client name, time, and microsecond fields from the Authenticator match an entry found in the recent entries of the cache, a KRB_AP_ERR_REPEAT Kerberos response is sent to the client. The sending of this response triggers event ID 4649, which is registered by the corresponding domain controller.

    This event could occur potentially due to the same packets being sent by a misconfigured network device between the server and the client.

    And here you can understand "How Kerberos Authentication Protects Against Replay Attacks" better:

    Understanding Kerberos & Replay Attacks (itprotoday.com)

    And here two people have encountered this event ID:

    kerberos - A replay attack was detected (4649) & Exchange Healthmailbox - Information Security Stack Exchange

    exploit - A Replay Attack was Detected (4649) on DC and File Server - How should I investigate this? - Information Security Stack Exchange

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou


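The replay check described in the answer above (server name, client name, time and microsecond fields of the authenticator looked up in a cache of recent entries, with KRB_AP_ERR_REPEAT returned on a match) can be modelled in a few lines. The block below is an added illustration, not code from the thread or from Windows; the principal names, the cache window and the `Authenticator`/`ReplayCache` names are constructed assumptions. It also shows why a resend of the very same packet, as from the misconfigured network device mentioned above, produces the error while a second legitimate request from the same client does not.

```python
"""Toy model of a Kerberos server-side replay cache (constructed example)."""
from dataclasses import dataclass

KRB_AP_ERR_REPEAT = 34    # RFC 4120 error code returned for a replayed authenticator
KRB_AP_ERR_SKEW = 37      # RFC 4120 error code for a timestamp outside the allowed skew
CLOCK_SKEW_SECONDS = 300  # assumed allowed clock skew; bounds which entries count as "recent"


@dataclass(frozen=True)
class Authenticator:
    """The authenticator fields that the replay check compares (assumed names)."""
    server: str  # service principal the ticket is for
    client: str  # client principal named in the authenticator
    ctime: int   # client timestamp, seconds since the epoch
    cusec: int   # microsecond part of the client timestamp


class ReplayCache:
    """Cache of recently accepted authenticators, keyed on the four compared fields."""

    def __init__(self, skew: int = CLOCK_SKEW_SECONDS) -> None:
        self.skew = skew
        self._seen: dict[tuple, int] = {}  # (server, client, ctime, cusec) -> ctime
        self.replays_detected = 0  # the count an auditor would see as event 4649 on Windows

    def _expire(self, now: int) -> None:
        # Entries older than the skew window can never be accepted again anyway
        # (they would fail the skew check), so the cache only needs recent ones.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}

    def check(self, auth: Authenticator, now: int) -> str:
        """Return the outcome for one AP-REQ presented at server wall-clock time `now`."""
        self._expire(now)
        if abs(now - auth.ctime) > self.skew:
            return "KRB_AP_ERR_SKEW"
        key = (auth.server, auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            # Same server, client, time and microseconds as a recent entry: a replay.
            self.replays_detected += 1
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = auth.ctime
        return "OK"


def run_demo() -> tuple[list[str], int]:
    """Feed a constructed sequence of authenticators through the cache."""
    cache = ReplayCache()
    now = 1_700_000_000  # constructed server wall-clock time
    first = Authenticator("cifs/fs01.corp.example", "alice@CORP.EXAMPLE", now, 123456)
    second = Authenticator("cifs/fs01.corp.example", "alice@CORP.EXAMPLE", now, 123457)
    stale = Authenticator("cifs/fs01.corp.example", "bob@CORP.EXAMPLE", now - 3600, 1)
    outcomes = [
        cache.check(first, now),        # fresh request: accepted
        cache.check(first, now + 1),    # identical packet resent: replay detected
        cache.check(second, now + 1),   # new request differing only in microseconds: accepted
        cache.check(stale, now),        # timestamp an hour old: rejected for skew, never cached
    ]
    return outcomes, cache.replays_detected


if __name__ == "__main__":
    print(run_demo())
```

The model makes the reporting point concrete: only the second presentation of an identical authenticator increments the replay counter, so a single 4649 on a domain controller is consistent with one duplicated packet rather than necessarily with an attacker.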
  4. Anonymous
    2024-07-30T09:17:13+00:00

    Is there any specific document or guide only for the replay attack? The attacks in the above links don't specify how to simulate 4649 or a replay attack.

  5. Anonymous
    2024-07-31T08:16:21+00:00

    Hello

    Good day!

    Thank you for your reply. I apologize that I've run out of ideas and am unsure how to simulate 4649 or a replay attack.

    We have looked very carefully at this concern and even consulted my colleagues on it. I think our team has reached its limit. We would like to suggest that you repost in Questions - Microsoft Q&A, which aims to support more advanced users like you.

    Thank you for your understanding and support.

    Best regards,

    Daisy Zhou
