SIEM - Detect Replay Attacks in Windows Systems
A replay attack (also known as a playback attack) is a form of network attack in which a valid data transmission is captured and then maliciously or fraudulently repeated or delayed.
In a Windows infrastructure, Event ID 4649 ("A replay attack was detected") is written to the Security log of the host whose Kerberos subsystem sent a KRB_AP_ERR_REPEAT response to the client. That host is usually a domain controller, but member servers and workstations accepting Kerberos authentication generate it as well. The event indicates that the same authentication request was received twice with identical information.
The Kerberos service that accepts an AP-REQ keeps a replay cache of authenticators it has recently received. If the server name, client name, time, and microsecond fields of an incoming Authenticator match an entry already in the cache, the request is rejected with KRB_AP_ERR_REPEAT and Event ID 4649 is logged. The Authenticator is encrypted with the session key, so an attacker who sniffs one cannot modify it; replaying it unchanged within the allowed clock skew is the remaining option, and the cache exists to catch exactly that.
The event message is laid out in sections; the ones relevant to triage are:

A replay attack was detected.
  Credentials Which Were Replayed: (the account whose authenticator was seen twice)
  Detailed Authentication Information: (the logon process and authentication package that reported the replay)
Note: this event can also be produced by network misconfiguration or routing problems that cause a legitimate request to be delivered twice. Even so, it is recommended to investigate every occurrence rather than tune the event out.
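The correlation below is an added example for the SIEM side of this page, not code from the original article or from Microsoft. It takes Event ID 4649 records in Windows event XML, groups them by replayed account and requesting workstation, and raises one alert per group. Because the page says to investigate every occurrence, nothing is suppressed; instead each alert carries how many other accounts were replayed from the same workstation in the surrounding window, which gives the analyst a data point when weighing the network-duplication explanation. The field names TargetUserName, TargetDomainName and WorkstationName are assumed to carry the replayed account and the requesting workstation, and the sample records are constructed and reduced to only the fields the code reads.

```python
"""Correlate Windows Security Event ID 4649 (Kerberos replay detected) records
forwarded to a SIEM.  Added illustration, not code from the original page.
Assumptions not stated on the page: events arrive as Windows event XML, and the
EventData fields TargetUserName / TargetDomainName / WorkstationName carry the
replayed account and the workstation that sent the request."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
REPLAY_EVENT_ID = 4649


def parse_time(system_time: str) -> datetime:
    """Parse TimeCreated/@SystemTime.  Windows writes 7 fractional digits;
    strptime's %f accepts at most 6, so trim (or pad) before parsing."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    frac = frac[:6].ljust(6, "0")
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_event(xml_text: str) -> dict:
    """Flatten one Windows event XML document into a dict of its fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def detect_replays(events, window=timedelta(minutes=10)) -> list:
    """One alert per (replayed account, requesting workstation, logging host).
    Every 4649 is alerted on; 'other_accounts_from_source' counts distinct
    other accounts replayed from the same workstation within `window` of the
    group, context for judging whether duplicated traffic is a likely cause."""
    replays = [e for e in events if e["event_id"] == REPLAY_EVENT_ID]
    by_key = defaultdict(list)
    for e in replays:
        key = (e["TargetDomainName"], e["TargetUserName"], e["WorkstationName"], e["computer"])
        by_key[key].append(e)

    alerts = []
    for (domain, user, workstation, computer), group in sorted(by_key.items()):
        group.sort(key=lambda e: e["time"])
        first, last = group[0]["time"], group[-1]["time"]
        others = {
            (e["TargetDomainName"], e["TargetUserName"])
            for e in replays
            if e["WorkstationName"] == workstation
            and (e["TargetDomainName"], e["TargetUserName"]) != (domain, user)
            and first - window <= e["time"] <= last + window
        }
        alerts.append({
            "account": f"{domain}\\{user}",
            "workstation": workstation,
            "logged_on": computer,
            "count": len(group),
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
            "other_accounts_from_source": len(others),
        })
    return alerts


def sample_xml(event_id, system_time, computer, user, domain, workstation):
    """Build a constructed event carrying only the fields this example reads."""
    return (
        f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{system_time}"/><Computer>{computer}</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="WorkstationName">{workstation}</Data></EventData></Event>'
    )


# Constructed sample: two replays of one account and one of another, all from
# the same workstation, plus an unrelated 4624 logon that must be ignored.
SAMPLE_XML = [
    sample_xml(4649, "2024-03-05T10:15:30.1234567Z", "DC01.corp.example", "jdoe", "CORP", "WS-117"),
    sample_xml(4649, "2024-03-05T10:15:31.0000000Z", "DC01.corp.example", "jdoe", "CORP", "WS-117"),
    sample_xml(4649, "2024-03-05T10:16:02.5000000Z", "DC01.corp.example", "svc-backup", "CORP", "WS-117"),
    sample_xml(4624, "2024-03-05T10:16:05.0000000Z", "DC01.corp.example", "jdoe", "CORP", "WS-117"),
]


def run_sample() -> list:
    return detect_replays([parse_event(x) for x in SAMPLE_XML])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The grouping key includes the logging host on purpose: the same client authenticator replayed against two different services is two separate findings, and the Computer field is what tells them apart when events from several servers are centralised in one SIEM.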