detection.wiki

Microsoft-Windows-Security-Auditing › Event 4648

Event ID 4648 — A logon was attempted using explicit credentials.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Logon/Logoff → Logon
Collection Priority
Recommended (Palantir, others)
Opcode
Info

Description

A logon was attempted using explicit credentials.

Message #

A logon was attempted using explicit credentials.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Logon GUID: %5

Account Whose Credentials Were Used:
	Account Name: %6
	Account Domain: %7
	Logon GUID: %8

Target Server:
	Target Server Name: %9
	Additional Information: %10

Process Information:
	Process ID: %11
	Process Name: %12

Network Information:
	Network Address: %13
	Port: %14

This event is generated when a process attempts to log on an account by explicitly specifying that account?s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Fields #

NameDescription
SubjectUserSid SID[Subject] Security ID.
SubjectUserName UnicodeString[Subject] Account Name.
SubjectDomainName UnicodeString[Subject] Account Domain.
SubjectLogonId HexInt64[Subject] Logon ID.
LogonGuid GUID[Subject] Logon GUID.
TargetUserName UnicodeString[Account Whose Credentials Were Used] Account Name.
TargetDomainName UnicodeString[Account Whose Credentials Were Used] Account Domain.
TargetLogonGuid GUID[Account Whose Credentials Were Used] Logon GUID.
TargetServerName UnicodeString[Target Server] Target Server Name.
TargetInfo UnicodeString[Target Server] Additional Information.
ProcessId Pointer[Process Information] Process ID.
ProcessName UnicodeString[Process Information] Process Name.
IpAddress UnicodeString[Network Information] Network Address.
IpPort UnicodeString[Network Information] Port.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4648,
    "version": 0,
    "level": 0,
    "task": 12544,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:29.161457+00:00",
    "event_record_id": 2767,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "LogonGuid": "00000000-0000-0000-0000-000000000000",
    "TargetUserName": "DWM-1",
    "TargetDomainName": "Window Manager",
    "TargetLogonGuid": "00000000-0000-0000-0000-000000000000",
    "TargetServerName": "localhost",
    "TargetInfo": "localhost",
    "ProcessId": "0x2e0",
    "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
    "IpAddress": "-",
    "IpPort": "-"
  },
  "message": ""
}

Detection Patterns #

Community Notes #

Logon with explicit credentials (RunAs, SchTasks, Pass-the-Hash, WinRM, SMB). May appear when an NTLM relayed session is used to create a service/task. Useful with 4624 (successful logon)/4634 (logoff completed) for reconstructing interactive or service logons.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Splunk # view in reference

  • Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials source: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.
  • Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials source: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.

References #