Event ID 4776 — The domain controller attempted to validate the credentials for an account.
Description
The computer attempted to validate the credentials for an account. The event is written by the system that performed the check: a domain controller for domain accounts, or the local machine for local accounts. It covers NTLM credential validation only (PackageName is always MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, i.e. MSV1_0); Kerberos authentication does not produce 4776 but 4768/4769 instead. It is logged for both successful (Status 0x0) and failed validations and requires the Audit Credential Validation subcategory to be enabled.
Message #
Fields #
| Name | Description |
|---|---|
| PackageName (UnicodeString) | Authentication package. For 4776 this is always MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (MSV1_0, NTLM). |
| TargetUserName (UnicodeString) | Logon account whose credentials were validated. |
| Workstation (UnicodeString) | Source workstation name as supplied by the client in its NTLM request; it can be empty or arbitrary. |
| Status (HexInt32) | Error code (NTSTATUS); 0x0 on success. See the Status table under Community Notes. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4776,
"version": 0,
"level": 0,
"task": 14336,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:48:22.599068+00:00",
"event_record_id": 388,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-E519-7BDD9E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 3868
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"TargetUserName": "Administrator",
"Workstation": "WIN-FPV0DSIC9O6",
"Status": "0x0"
},
"message": ""
}
Detection Patterns #
Community Notes #
This may capture fall-back NTLM use. Note the Workstation field (does it list the client? If not, this may be NTLM coercion).
The Status field is an NTSTATUS code indicating the credential validation result:
| Code | Name | Description |
|---|---|---|
| 0x00000000 | STATUS_SUCCESS | Credentials validated successfully |
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure (bad username or password) |
| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account |
| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password |
| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |
| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Account disabled |
| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Account expired |
| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Password expired |
| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Outside allowed logon hours |
| 0xC0000070 | STATUS_INVALID_WORKSTATION | Not allowed from this workstation |
| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |
| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |
| 0xC0000418 | STATUS_NTLM_BLOCKED | NTLM blocked by policy |
Because the domain controller reports the specific reason (0xC0000064 versus 0xC000006A), 4776 lets a detection distinguish guessing of non-existent usernames from spraying against valid accounts, which the generic 0xC000006D on the client side does not. Workstation is taken from the client's request, so treat it as an attribution hint, not a trusted source identifier.
Detection Rules #
Splunk #
- Windows Multiple Invalid Users Failed To Authenticate Using NTLM: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.
- Windows Multiple Users Failed To Authenticate From Host Using NTLM: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM: The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.
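As an added example (not code from the page, Microsoft or Splunk), the following Python decodes the Status field with the NTSTATUS table from the Community Notes and applies the per-source distinct-user logic of the first two Splunk analytics above to constructed 4776 records in the page's event_data shape. The 30-user threshold mirrors the Splunk rules; the function names, the sample events and the placeholder used for an empty Workstation are this example's own assumptions.

```python
"""Triage of Event ID 4776 records for password spraying.

Added example, not code from the page, Microsoft or Splunk. The records below
are constructed in the event_data shape of the page's sample event; the
function names and the 30-user threshold are this example's assumptions.
"""
from collections import defaultdict

# Subset of NTSTATUS values seen in the 4776 Status field.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000418: "STATUS_NTLM_BLOCKED",
}

NO_SUCH_USER = 0xC0000064
WRONG_PASSWORD = 0xC000006A


def status_name(status: str) -> str:
    """Translate the hex Status string (e.g. '0xC0000064') to its NTSTATUS name."""
    code = int(status, 16) & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, "UNKNOWN_0x%08X" % code)


def make_event(user, workstation, status):
    """Build a constructed 4776 record shaped like the page's sample event."""
    return {
        "system": {"event_id": 4776, "channel": "Security", "computer": "DC01"},
        "event_data": {
            "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
            "TargetUserName": user,
            "Workstation": workstation,
            "Status": status,
        },
    }


def spray_sources(events, threshold=30):
    """Group 4776 failures by source Workstation and flag spraying.

    Mirrors the two Splunk analytics: distinct non-existent users
    (0xC0000064) and distinct valid users with a bad password (0xC000006A)
    per source. Returns {workstation: counts} for every source where either
    distinct-user count reaches the threshold.
    """
    invalid = defaultdict(set)
    wrong = defaultdict(set)
    for ev in events:
        if ev["system"]["event_id"] != 4776:
            continue
        d = ev["event_data"]
        code = int(d["Status"], 16) & 0xFFFFFFFF
        # Workstation is client-supplied; keep an empty value visible as its own
        # bucket instead of silently dropping those records (assumed label).
        src = d["Workstation"] or "<no workstation name>"
        user = d["TargetUserName"].lower()  # avoid counting case variants twice
        if code == NO_SUCH_USER:
            invalid[src].add(user)
        elif code == WRONG_PASSWORD:
            wrong[src].add(user)
    hits = {}
    for src in set(invalid) | set(wrong):
        n_invalid, n_wrong = len(invalid[src]), len(wrong[src])
        if max(n_invalid, n_wrong) >= threshold:
            hits[src] = {"invalid_users": n_invalid, "bad_passwords": n_wrong}
    return hits


# Constructed sample: one host guessing 35 non-existent usernames, one
# workstation with a few mistyped passwords for two real users, one record
# with an empty Workstation, and one normal success.
SAMPLE_EVENTS = (
    [make_event("guest%03d" % i, "ATTACKER-PC", "0xC0000064") for i in range(35)]
    + [make_event("alice", "WS01", "0xC000006A") for _ in range(3)]
    + [make_event("bob", "WS01", "0xC000006A")]
    + [make_event("carol", "", "0xC000006A")]
    + [make_event("Administrator", "WS02", "0x0")]
)

if __name__ == "__main__":
    for src, counts in spray_sources(SAMPLE_EVENTS).items():
        print(src, counts)
    print(status_name("0xC0000064"))
```

With the default threshold only ATTACKER-PC is reported (35 distinct non-existent users); lowering the threshold to 2 also surfaces WS01 (alice and bob with bad passwords, repeated attempts for the same user counted once). On a real domain controller the records would come from the Security channel (for example via Get-WinEvent or the SIEM) rather than the constructed list, and filtering on event_id and Status before aggregating keeps the rule cheap.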
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
- Example event sourced from https://github.com/NextronSystems/evtx-baseline