Event ID 4776 - The computer attempted to validate the credentials for an account
Log Sample:
{
"EventTime": "2017/11/17 04:04:12",
"Hostname": "MPWXDC2.changeme.local",
"Keywords": -9214364837600034816,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4776,
"SourceName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version": 0,
"Task": 14336,
"OpcodeValue": 0,
"RecordNumber": 484069365,
"ProcessID": 564,
"ThreadID": 680,
"Channel": "Security",
"Message": "The computer attempted to validate the credentials for an account.",
"Category": "Credential Validation",
"Opcode": "Info",
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"TargetUserName": "C Jack",
"Workstation": "DELL-LT-12",
"Status": "0x0",
"EventReceivedTime": "2017/11/17 04:04:12",
"SourceModuleName": "wineventlog_in",
"SourceModuleType": "im_msvistalog"
}
General Description
- Logged every time that a credential validation occurs using NTLM authentication.
- Occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
- Shows successful and unsuccessful credential validation attempts.
- Shows only the computer name (Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.
- If a credential validation attempt fails, you will see a Failure event whose Error Code parameter (the Status field in the log sample above) is not equal to “0x0”.
Advantage
- On domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
- This event also generates when a workstation unlock event occurs.
- However, if you wish to monitor local account logon attempts, use event 4624. Also, this event does not generate when a domain account logs on locally to a domain controller.
Other Details
- TargetUserName: the name of the account that had its credentials validated by the Authentication Package. Can be user name, computer account name or well-known security principal account name. Examples:
User example: dadmin
Computer account example: WIN81$
Local System account example: Local
Local Service account example: Local Service
- Workstation: the name of the computer from which the logon attempt originated.
- Error Code (the Status field in the log sample above): contains the error code for Failure events. For Success events this parameter has the value “0x0”. The table below lists the most common error codes for this event:
Error Code | Description
0x0        | No errors.
0xC0000064 | The username you typed does not exist. Bad username.
0xC000006A | Account logon with misspelled or bad password.
0xC000006D | Generic logon failure.
0xC000006F | Account logon outside authorized hours.
0xC0000070 | Account logon from unauthorized workstation.
0xC0000071 | Account logon with expired password.
0xC0000072 | Account logon to account disabled by administrator.
0xC0000193 | Account logon with expired account.
0xC0000224 | Account logon with "Change Password at Next Logon" flagged.
0xC0000234 | Account logon with account locked.
0xC0000371 | The local account store does not contain secret material for the specified account.
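As an added example (not part of the original post): a small Python detector that reads JSON lines shaped like the log sample above, maps the Status field through the error-code table, and flags the two failure patterns a defender watches for in 4776 data: one account failing repeatedly, and one Workstation failing against many distinct accounts. The sample events, the threshold value and the summarize_4776 function are constructed for this example.

```python
import json
from collections import defaultdict

# Status codes from the table above (hex digits normalised to upper case).
STATUS_DESCRIPTIONS = {
    "0x0": "No errors.",
    "0xC0000064": "Bad username.",
    "0xC000006A": "Bad password.",
    "0xC000006D": "Generic logon failure.",
    "0xC000006F": "Logon outside authorized hours.",
    "0xC0000070": "Logon from unauthorized workstation.",
    "0xC0000071": "Expired password.",
    "0xC0000072": "Account disabled by administrator.",
    "0xC0000193": "Expired account.",
    "0xC0000224": "Change password at next logon flagged.",
    "0xC0000234": "Account locked.",
    "0xC0000371": "No secret material for the account in the local store.",
}

def summarize_4776(json_lines, threshold=3):
    """Keep EventID 4776 records only. Returns (events, brute, spray): events =
    [(TargetUserName, Workstation, status description)], brute = users with
    >= threshold failures, spray = workstations failing for >= threshold users."""
    events, user_failures, ws_users = [], defaultdict(int), defaultdict(set)
    for line in json_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4776:
            continue
        status = "0x" + str(ev.get("Status", "0x0"))[2:].upper()  # match table case
        user, ws = ev.get("TargetUserName", "?"), ev.get("Workstation", "?")
        events.append((user, ws, STATUS_DESCRIPTIONS.get(status, "Unknown " + status)))
        if status != "0x0":  # any non-zero Status is a failed validation
            user_failures[user] += 1
            ws_users[ws].add(user)
    brute = sorted(u for u, n in user_failures.items() if n >= threshold)
    spray = sorted(w for w, us in ws_users.items() if len(us) >= threshold)
    return events, brute, spray

# Constructed sample lines (same fields as the page's log sample, trimmed).
SAMPLE = [
    '{"EventID": 4776, "TargetUserName": "C Jack", "Workstation": "DELL-LT-12", "Status": "0x0"}',
    '{"EventID": 4776, "TargetUserName": "dadmin", "Workstation": "DELL-LT-12", "Status": "0xc000006a"}',
    '{"EventID": 4776, "TargetUserName": "dadmin", "Workstation": "DELL-LT-12", "Status": "0xC000006A"}',
    '{"EventID": 4776, "TargetUserName": "dadmin", "Workstation": "DELL-LT-12", "Status": "0xC0000234"}',
    '{"EventID": 4776, "TargetUserName": "alice", "Workstation": "KIOSK-7", "Status": "0xC000006A"}',
    '{"EventID": 4776, "TargetUserName": "bob", "Workstation": "KIOSK-7", "Status": "0xC000006A"}',
    '{"EventID": 4776, "TargetUserName": "carol", "Workstation": "KIOSK-7", "Status": "0xC0000064"}',
    '{"EventID": 4624, "TargetUserName": "dave", "Workstation": "KIOSK-7", "Status": "0xC000006A"}',
]
```

Because 4776 only records the source Workstation, the spray check groups by that field; the destination host is not available in this event, so correlate with 4624 on the target if you need it.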