4648 A logon was attempted using explicit credentials
Written when an account attempts a logon by explicitly specifying another account’s credentials. Because it captures “impersonate someone else” actions like runas or PsExec, it is a heavily-used event for detecting lateral movement.
Overview
The subcategory is Audit Logon. It is generated when a process attempts a logon while explicitly specifying the target account’s credentials. It is typical of batch-style configurations such as scheduled tasks and of the RUNAS command, while it also has a routine side, occurring periodically during normal OS activity. The key point is that it records both “who (Subject)” and “whose credentials were used (Account Whose Credentials Were Used).”
How it is triggered
- Running a process as another account with `runas`.
- Connections involving explicit credentials, via scheduled tasks (`SchTasks`), PsExec, WinRM, SMB, and so on.
- It is also recorded when password spraying is run on that machine.
Security review points
- Attackers heavily use this action for lateral movement (spreading to other machines after intrusion). Using stolen credentials with `runas`/PsExec leaves a 4648, making it a strong lead for lateral movement.
- Focus on the pairing of `Subject\Security ID` (who acted) and `Account Whose Credentials Were Used` (the owner of the credentials used). If a subject that should not know or use those credentials is using them, it is suspicious.
- Investigate a `Process Name` outside standard folders or containing a suspicious name such as `mimikatz`. A `Network Address` outside the internal allowed-IP list deserves attention. A burst of 4648 on a workstation in a short time (say, more than 100 in one minute) suggests spraying or automation.
- It can be correlated with the 4624 of the same session and with Kerberos 4769 via `Logon GUID`.
Notes for log review
- It occurs routinely with legitimate automation such as scheduled tasks and services, so baseline out and exclude those aimed at `localhost` (::1/127.0.0.1) or driven by known legitimate processes.
- The high-value cases are “a hands-on `runas`/remote execution that used another account’s credentials.” Narrow down by the three points of source, executing process, and the account used.
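The review points and baselining rules above, applied to constructed 4648 records as an added example (not code from the original page). The standard folders, internal address prefixes, known legitimate processes and expected subject/credential pairs are assumptions for the example; the records are made up and carry only the fields this page lists.

```python
from collections import Counter

# Assumptions for this example, not from the page: which folders count as standard, which
# source networks are internal, which processes are routine, and which subject/credential pairs are expected.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")
INTERNAL_PREFIXES = ("10.0.", "192.168.")
LOOPBACK = {"::1", "127.0.0.1"}
KNOWN_LEGIT_PROCESSES = {"c:\\windows\\system32\\svchost.exe"}
EXPECTED_PAIRS = {("SYSTEM", "svc_backup")}  # (Subject, Account Whose Credentials Were Used)
BURST_THRESHOLD = 100  # 4648s per host per minute, the figure the page suggests
FIELDS = ("id", "time", "host", "subject", "used", "target", "process", "addr")

def is_baseline(ev):
    """Routine 4648 to baseline out: aimed at localhost/loopback or driven by a known legitimate process."""
    return (ev["target"].lower() == "localhost" or ev["addr"] in LOOPBACK
            or ev["process"].lower() in KNOWN_LEGIT_PROCESSES)

def review_event(ev):
    """Apply the page's per-record review points; return the points this record trips."""
    findings, proc = [], ev["process"].lower()
    if "mimikatz" in proc:
        findings.append("suspicious process name")
    elif not proc.startswith(STANDARD_FOLDERS):
        findings.append("process outside standard folders")
    if not ev["addr"].startswith(INTERNAL_PREFIXES):
        findings.append("source address outside allowed list")
    if ev["subject"] != ev["used"] and (ev["subject"], ev["used"]) not in EXPECTED_PAIRS:
        findings.append(f"{ev['subject']} used credentials of {ev['used']}")
    return findings

def find_bursts(events, threshold=BURST_THRESHOLD):
    """Hosts with more than `threshold` non-baseline 4648s inside one minute (key: host, YYYY-MM-DDTHH:MM)."""
    per_minute = Counter((ev["host"], ev["time"][:16]) for ev in events if not is_baseline(ev))
    return {key: n for key, n in per_minute.items() if n > threshold}

def review(events):
    """Return ({event id: findings} for non-baseline records, {(host, minute): count} bursts)."""
    flagged = {ev["id"]: review_event(ev) for ev in events if not is_baseline(ev)}
    return {i: f for i, f in flagged.items() if f}, find_bursts(events)

# Constructed sample records (made-up hosts, users, addresses), flattened to the fields the page lists.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (1, "2024-05-01T09:00:01", "WS01", "SYSTEM", "svc_backup", "localhost", "C:\\Windows\\System32\\svchost.exe", "::1"),
    (2, "2024-05-01T09:02:10", "WS01", "alice", "da-admin", "FS01", "C:\\Windows\\System32\\runas.exe", "10.0.1.25"),
    (3, "2024-05-01T09:03:44", "WS02", "bob", "bob", "FS01", "C:\\Users\\bob\\Downloads\\psexec.exe", "10.0.1.30"),
    (4, "2024-05-01T09:04:02", "WS02", "bob", "da-admin", "DC01", "C:\\Temp\\mimikatz.exe", "203.0.113.7"),
] + [  # 120 records in one minute from one workstation: the spray/automation burst the page describes
    (100 + i, f"2024-05-01T09:05:{i % 60:02d}", "WS03", "carol", f"user{i:03d}", "DC01",
     "C:\\Windows\\System32\\cmd.exe", "10.0.1.40") for i in range(120)
]]
```

`review(SAMPLE)` drops the loopback record, returns the per-record findings for the rest, and reports WS03 as a burst host for the 09:05 minute.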
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that performed the action |
| Account Whose Credentials Were Used | The owner of the credentials actually used |
| Target Server Name | The destination server; localhost if local |
| Process Name | The process run with explicit credentials |
| Network Address / Port | The source of the attempt |