4776 The computer attempted to validate the credentials for an account (NTLM)

This event is written whenever credentials are validated via NTLM authentication. It is a cornerstone of authentication monitoring, usable to detect password spraying, brute force, and pass-the-hash over the NTLM path.

Overview

The subcategory is Audit Credential Validation. It is generated when credentials are validated via NTLM (the older Windows authentication protocol). Local-account validation is recorded on that machine; domain-account validation on the domain controller that handles authentication. The success/failure reason appears in Error Code.

How it is triggered

  • NTLM authentication (local logon, file shares, legacy apps, and so on).
  • The failure reason appears in Error Code. Common examples:
    • 0xC000006A wrong password (correct username + wrong password)
    • 0xC0000064 nonexistent username
    • 0xC0000234 locked out

Security review points

  • Password spraying/brute force over NTLM: watch whether 0xC000006A failures occur from a single source across many accounts (spraying) or consecutively against a single account (brute force). Together with Kerberos 4771, it is one of the two pillars of authentication-failure monitoring.
  • Pass-the-hash: NTLM authentication with a stolen hash is logged as a successful 4776. Look for anomalies such as a Source Workstation that differs from the usual one, or a service account authenticating from an unexpected machine. Correlate with network logon 4624 (Type 3, NTLM).
  • Heavy NTLM use in a modern environment is itself a weakness (not having moved to Kerberos) and a path attackers favor.

Notes for log review

  • It appears in volume on domain controllers. Using Error Code, Source Workstation, and target account as axes, correlate concentrations of failures (spraying/brute force) and anomalous successes (PtH).
  • Failures caused by devices or services holding old credentials (self-inflicted) are also common. Use the source to separate attack activity from configuration-induced failures.
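
The correlation described under Security review points and Notes for log review, as an added example (not code from the original page). The tuple layout, the thresholds, the per-account workstation baseline, and all account and machine names are assumptions; the events are taken to be one review window already in time order.

```python
from collections import defaultdict

WRONG_PASSWORD, SUCCESS = "0xc000006a", "0x0"

# Constructed sample 4776 records in time order:
# (Logon Account, Source Workstation, Error Code). Names are made up.
EVENTS = (
    [(u, "WS-101", "0xC000006A") for u in ("alice", "bob", "carol", "dave")]
    + [("erin", "WS-305", "0xC000006A")] * 5
    + [("svc_sql", "WS-222", "0x0"), ("alice", "WS-001", "0x0")]
)
# Hypothetical baseline: workstations each account normally authenticates from.
BASELINE = {"svc_sql": {"SQL-01"}, "alice": {"WS-001"}}


def triage(events, baseline, spray_accounts=4, brute_failures=5):
    """Return (spray_sources, brute_accounts, odd_successes)."""
    accounts_by_source = defaultdict(set)  # source -> accounts that failed from it
    run = defaultdict(int)                 # account -> current consecutive failures
    longest = defaultdict(int)             # account -> longest failure run seen
    odd_successes = []
    for account, source, code in events:
        account, code = account.lower(), code.lower()
        if code == WRONG_PASSWORD:
            accounts_by_source[source].add(account)
            run[account] += 1
            longest[account] = max(longest[account], run[account])
        elif code == SUCCESS:
            run[account] = 0  # a success ends the consecutive-failure run
            # Accounts without a baseline entry are not flagged.
            if source not in baseline.get(account, {source}):
                odd_successes.append((account, source))
    spray = sorted(s for s, a in accounts_by_source.items() if len(a) >= spray_accounts)
    brute = sorted(a for a, n in longest.items() if n >= brute_failures)
    return spray, brute, odd_successes


if __name__ == "__main__":
    spray, brute, odd = triage(EVENTS, BASELINE)
    print("possible spraying from:", spray)
    print("possible brute force against:", brute)
    print("successes from unusual workstations:", odd)
```

Sources that turn out to be devices with stale credentials can be excluded from the input before calling `triage`, which keeps the attack and configuration-induced cases apart.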

Key fields

| Field | Meaning |
|---|---|
| Logon Account | The account being validated |
| Source Workstation | The name of the machine making the authentication request |
| Error Code | 0x0 success, 0xC000006A wrong password, 0xC0000064 unknown user, etc. |

Glossary

  • NTLM — an older challenge/response authentication protocol. It is weak to pass-the-hash; replace it with Kerberos where possible.
