4777 The domain controller failed to validate the credentials for an account (NTLM)
Written when a domain controller fails to validate credentials via NTLM. It captures NTLM authentication failures on the DC side.
Overview
The subcategory is Audit Credential Validation. The event is generated when a domain controller fails to validate credentials presented via NTLM. The failure reason is reported in the Error Code field, using the same error codes as 4776.
How it is triggered
- When NTLM authentication of a domain account fails, for example because of a wrong password or a disabled account.
Security review points
- Like a 4776 failure, it is an indicator of password spraying and brute force over the NTLM path. Watch for concentrations of failures by source workstation, target account, and error code.
- Depending on environment and version, NTLM validation failures appear mainly as 4776 (F). Monitor NTLM authentication failures comprehensively by watching both event IDs.
Notes for log review
- It is logged on domain controllers. Pivot on source workstation and target account to separate attack-driven failures from configuration or stale-credential causes.
- Combine it with Kerberos 4771 and NTLM 4776 to build the full picture of authentication failures.
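The review points above (concentrations by source workstation, target account and error code, and separating attack-driven failures from stale-credential noise) can be turned into a small triage script. The following is an added example, not part of the original page or of any Microsoft tooling: it runs over constructed sample records carrying the three key fields of 4776/4777, filters to failures (4777 always, 4776 only when the Error Code is non-zero), and applies three heuristics. The thresholds (`spray_accounts`, `brute_attempts`, `stale_repeats`) are assumptions to be tuned per environment; the NTSTATUS codes are the standard values reported in the Error Code field of these events.

```python
from collections import Counter, defaultdict

# NTSTATUS codes as reported in the Error Code field of 4776/4777.
ERROR_CODES = {
    "0x0": "success (4776 only)",
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}


def _ev(account, workstation, error, event_id=4777):
    # Minimal record carrying the key fields of the event.
    return {"event_id": event_id, "account": account,
            "workstation": workstation, "error": error}


# Constructed sample data (not real log output) shaped to show three patterns:
# one workstation touching many accounts, one account hit from many
# workstations, and one host repeatedly failing on a single service account.
SAMPLE_EVENTS = (
    [_ev(a, "WS-17", "0xC000006A")
     for a in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [_ev("svc-backup", "APP-03", "0xC000006A") for _ in range(4)]
    + [_ev("admin", ws, "0xC000006A")
       for ws in ("WS-02", "WS-09", "WS-31") for _ in range(4)]
    + [_ev("grace", "WS-40", "0xC0000072")]
    + [_ev("heidi", "WS-41", "0x0", event_id=4776)]
)


def failures(events):
    """Keep NTLM validation failures: 4777 always, 4776 when Error Code != 0x0."""
    return [e for e in events
            if e["event_id"] in (4776, 4777) and e["error"] != "0x0"]


def summarize(events):
    """Counts of failures along the three axes the review points call for."""
    fails = failures(events)
    return {
        "by_workstation": Counter(e["workstation"] for e in fails),
        "by_account": Counter(e["account"] for e in fails),
        "by_error": Counter(e["error"] for e in fails),
    }


def classify(events, spray_accounts=5, brute_attempts=10, stale_repeats=3):
    """Assumed heuristics: spray = one source, many accounts; brute force =
    one account, many attempts; stale credential = one source repeatedly
    failing with a wrong password on one account and touching nothing else."""
    fails = failures(events)
    accounts_per_ws = defaultdict(set)
    ws_per_account = defaultdict(set)
    per_account = Counter()
    per_pair = Counter()
    for e in fails:
        accounts_per_ws[e["workstation"]].add(e["account"])
        ws_per_account[e["account"]].add(e["workstation"])
        per_account[e["account"]] += 1
        per_pair[(e["workstation"], e["account"], e["error"])] += 1

    spray = sorted(ws for ws, accts in accounts_per_ws.items()
                   if len(accts) >= spray_accounts)
    brute = sorted(a for a, n in per_account.items() if n >= brute_attempts)
    stale = sorted(
        (ws, acct) for (ws, acct, err), n in per_pair.items()
        if err == "0xC000006A" and n >= stale_repeats
        and len(accounts_per_ws[ws]) == 1 and len(ws_per_account[acct]) == 1
    )
    return {"spray_sources": spray, "brute_forced_accounts": brute,
            "stale_credential_candidates": stale}


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for code, n in s["by_error"].most_common():
        print(f"{code} ({ERROR_CODES.get(code, 'unknown')}): {n}")
    for label, hits in classify(SAMPLE_EVENTS).items():
        print(f"{label}: {hits}")
```

Stale-credential candidates are the rows to clear first (a service or scheduled task still holding an old password) before treating the remaining concentrations as attack activity; the same three counters can be fed by 4771 records to complete the picture across Kerberos and NTLM.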
Key fields
| Field | Meaning |
|---|---|
| Logon Account | The account that failed validation |
| Source Workstation | The requesting machine |
| Error Code | The failure reason code |