Event 4648: A logon was attempted using explicit credentials.
Quick Answer
Event 4648 is generated when a user logs on using explicit credentials different from their current session, typically via RunAs, scheduled tasks, or remote access tools. This event is crucial for detecting lateral movement, privilege escalation with stolen credentials, and pass-the-hash attacks where attackers use compromised credentials to authenticate to remote systems.
Technical Details
Event ID: 4648
Windows Security- Authentication
Event Description
A logon was attempted using explicit credentials (e.g., RunAs).
Key Log Fields
SubjectUserName- Account name that used explicit credentialsSubjectDomainName- Domain of the accountSubjectLogonId- Logon ID of the sessionTargetUserName- Account name whose credentials were usedTargetDomainName- Domain of the target accountTargetServerName- Target server or resource nameProcessName- Process that used explicit credentials (often RunAs, PowerShell, or custom apps)IpAddress- Target IP address
MITRE ATT&CK® Mapping (5)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation) Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA) Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.
Event Comparison
Event 4648 shows the intention to use specific credentials (what credentials were presented), while Event 4624 shows successful authentication (credentials were accepted). Both events should be correlated for complete authentication visibility.
What This Event Means
Event 4648 provides critical visibility into credential usage patterns that often indicate lateral movement during active intrusions. When an attacker compromises credentials through credential dumping (Mimikatz, LSASS memory access) or password reuse, they use these credentials to authenticate to remote systems while maintaining their current session. This event captures both the account performing the authentication (source) and the credentials being used (target), enabling detection of anomalous credential usage. Common scenarios include runas.exe execution with domain admin credentials, scheduled task creation with specific service accounts, and network authentication to file shares or administrative shares. The event includes process information showing which application initiated the explicit credential usage.
Security Implications
- Lateral movement detection when compromised accounts authenticate to multiple systems in rapid succession
- Pass-the-hash and pass-the-ticket attacks visible when NTLM or Kerberos credentials are reused across systems
- Privilege escalation when standard user accounts invoke processes with administrative credentials
- Credential theft detection by correlating Event 4648 with known compromised accounts from credential dumping events
- APT groups like APT1 and Carbanak extensively use stolen credentials with RunAs for lateral movement without creating new accounts
Detection Strategies
Establish baselines for normal explicit credential usage patterns in your environment, particularly which accounts legitimately use RunAs or scheduled tasks. Alert on any user account using credentials for accounts with higher privileges than their own, especially non-IT staff using administrative credentials. Monitor for high-frequency Event 4648 generation from a single source system to multiple targets within short time windows (potential lateral movement sweeps). Correlate with Event 4624 Type 3 (network logons) and Event 4672 (special privileges assigned) to build complete authentication chains. Flag explicit credential use of recently reset passwords, service accounts from workstations, or privileged accounts from non-administrative systems. Track process names initiating explicit authentication - legitimate use is typically runas.exe, mstsc.exe, or schtasks.exe, while malicious tools like PsExec, Cobalt Strike, or Metasploit may appear.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
APT1 lateral movement: After dumping credentials from domain controller memory, attackers used compromised Domain Admin credentials via RunAs to access file servers and executive workstations
Cobalt Strike beacon activity: Event 4648 generated repeatedly as beacon used stolen credentials to spawn processes on remote systems during lateral movement phase
Emotet credential abuse: After harvesting credentials with Mimikatz, Emotet operators used Event 4648-generating RunAs to spread to additional domain systems
Ransomware pre-deployment: LockBit operators used explicit credentials to create scheduled tasks (generating Event 4648) across all domain systems before triggering encryption