Windows SecurityAuthenticationEnhanced Analysis

Event 4776: The domain controller attempted to validate the credentials for an account.

Quick Answer

Event 4776 is generated when a domain controller validates credentials for NTLM authentication, logging both successful and failed attempts. This event is critical for detecting pass-the-hash attacks, NTLM relay attacks, and identifying systems still using legacy NTLM authentication instead of more secure Kerberos, which may indicate older systems or misconfigurations exploitable by attackers.

Technical Details

Windows Security Source

Event ID: 4776

Windows Security- Authentication

Event Description

The domain controller attempted to validate the credentials for an account (NTLM Authentication).

Analyst Notes & Scenarios

  • Occurs on Domain Controllers during NTLM authentication attempts.
  • High volume of failures (Status != 0x0) can indicate brute-force or spraying attacks targeting NTLM.
  • Success (Status == 0x0) is normal but should be monitored for anomalous patterns (source workstation, account, time).

Key Log Fields

  • TargetUserName - Account name being validated
  • Workstation - Source workstation name
  • Status - Status code (0x0=success, 0xC000006A=wrong password, 0xC0000064=user doesn't exist)
  • PackageName - Authentication package (typically MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)

MITRE ATT&CK® Mapping (3)

T1078defense-evasion, initial-access, persistence, privilege-escalation
Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)

T1550.002defense-evasion, lateral-movement
Pass the Hash

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)

T1557.001collection, credential-access
LLMNR/NBT-NS Poisoning and SMB Relay

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS) Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.  Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)

Event Comparison

Event 4776 tracks NTLM authentication validation, while Event 4768 monitors Kerberos ticket requests. In secure environments, Kerberos should be dominant. High Event 4776 volume relative to Event 4768 may indicate security issues or legacy systems.

What This Event Means

Event 4776 provides visibility into NTLM authentication attempts processed by domain controllers, which is essential for detecting various credential-based attacks. While Kerberos is the preferred authentication protocol in Active Directory environments, NTLM remains common for legacy application compatibility, workgroup authentication, and scenarios where Kerberos is unavailable. Attackers frequently exploit NTLM because it is susceptible to pass-the-hash attacks where stolen NTLM hashes authenticate without needing plaintext passwords. This event records the source workstation, target username, and success/failure status. Security teams should track which systems generate NTLM authentication to identify legacy systems needing upgrades and detect anomalous NTLM usage that may indicate attacks. The event provides the error code for failures, helping distinguish between wrong passwords, account issues, or protocol problems.

Security Implications

  • Pass-the-hash attacks detected when stolen NTLM hashes successfully authenticate without corresponding Kerberos activity
  • NTLM relay attacks visible through rapid authentication attempts from unexpected source systems to multiple targets
  • Legacy system identification showing which machines still rely on NTLM and may lack modern security controls
  • Credential stuffing attacks using stolen NTLM hashes from external breaches or password dumps
  • Cobalt Strike, Metasploit, and PsExec commonly generate Event 4776 during lateral movement with pass-the-hash techniques

Detection Strategies

Establish a baseline of systems legitimately using NTLM authentication and alert on any new systems initiating NTLM requests. Monitor for successful Event 4776 authentication from workstations that typically use only Kerberos, which may indicate pass-the-hash attacks. Track authentication patterns where Event 4776 appears without corresponding Event 4768 (Kerberos ticket requests) suggesting credential theft rather than interactive logon. Alert on NTLM authentication failures with error codes indicating wrong passwords (0xC000006A) occurring rapidly across multiple accounts (potential password spraying). Correlate Event 4776 with Event 4624 Type 3 logons and Event 4648 to identify credential reuse patterns. Monitor privileged accounts for any NTLM authentication, as these should exclusively use Kerberos in properly configured environments.

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • Mimikatz pass-the-hash: After extracting NTLM hashes from LSASS memory, attackers authenticated to file servers generating Event 4776 without corresponding Kerberos events

  • Responder NTLM relay: Attackers used Responder to capture NTLM authentication attempts via LLMNR poisoning, then relayed them to domain controllers generating Event 4776

  • Cobalt Strike lateral movement: Beacon configured for SMB communication used pass-the-hash to spawn processes on remote systems, generating Event 4776 for each authentication

  • Legacy application vulnerability: Event 4776 from obsolete HR system using NTLM revealed unpatched Windows Server 2008 system exploited during ransomware attack

Contents