Event ID 4776 - The DC attempted to validate the credentials for an account.

Event ID 4776 is logged whenever a domain controller (DC) validates the credentials of an account using NTLM instead of Kerberos. Despite what the event description says, the logging computer is not necessarily a domain controller: member servers and workstations also log this event for logon attempts with local SAM accounts, because NTLM is the default authentication mechanism for local logon.

In the case of domain account logon attempts, the DC validates the credentials, so event ID 4776 is recorded on the DC. In the case of logon attempts with a local SAM account, the workstation or member server validates the credentials, so event ID 4776 is recorded on that local machine.

Authentication Success - Event ID 4776 (S): If the credentials were successfully validated, the authenticating computer logs this event with the Result Code field equal to "0x0".

Authentication Failure - Event ID 4776 (F): If the authenticating computer fails to validate the credentials, the same event ID 4776 is logged, but with the Result Code field not equal to "0x0".

Authentication Package: This is always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0".
Logon Account: The name of the account that attempted a logon. The account can be a user account, a computer account, or a well-known security principal.
Source Workstation: The name of the computer from which the logon attempt originated.

Together these fields identify which account logged on (Logon Account) and the client computer from which the user initiated the logon (Source Workstation).

A non-zero Result Code indicates why validation failed, for example:
The username is correct but the password is wrong
The user tried to log on outside their day-of-the-week or time-of-day restrictions
The user attempted to log on from a restricted workstation
The user tried to log on with an expired account
The user tried to log on with a stale password
The user is required to change their password at the next logon
Evidently a bug in Windows and not a risk

For Kerberos authentication, see event IDs 4768, 4769, and 4771. Although Kerberos is the preferred authentication method for Active Directory environments, some applications still use NTLM, and there are several common situations in a Windows environment where NTLM is used instead of Kerberos.

Monitoring recommendations:
Monitor this event for multiple logon attempts with a misspelled password for the same account within a short span of time; this pattern indicates a brute-force attack on your network.
Monitor this event for multiple logon attempts with misspelled usernames within a short span of time; this pattern indicates a reverse brute-force, password spraying, or enumeration attack.
If local accounts should only be used directly on the machines where their credentials are stored, and never for network logon or Remote Desktop Connection, monitor for all events where Source Workstation and Computer have different values.
Monitor event ID 4776 to list all NTLM authentication attempts in your domain, and pay close attention to events generated by accounts that should never use NTLM for authentication.
NTLM should only be used for local logon attempts.
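The brute-force, password-spraying and local-account checks recommended above, as an added Python example (not code from the original page): it runs over constructed 4776 records, and the record field names, the thresholds and window, and the two non-zero Result Codes in the sample are assumptions rather than values taken from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event ID 4776 records (not real log data): the event's Logon
# Account, Source Workstation and Result Code, plus the Computer that logged it.
# The page only distinguishes Result Code 0x0 from non-0x0; the two failure codes
# below are the standard NTSTATUS values for "wrong password" (0xC000006A) and
# "user name does not exist" (0xC0000064).
EVENTS = (
    # brute force: one account, five wrong-password failures in 40 seconds
    [{"time": f"2024-01-01T09:00:{s:02d}", "computer": "DC01", "account": "alice",
      "workstation": "WS-22", "result": "0xc000006a"} for s in (0, 10, 20, 30, 40)]
    # spraying / enumeration: five misspelled usernames from one host in 48 seconds
    + [{"time": f"2024-01-01T10:00:{s:02d}", "computer": "DC01", "account": u,
        "workstation": "WS-99", "result": "0xc0000064"}
       for s, u in zip((0, 12, 24, 36, 48), ("bob", "bobb", "bobby", "rob", "robert"))]
    # local SAM account validated by FS01, but the attempt came from another host;
    # the second record is an ordinary local logon (Source Workstation == Computer)
    + [{"time": "2024-01-01T11:00:00", "computer": "FS01", "account": "localadmin",
        "workstation": "WS-07", "result": "0x0"},
       {"time": "2024-01-01T11:05:00", "computer": "FS01", "account": "localadmin",
        "workstation": "FS01", "result": "0x0"}]
)

def _burst(rows, threshold, window):
    """True if `threshold` distinct values occur inside one `window`-long span."""
    rows = sorted(rows)
    return any(len({v for t, v in rows if t0 <= t <= t0 + window}) >= threshold
               for t0, _ in rows)

def detect(events, threshold=5, window=timedelta(minutes=5), local_accounts=frozenset()):
    """Run the three monitoring checks from the text over a list of 4776 records."""
    by_account = defaultdict(list)  # brute force: many failures for one Logon Account
    by_source = defaultdict(list)   # spraying: many distinct accounts from one Source Workstation
    local_remote = []               # local account used from a machine other than the logging one
    for i, e in enumerate(events):
        t = datetime.fromisoformat(e["time"])
        if e["result"].lower() != "0x0":
            by_account[e["account"]].append((t, i))                # every failure counts
            by_source[e["workstation"]].append((t, e["account"]))  # distinct accounts count
        if e["account"] in local_accounts and e["workstation"].lower() != e["computer"].lower():
            local_remote.append((e["computer"], e["account"], e["workstation"]))
    return {
        "brute_force": sorted(a for a, r in by_account.items() if _burst(r, threshold, window)),
        "spraying": sorted(w for w, r in by_source.items() if _burst(r, threshold, window)),
        "local_network_logon": local_remote,
    }
```

Feed it records exported from the Security log with the same field names, and pass the set of accounts you treat as local in `local_accounts`; the thresholds should be tuned to the normal failure rate of your environment.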