Windows Event 4776 — NTLM Credential Validation


What This Means

Event 4776 records every NTLM credential validation handled by the Local Security Authority: on a domain controller for domain accounts, on the member server or workstation itself for local accounts. Because every NTLM logon in the domain produces one, it is the primary log source for spotting pass-the-hash, password spraying over NTLM, lingering legacy-protocol use, and plain credential validation failures.

Example Log

The computer attempted to validate the credentials for an account.

Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:           admin
Source Workstation:      WORKSTATION07
Error Code:              0xC000006A

Here 0xC000006A means the account exists but the password was wrong. Other values you will see often are 0xC0000064 (user name does not exist) and 0xC0000234 (account locked out); 0x0 is a successful validation. The rendered message labels the field Error Code, but in the event XML it is the Data element named Status.

Indicators of Suspicious Activity

How to Investigate

  1. Identify the Source Workstation and verify it in your asset inventory. The value is taken from the client's NTLM AUTHENTICATE message, so it can be blank or attacker-chosen; an unknown or blank name is itself a lead
  2. Check the Error Code to understand the failure reason (0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out), and look at the volume: many distinct accounts failing from one workstation is the signature of a password spray
  3. If the Error Code is 0x0 (success) with NTLM, investigate why Kerberos was not used: a connection by IP address instead of host name, a missing SPN, a legacy application, or a pass-the-hash logon
  4. Correlate with Event 4624 on the target system to find the logon details. 4776 carries no IP address or logon type; the matching 4624 (Authentication Package NTLM) carries Logon Type, Source Network Address and Workstation Name
  5. Check whether the Logon Account has been involved in other suspicious events, in particular a run of bad passwords followed by a success from the same workstation
  6. Investigate whether the source workstation may be compromised
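The six steps above as one PowerShell triage, run on a domain controller. This is an added example, not code from the original page: the inventory path, the watched group, the target server name and the spray threshold are assumptions for illustration, and reading the Security log needs an account with that right.

```powershell
# Added example (not code from the original page): triage the last 24 hours of
# Event 4776 on a domain controller. Assumptions are marked inline.

# Values 4776 reports in its Error Code field (NTSTATUS codes).
$ErrorCodes = @{
    '0x00000000' = 'Success'
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'User name correct, password wrong'
    '0xC000006D' = 'Generic logon failure'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
    '0xC0000224' = 'User must change password at next logon'
    '0xC0000234' = 'Account locked out'
}

# Flatten an event's EventData into a name -> value hashtable.
function ConvertFrom-EventData([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

$KnownHosts      = Get-Content 'C:\Inventory\hostnames.txt'   # assumption: inventory export, one host per line
$WatchedAccounts = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName   # assumption: RSAT AD module installed
$Since           = (Get-Date).AddHours(-24)

$records = foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $Since }) {
    $data = ConvertFrom-EventData $e
    # The message labels the XML field "Status" as "Error Code"; normalize its case and width.
    $code = '0x{0:X8}' -f [Convert]::ToUInt32($data.Status, 16)
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data.TargetUserName
        Workstation = $data.Workstation
        Code        = $code
        Reason      = $(if ($ErrorCodes.ContainsKey($code)) { $ErrorCodes[$code] } else { 'Unknown code' })
    }
}

# Step 1: Source Workstation not in the inventory. The name is client-supplied, so it
# can be blank or attacker-chosen; blank values are reported as their own group.
$records | Where-Object { $_.Workstation -notin $KnownHosts } |
    Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object @{ n = 'Workstation'; e = { if ($_.Name) { $_.Name } else { '<blank>' } } }, Count

# Step 2: failure reasons overall, then a password-spray check: many distinct accounts
# failing with "bad password" or "unknown user" from one workstation.
$records | Group-Object Reason | Select-Object Count, Name
$records | Where-Object { $_.Code -in @('0xC000006A', '0xC0000064') } |
    Group-Object Workstation | ForEach-Object {
        $distinct = ($_.Group.Account | Sort-Object -Unique).Count
        if ($distinct -ge 10) {   # assumption: threshold tuned to the environment
            [pscustomobject]@{ Workstation = $_.Name; Failures = $_.Count; DistinctAccounts = $distinct }
        }
    }

# Step 3: successful NTLM validation of a high-value account. With Kerberos available
# this should be rare, and a pass-the-hash logon produces exactly this record.
$records | Where-Object { $_.Code -eq '0x00000000' -and $_.Account -in $WatchedAccounts } |
    Select-Object Time, Account, Workstation

# Step 4: 4776 has no IP address or logon type; the 4624 on the target server does.
$Target = 'FILESERVER01'   # assumption: the server the account was used against
Get-WinEvent -ComputerName $Target -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.TargetUserName -in $WatchedAccounts) {
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; LogonType = $d.LogonType
                               SourceIP = $d.IpAddress; Workstation = $d.WorkstationName }
        }
    }

# Step 5: a run of bad passwords that ends in a success from the same workstation,
# either a guessing attack that worked or a user mistyping; decide by context.
$records | Sort-Object Time | Group-Object Account, Workstation | ForEach-Object {
    $firstFail = ($_.Group | Where-Object Code -eq '0xC000006A' | Select-Object -First 1).Time
    $lastOk    = ($_.Group | Where-Object Code -eq '0x00000000' | Select-Object -Last 1).Time
    if ($firstFail -and $lastOk -and $lastOk -gt $firstFail) {
        [pscustomobject]@{ AccountAndWorkstation = $_.Name; FirstFailure = $firstFail; LaterSuccess = $lastOk }
    }
}
```

Step 6 has no single query: take the workstations surfaced by steps 1, 2 and 5 and pivot to their own Security and Sysmon logs. Note that the 4624 query in step 4 reads the remote log over RPC, which the target's firewall must allow.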

Recommended Mitigations

Frequently Asked Questions

What does Event 4776 record?
Event 4776 is logged by the computer that validated the credentials: the domain controller for domain accounts, the member server or workstation itself for local accounts. Unlike the Kerberos events (4768, 4769, 4771), it shows only the account name and the client-supplied Source Workstation, with no IP address, so finding the true source means correlating with 4624 or 4625 on the target system.
Why is NTLM authentication a security risk?
NTLM is vulnerable to pass-the-hash attacks, relay attacks, and offline cracking. It does not support modern security features like mutual authentication. Organizations should minimize NTLM use and enforce Kerberos.
How do I reduce NTLM authentication in my domain?
Enable NTLM auditing first (GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Audit NTLM authentication in this domain, on domain controllers, and Audit Incoming NTLM Traffic, on servers), review the events in Applications and Services Logs > Microsoft > Windows > NTLM > Operational to identify the clients and applications still using NTLM, migrate them to Kerberos (register SPNs, connect by host name rather than IP, update or replace the application), then progressively restrict NTLM with the matching Restrict NTLM policies, adding server exceptions for anything that cannot move.
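The audit, review and restrict procedure in PowerShell, as an added example that is not part of the original page. The registry values are the ones the named Group Policy settings write; in production set them through GPO rather than directly. The EventData field names used for event 8004 are what I expect from its XML and should be verified against a live event with Format-List.

```powershell
# Added example (not code from the original page): audit NTLM use, build the
# migration worklist, and only then restrict. Registry values back the GPO
# settings named in the comments; set them via Group Policy in production.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1, on domain controllers: "Network security: Restrict NTLM: Audit NTLM
# authentication in this domain" = Enable all.
Set-ItemProperty -Path $msv -Name AuditNTLMInDomain -Value 7 -Type DWord
# On member servers: "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
# = Enable auditing for all accounts.
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord

# Step 2, after a representative period: summarize the NTLM operational log.
# 8004 is the DC-side record for domain accounts; 8001/8002 are the client- and
# server-side records, 8003 the server-side record for domain accounts.
$ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } -ErrorAction SilentlyContinue

$usage = foreach ($e in $ntlm) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Id          = $e.Id
        Time        = $e.TimeCreated
        User        = $data.UserName          # assumption: field names as in 8004; verify with Format-List *
        Workstation = $data.WorkstationName
        Target      = $data.SChannelName      # the server whose secure channel relayed the validation
    }
}

# Which client hosts still authenticate with NTLM, and to which servers? Every row is
# a migration item that needs an owner and a Kerberos fix before NTLM is restricted.
$usage | Where-Object Id -eq 8004 | Group-Object Workstation, Target |
    Sort-Object Count -Descending | Select-Object Count, Name

# Step 4, only once the list is empty or every remaining row is an accepted exception:
# switch the matching "Restrict NTLM: NTLM authentication in this domain" policy to
# Deny all, after listing accepted servers under "Restrict NTLM: Add server exceptions
# in this domain". Left as a comment on purpose; do not run this in the same change.
# Set-ItemProperty -Path $msv -Name RestrictNTLMInDomain -Value 7 -Type DWord
```

Run the summary on each domain controller (or forward the NTLM operational log centrally), since 8004 is written on whichever DC validated the logon. The 4776 events in the Security log are a reasonable fallback when the operational log is not yet enabled, but they do not identify the application or the server the client targeted.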