The computer attempted to validate the credentials for an account
The computer attempted to validate credentials using NTLM authentication package via domain or local accounts.
Event ID 4776 is generated whenever the domain controller or local workstation attempts to validate user credentials using the legacy NTLM authentication protocol (`NTLMv1` / `NTLMv2`). Because NTLM does not provide mutual authentication and relies on challenge-response hashes, tracking 4776 is critical for spotting NTLM brute-forcing, Pass-the-Hash (PtH), and NTLM Relay attacks.
Failure Reason / Root Cause:
Legacy application authentication, SMB/file share access over NTLM, or active NTLM credential stuffing / Pass-the-Hash attacks.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.910Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to The computer attempted to validate the credentials for an account -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1550.002 | Use Alternate Authentication Material: Pass the Hash | Lateral Movement |
T1110 | Brute Force | Credential Access |
Recommended actions
- Analyze failed 4776 events (`Error Code: 0xC000006A`) originating from unknown or unauthorized `Source Workstation` names.
- Transition enterprise authentication from legacy NTLM to Kerberos (`Disable NTLM` via Group Policy where feasible).
- Correlate with Event ID 4624 (`Logon Type 3`) to track pass-the-hash lateral movement.