4776

The computer attempted to validate the credentials for an account

The computer attempted to validate credentials using NTLM authentication package via domain or local accounts.

Event ID 4776 is generated whenever the domain controller or local workstation attempts to validate user credentials using the legacy NTLM authentication protocol (`NTLMv1` / `NTLMv2`). Because NTLM does not provide mutual authentication and relies on challenge-response hashes, tracking 4776 is critical for spotting NTLM brute-forcing, Pass-the-Hash (PtH), and NTLM Relay attacks.

Failure Reason / Root Cause:

Legacy application authentication, SMB/file share access over NTLM, or active NTLM credential stuffing / Pass-the-Hash attacks.

CategoryLogon/Logoff
Audit typeSuccess / Failure Audit
SeverityMedium
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywordsntlm, credential validation, pass the hash, ntlm relay, authentication package, legacy auth
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.910Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to The computer attempted to validate the credentials for an account -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1550.002Use Alternate Authentication Material: Pass the HashLateral Movement
T1110Brute ForceCredential Access

Recommended actions

Related events