EventPeeker
Event ID 4648 · Audit Success · Security · T1550.002

Windows Event ID 4648: Logon with Explicit Credentials

Logged when a process attempts to authenticate using explicitly provided credentials — e.g. runas, net use, or Pass-the-Hash attacks.

MITRE ATT&CK

Technique

T1550.002 · Pass the Hash

Tactic

Lateral Movement


Why It Matters

Attackers who have stolen credentials use explicit-credential logons to move laterally without logging into a new interactive session. High volumes of 4648, especially from LSASS or unusual processes, are a strong lateral movement indicator.

Key Fields

Account Name (Subject): The account performing the logon — who is providing credentials
Account Name (Credentials Used): The account whose credentials are being used
Target Server Name: What system or service is being accessed
Process Name: What process initiated the credential use — lsass.exe is normal; others may not be

Investigation Tips

  1. Look for 4648 where the Subject and Credentials Used accounts differ — this is explicit credential use.
  2. Correlate with 4624 Type 3 on the target system to confirm successful lateral movement.
  3. runas.exe in the process name is normal admin activity; powershell.exe or cmd.exe are more suspicious.
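
The three tips above applied as one triage pass, as an added example that is not EventPeeker's own code. The events are constructed samples keyed by the Windows EventData field names (SubjectUserName, TargetUserName, TargetServerName, ProcessName, LogonType). Assumptions: a 30-second correlation window, and a Target Server Name that matches the target's computer name.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Keys follow the EventData field
# names Windows uses for 4648 and 4624; hosts and accounts are invented.
EVENTS = [
    {"id": 4648, "time": "2024-05-01T10:00:00", "computer": "WS01",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup", "TargetServerName": "FS01",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4624, "time": "2024-05-01T10:00:03", "computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": "3"},
    {"id": 4648, "time": "2024-05-01T11:00:00", "computer": "WS02",
     "SubjectUserName": "bob", "TargetUserName": "bob_adm", "TargetServerName": "localhost",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
    {"id": 4648, "time": "2024-05-01T12:00:00", "computer": "WS03",
     "SubjectUserName": "carol", "TargetUserName": "carol", "TargetServerName": "FS01",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
]

EXPECTED = {"runas.exe", "lsass.exe"}  # processes this page describes as normal
WINDOW = timedelta(seconds=30)         # assumed 4648 -> 4624 correlation window

def triage(events):
    """Return one finding per 4648 where Subject and Credentials Used differ."""
    logons = [e for e in events if e["id"] == 4624 and e["LogonType"] == "3"]
    findings = []
    for e in (x for x in events if x["id"] == 4648):
        if e["SubjectUserName"].lower() == e["TargetUserName"].lower():
            continue  # tip 1: same account on both sides, nothing to flag
        t = datetime.fromisoformat(e["time"])
        proc = e["ProcessName"].rsplit("\\", 1)[-1].lower()
        # tip 2: a network logon for the used account on the target, shortly after
        confirmed = any(
            l["computer"].lower() == e["TargetServerName"].lower()
            and l["TargetUserName"].lower() == e["TargetUserName"].lower()
            and timedelta(0) <= datetime.fromisoformat(l["time"]) - t <= WINDOW
            for l in logons)
        findings.append({"source": e["computer"], "subject": e["SubjectUserName"],
                         "used": e["TargetUserName"], "target": e["TargetServerName"],
                         "process": proc, "unusual_process": proc not in EXPECTED,  # tip 3
                         "confirmed_on_target": confirmed})
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

In real logs the Target Server Name may be an FQDN, an SPN host part, or localhost, so normalize it before matching against the target's computer name.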

Related Event IDs

4624: Logon event on the target system
4625: Failed logon if the credentials were rejected
4672: Special privileges if the used account is privileged
