EventPeeker
Event ID 4776 · Audit Success · Security · T1550.002

Windows Event ID 4776: NTLM Credential Validation

Logged on the domain controller each time it validates NTLM credentials — for both successful and failed authentications. Unlike 4625 (which fires on the machine where the logon was attempted), 4776 fires on the DC that performed the actual credential validation. This makes it the authoritative record of NTLM authentication activity for domain accounts, and the primary detection surface for NTLM-based pass-the-hash and relay attacks.

MITRE ATT&CK

Technique

T1550.002 · Pass the Hash

Tactic

Lateral Movement

View on attack.mitre.org →

Why It Matters

Pass-the-hash exploits the NTLM protocol's design: an attacker who has captured an NTLM hash can authenticate as that account without knowing the plaintext password. The DC validates the NTLM hash directly — and 4776 records this validation. A successful 4776 for a privileged account from an unexpected workstation, with no preceding user interaction, is a strong pass-the-hash indicator. NTLM relay attacks (where an attacker forwards NTLM authentication from one system to another) also generate 4776 events on the DC, often with the Workstation field pointing to an unexpected relay host.

Key Fields

Account Name: The domain account being validated — high-privilege accounts (Domain Admins, service accounts with broad access) authenticating via NTLM from unexpected workstations are priority targets
Workstation: The machine the NTLM authentication originated from — in pass-the-hash, this is often the attacker's machine or a relay host rather than a machine the account normally uses
Error Code: 0x0 = authentication succeeded; 0xC000006A = wrong password (correct username); 0xC0000064 = username does not exist; 0xC000006D = generic failure; 0xC0000234 = account locked out; 0xC0000072 = account disabled
Authentication Package: NTLM or NTLMv2 — NTLMv1 is weaker and should not appear in modern environments; its presence may indicate a downgrade attack or a legacy system

Investigation Tips

  1. Pass-the-hash signal: successful 4776 (Error Code 0x0) for a privileged account (Domain Admin, service account) from a workstation that account doesn't normally access. Cross-reference the Workstation field against the account's known logon history in 4624 events — an unfamiliar workstation is the key indicator.
  2. NTLM to a DC is abnormal: domain accounts authenticating to domain resources should use Kerberos. NTLM to a DC for a domain account means either a legacy application, a misconfiguration, or an attacker using a captured hash. Alert on all successful NTLM authentications to DCs from non-standard sources.
  3. NTLM relay: bulk 4776 events from a single Workstation for multiple different Account Names in quick succession, all succeeding — especially if that workstation is not a known admin host. An NTLM relay host forwards captured authentications to the DC, appearing to authenticate as multiple victims.
  4. Brute-force: repeated 4776 failures (Error Code 0xC000006A) from the same Workstation targeting the same Account Name. NTLM brute-force on a DC is less common than on endpoints (most NTLM auth routes through the endpoint's 4625) but does occur with tools that target the DC directly.
  5. Account enumeration: 4776 failures with Error Code 0xC0000064 (username does not exist) in volume from one Workstation. The attacker is validating which account names are valid before launching credential attacks.
  6. Consider enforcing NTLMv2 minimum via GPO (Network security: LAN Manager authentication level) and disabling NTLM on domain controllers entirely where Kerberos is sufficient — this eliminates the entire attack surface for NTLM-based pass-the-hash at the DC level.
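The four detection heuristics from tips 1, 3, 4 and 5, applied to a batch of 4776 events, as an added example (not EventPeeker's code). It assumes the events have already been parsed out of the DC's Security log into dicts keyed by the page's fields and filtered to one short time window; the privileged-account baseline, thresholds and sample events are constructed.

```python
"""Triage heuristics for Windows Event ID 4776 (NTLM credential validation on a DC)."""
from collections import Counter, defaultdict

# Error Code values documented for 4776.
SUCCESS, WRONG_PASSWORD, NO_SUCH_USER = "0x0", "0xC000006A", "0xC0000064"

# Constructed baseline: privileged accounts and the workstations each one is
# normally seen on (in practice derived from historical 4624 logon events).
PRIVILEGED = {"da-admin", "svc-backup"}
KNOWN_HOSTS = {"da-admin": {"ADMIN-WS01"}, "svc-backup": {"BACKUP01"}}

# Constructed sample events (Account Name, Workstation, Error Code) from one window.
SAMPLE_4776 = [
    {"account": "da-admin", "workstation": "ADMIN-WS01", "error": SUCCESS},  # baseline host
    {"account": "da-admin", "workstation": "WS-HR-22", "error": SUCCESS},    # unexpected host
    {"account": "alice", "workstation": "WS-HR-22", "error": SUCCESS},
    {"account": "bob", "workstation": "WS-HR-22", "error": SUCCESS},
    {"account": "carol", "workstation": "WS-HR-22", "error": SUCCESS},
] + [{"account": "svc-backup", "workstation": "WS-DEV-07", "error": WRONG_PASSWORD}] * 6 \
  + [{"account": f"user{i}", "workstation": "WS-DEV-07", "error": NO_SUCH_USER} for i in range(8)]


def triage_4776(events, relay_min=3, brute_min=5, enum_min=5):
    """Return (finding, workstation, detail) tuples for tips 1, 3, 4 and 5."""
    findings = []
    ok_accounts = defaultdict(set)  # workstation -> distinct accounts that succeeded
    bad_pw = Counter()              # (workstation, account) -> wrong-password failures
    no_user = Counter()             # workstation -> unknown-username failures
    for e in events:
        acct, ws, err = e["account"], e["workstation"], e["error"]
        if err == SUCCESS:
            ok_accounts[ws].add(acct)
            # Tip 1: privileged account validated from a workstation outside its baseline.
            if acct in PRIVILEGED and ws not in KNOWN_HOSTS.get(acct, set()):
                findings.append(("pass-the-hash", ws, acct))
        elif err == WRONG_PASSWORD:
            bad_pw[(ws, acct)] += 1
        elif err == NO_SUCH_USER:
            no_user[ws] += 1
    # Tip 3: one workstation successfully validating as many different accounts.
    findings += [("ntlm-relay", ws, sorted(a)) for ws, a in ok_accounts.items() if len(a) >= relay_min]
    # Tip 4: repeated wrong-password failures against one account from one host.
    findings += [("brute-force", ws, acct) for (ws, acct), n in bad_pw.items() if n >= brute_min]
    # Tip 5: a volume of unknown-username failures from one host.
    findings += [("account-enumeration", ws, n) for ws, n in no_user.items() if n >= enum_min]
    return findings


if __name__ == "__main__":
    for finding in triage_4776(SAMPLE_4776):
        print(*finding)
```

Each finding still needs the 4624/4672 cross-reference from the tips above before it is treated as confirmed; the thresholds are starting points to tune against the environment's own NTLM volume.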

Related Event IDs

4625: Failed logon — member server view of the same NTLM failure; 4776 is the DC view
4624: Successful logon — the logon event that follows a successful 4776 validation
4672: Special privileges — if the NTLM-authenticated account is privileged, 4672 follows 4624
4768: Kerberos TGT request — absence of 4768 with presence of 4776 = NTLM used where Kerberos expected
