{
  "id": "4648",
  "source": "windows_security",
  "category": "Logon",
  "name": "A logon was attempted using explicit credentials",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4648 records a process attempting to authenticate with explicitly supplied credentials, making it valuable for investigating credential use and lateral movement.",
  "trigger_scenarios": "Windows logs this event when a caller supplies a username and password to access a local or remote resource rather than using the current session token.",
  "key_fields": [
    {
      "field": "Subject",
      "explanation": "The account and process that initiated the credential use. Compare it with the account whose credentials were supplied."
    },
    {
      "field": "Account Whose Credentials Were Used",
      "explanation": "The target identity. Privileged, dormant, or service accounts used from unusual hosts deserve immediate review."
    },
    {
      "field": "Target Server Name / Network Address",
      "explanation": "The destination resource and remote address. These fields identify the potential lateral-movement target."
    }
  ],
  "false_positives": [
    "RunAs, scheduled tasks, backup systems, and deployment tools can use explicit credentials legitimately.",
    "Administrative support staff may use alternate accounts to access servers or shares."
  ],
  "related_event_ids": [
    "4624",
    "4688",
    "4776"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1078",
      "technique_name": "Valid Accounts"
    },
    {
      "technique_id": "T1021",
      "technique_name": "Remote Services"
    }
  ],
  "detection_notes": "T1078 credential abuse is signaled when Account Whose Credentials Were Used is a privileged or service identity while Subject is a standard user, and Target Server Name is a new server. runas.exe, cmdkey.exe, or powershell.exe in Process Name followed by a Type 3 or Type 10 4624 is a concrete lateral-movement sequence.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4648\n| project TimeGenerated, Computer, Account, TargetAccount, ProcessName, IpAddress, TargetServerName\n| order by TimeGenerated desc",
  "spl_snippet": "index=wineventlog EventCode=4648\n| table _time, host, SubjectUserName, TargetUserName, ProcessName, TargetServerName, NetworkAddress",
  "sample_log": "Subject: CORP\\jsmith\nAccount Whose Credentials Were Used: CORP\\admin.ops\nTarget Server Name: FILE01\nProcess Name: C:\\Windows\\System32\\runas.exe\nNetwork Address: 10.x.x.x",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648",
  "route": "/windows-events/4648/",
  "canonical_url": "https://soceventlookup.com/windows-events/4648/",
  "json_url": "/api/events/windows-security/4648.json"
}
