{
  "id": "4776",
  "source": "windows_security",
  "category": "Logon",
  "name": "The domain controller attempted to validate credentials (NTLM)",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4776 records NTLM credential validation performed by a domain controller.",
  "trigger_scenarios": "A domain controller logs this event when it validates NTLM credentials for a user or computer account.",
  "key_fields": [
    {
      "field": "Logon Account",
      "explanation": "The account whose NTLM credentials were validated. Watch for high-volume attempts against many identities."
    },
    {
      "field": "Source Workstation",
      "explanation": "The client that requested validation. This identifies the host performing authentication attempts."
    },
    {
      "field": "Error Code",
      "explanation": "The validation result. Codes distinguish bad passwords, unknown users, disabled accounts, and other outcomes."
    }
  ],
  "false_positives": [
    "Legacy applications and SMB systems may rely on NTLM by design.",
    "Password changes can cause recurring failures from services using old credentials."
  ],
  "related_event_ids": [
    "4625",
    "4624",
    "4648"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1110",
      "technique_name": "Brute Force"
    },
    {
      "technique_id": "T1078",
      "technique_name": "Valid Accounts"
    }
  ],
  "detection_notes": "T1110.003 spraying through NTLM appears as Error Code 0xC000006A (bad password) across many Logon Account values from one Source Workstation. Error 0xC0000064 instead shows nonexistent-account enumeration. A successful 0x0 validation after either burst should be correlated with 4624 and 4648.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4776\n| summarize Attempts=count() by Computer, Account, Workstation, Status, bin(TimeGenerated, 5m)\n| where Attempts > 10",
  "spl_snippet": "index=wineventlog EventCode=4776\n| bucket _time span=5m\n| stats count by _time, Workstation, Logon_Account, Error_Code",
  "sample_log": "Logon Account: jsmith\nSource Workstation: WS-014\nError Code: 0xC000006A",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
  "route": "/windows-events/4776/",
  "canonical_url": "https://soceventlookup.com/windows-events/4776/",
  "json_url": "/api/events/windows-security/4776.json"
}
