Windows Event ID 4776: The domain controller attempted to validate credentials (NTLM)
Windows Security Event ID 4776 records NTLM credential validation performed by a domain controller.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
A domain controller logs this event when it validates NTLM credentials for a user or computer account.
Key Fields
Logon Account
The account whose NTLM credentials were validated. Watch for high-volume attempts against many identities.
Source Workstation
The client that requested validation. This identifies the host performing authentication attempts.
Error Code
The validation result. Codes distinguish bad passwords, unknown users, disabled accounts, and other outcomes.
Common False Positives
- Legacy applications and SMB systems may rely on NTLM by design.
- Password changes can cause recurring failures from services using old credentials.
Related Events
MITRE ATT&CK Mapping
- T1110Brute Force
- T1078Valid Accounts
Detection Notes
T1110.003 spraying through NTLM appears as Error Code 0xC000006A (bad password) across many Logon Account values from one Source Workstation. Error 0xC0000064 instead shows nonexistent-account enumeration. A successful 0x0 validation after either burst should be correlated with 4624 and 4648.
SecurityEvent
| where EventID == 4776
| summarize Attempts=count() by Computer, Account, Workstation, Status, bin(TimeGenerated, 5m)
| where Attempts > 10index=wineventlog EventCode=4776
| bucket _time span=5m
| stats count by _time, Workstation, Logon_Account, Error_CodeLogon Account: jsmith
Source Workstation: WS-014
Error Code: 0xC000006A