Windows Event ID 4648: A logon was attempted using explicit credentials
Windows Security Event ID 4648 records a process attempting to authenticate with explicitly supplied credentials, making it valuable for investigating credential use and lateral movement.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
Windows logs this event when a caller supplies a username and password to access a local or remote resource rather than using the current session token.
Key Fields
Subject
The account and process that initiated the credential use. Compare it with the account whose credentials were supplied.
Account Whose Credentials Were Used
The target identity. Privileged, dormant, or service accounts used from unusual hosts deserve immediate review.
Target Server Name / Network Address
The destination resource and remote address. These fields identify the potential lateral-movement target.
Common False Positives
- RunAs, scheduled tasks, backup systems, and deployment tools can use explicit credentials legitimately.
- Administrative support staff may use alternate accounts to access servers or shares.
Related Events
MITRE ATT&CK Mapping
- T1078Valid Accounts
- T1021Remote Services
Detection Notes
T1078 credential abuse is signaled when Account Whose Credentials Were Used is a privileged or service identity while Subject is a standard user, and Target Server Name is a new server. runas.exe, cmdkey.exe, or powershell.exe in Process Name followed by a Type 3 or Type 10 4624 is a concrete lateral-movement sequence.
SecurityEvent
| where EventID == 4648
| project TimeGenerated, Computer, Account, TargetAccount, ProcessName, IpAddress, TargetServerName
| order by TimeGenerated descindex=wineventlog EventCode=4648
| table _time, host, SubjectUserName, TargetUserName, ProcessName, TargetServerName, NetworkAddressSubject: CORP\jsmith
Account Whose Credentials Were Used: CORP\admin.ops
Target Server Name: FILE01
Process Name: C:\Windows\System32\runas.exe
Network Address: 10.x.x.x