SOC Event Lookup
Event ID 4648LogonP1

Windows Event ID 4648: A logon was attempted using explicit credentials

Windows Security Event ID 4648 records a process attempting to authenticate with explicitly supplied credentials, making it valuable for investigating credential use and lateral movement.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

Windows logs this event when a caller supplies a username and password to access a local or remote resource rather than using the current session token.

Key Fields

Subject

The account and process that initiated the credential use. Compare it with the account whose credentials were supplied.

Account Whose Credentials Were Used

The target identity. Privileged, dormant, or service accounts used from unusual hosts deserve immediate review.

Target Server Name / Network Address

The destination resource and remote address. These fields identify the potential lateral-movement target.

Common False Positives

  • RunAs, scheduled tasks, backup systems, and deployment tools can use explicit credentials legitimately.
  • Administrative support staff may use alternate accounts to access servers or shares.

Related Events

MITRE ATT&CK Mapping

  • T1078Valid Accounts
  • T1021Remote Services

Detection Notes

T1078 credential abuse is signaled when Account Whose Credentials Were Used is a privileged or service identity while Subject is a standard user, and Target Server Name is a new server. runas.exe, cmdkey.exe, or powershell.exe in Process Name followed by a Type 3 or Type 10 4624 is a concrete lateral-movement sequence.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4648
| project TimeGenerated, Computer, Account, TargetAccount, ProcessName, IpAddress, TargetServerName
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4648
| table _time, host, SubjectUserName, TargetUserName, ProcessName, TargetServerName, NetworkAddress
Sample Log
Subject: CORP\jsmith
Account Whose Credentials Were Used: CORP\admin.ops
Target Server Name: FILE01
Process Name: C:\Windows\System32\runas.exe
Network Address: 10.x.x.x

Source