SOC Event Lookup
Event ID 4776LogonP1

Windows Event ID 4776: The domain controller attempted to validate credentials (NTLM)

Windows Security Event ID 4776 records NTLM credential validation performed by a domain controller.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

A domain controller logs this event when it validates NTLM credentials for a user or computer account.

Key Fields

Logon Account

The account whose NTLM credentials were validated. Watch for high-volume attempts against many identities.

Source Workstation

The client that requested validation. This identifies the host performing authentication attempts.

Error Code

The validation result. Codes distinguish bad passwords, unknown users, disabled accounts, and other outcomes.

Common False Positives

  • Legacy applications and SMB systems may rely on NTLM by design.
  • Password changes can cause recurring failures from services using old credentials.

Related Events

MITRE ATT&CK Mapping

  • T1110Brute Force
  • T1078Valid Accounts

Detection Notes

T1110.003 spraying through NTLM appears as Error Code 0xC000006A (bad password) across many Logon Account values from one Source Workstation. Error 0xC0000064 instead shows nonexistent-account enumeration. A successful 0x0 validation after either burst should be correlated with 4624 and 4648.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4776
| summarize Attempts=count() by Computer, Account, Workstation, Status, bin(TimeGenerated, 5m)
| where Attempts > 10
Splunk SPL
index=wineventlog EventCode=4776
| bucket _time span=5m
| stats count by _time, Workstation, Logon_Account, Error_Code
Sample Log
Logon Account: jsmith
Source Workstation: WS-014
Error Code: 0xC000006A

Source