🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page

Was this helpful?

  1. Windows Artifacts
  2. Event IDs
  3. Authentication / Account

4648 - Explicit Credentials Success

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

Event ID 4648 in the Windows Security Event Log is a significant security event that indicates a logon attempt was made using explicit credentials. This event occurs when a user attempts to log on to a computer or access network resources by specifying credentials different from those associated with the current session. Such behavior is typical in scenarios where the "RunAs" command is used, or when scheduled tasks and services are configured to run under a specific account. Monitoring Event ID 4648 is crucial for identifying potential security risks, such as credential misuse or lateral movement attempts within a network.

Logged by the Security subsystem whenever a process or user initiates a logon attempt with explicit credentials.

Category: Audit Logon

Significance:

  • Security Implications: Event ID 4648 may indicate legitimate use cases, such as administrators managing multiple accounts or services configured with specific user credentials. However, it can also signal malicious activities, including pass-the-hash attacks, where attackers use stolen credentials to move laterally across a network.

  • Operational Context: In benign scenarios, this event helps track administrative activities and application behaviors requiring alternate credentials. In security contexts, it aids in detecting unauthorized access attempts and potential compromise.

Details Included in Event ID 4648

  • Subject: Information about the user or process that initiated the logon attempt. This includes:

    • Security ID: The SID of the initiating user.

    • Account Name: The name of the initiating account.

    • Account Domain: The domain of the initiating account.

    • Logon ID: A reference to the logon session of the initiating account.

  • Logon Type: Specifies the type of logon that was attempted. Common types include interactive (2), network (3), and batch (4).

  • Account Whose Credentials Were Used: Details about the account whose credentials were explicitly specified. This includes:

    • Account Name: The name of the account whose credentials were used.

    • Account Domain: The domain of the account whose credentials were used.

  • Process Information: Provides details about the process that requested the logon. This includes:

    • Process ID: The identifier of the process.

    • Process Name: The name of the process.

  • Network Information: Details about the network address and port number involved in the logon attempt.

How to Use Event ID 4648 for Security

Monitoring and Alerting: Setting up alerts for unexpected or unauthorized use of Event ID 4648 can help detect potential security threats early. Special attention should be given to patterns or anomalies, such as logon attempts at unusual hours or from unusual locations.

Forensic Analysis: In the aftermath of a security incident, analyzing occurrences of Event ID 4648 can help in understanding how an attacker might have used stolen credentials to access resources or move laterally within the environment.

Access Reviews and Audits: Regular reviews of logs containing Event ID 4648 are important for ensuring that the use of explicit credentials aligns with organizational policies and security best practices.

Best Practices for Monitoring Event ID 4648

  • Enable Detailed Auditing: Ensure that "Audit Logon" is enabled in Group Policy to capture detailed events related to logon activities, including the use of explicit credentials.

  • Implement Least Privilege Principle: Minimize the number of users and accounts with permissions to use alternate credentials to reduce the risk of misuse or attack.

  • Educate Users and Administrators: Provide training on the secure management of credentials and the potential risks associated with their misuse.

  • Use SIEM Solutions: Employ Security Information and Event Management (SIEM) systems to correlate Event ID 4648 with other indicators of compromise, enhancing the ability to detect malicious activities.

Limitations

While Event ID 4648 provides valuable information about the use of explicit credentials, it does not inherently distinguish between legitimate and malicious activities. Contextual analysis, correlation with additional indicators, and understanding normal usage patterns within the organization are necessary to accurately interpret these events.

Previous4634 - Account LogoffNext4672 - Special Privileges

Last updated 1 year ago

Was this helpful?