This event, logged to the Security channel, indicates a logon was completed using explicit credentials. Explicit credentials are credentials that are not currently active in the session and have been explicitly selected by an attacker. It is logged on the source system and may indicate lateral movement tactics such as the use of runas or access to remote file shares.
Note: In Windows XP, the corresponding Event ID is 552.
- Behavioral - Lateral Movement (TA0008)
- Account - Login History
- Account - Logon ID
- Account - Security Identifier (SID)
- Network Activity - Destination Identification
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
- Windows XP
%SystemRoot%\System32\Winevt\Logs\Security.evtx
The following fields may be interpreted from this artifact:
| Field Name | Interpretation |
|---|---|
| Subject / Security ID | SID of account that used the explicit credentials |
| Subject / Account Name | Name of account that used the explicit credentials |
| Subject / Logon ID | Logon ID of session for account that used the explicit credentials |
| Account Whose Credentials Were Used / Account Name | Account name for the explicit credentials |
| Target Server / Target Server Name | The name of the destination endpoint the credentials were used on |
| Process Information / Process ID | Hex PID of the process that used the explicit credentials |
| Process Information / Process Name | The command line of the process that used the explicit credentials |
| Network Information / Network Address | IP address of source endpoint |
Note: The SID may be translated by Event Viewer. To view the raw SID, look at the event's XML data, which has the following fields available:
This event may be correlated with events found on the destination endpoint, such as event 4624: An account was successfully logged on. In the case of runas activity, a 4624 event will be registered with Logon type 9.
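The following is an added example, not part of this artifact page or any tool it describes, showing how the fields in the table above can be pulled from a 4648 event's XML view and how such an event can be correlated with a 4624 logon type 9 on the destination. The event samples are constructed (hostnames, SIDs, addresses and timestamps are invented), and the two-minute window, the `localhost` handling for local runas activity and the matching keys (destination computer, account name, logon type) are assumptions of this example rather than rules from the page.

```python
"""Parse Windows Security events from their XML view and correlate a 4648
(explicit credential use, logged on the source) with a 4624 (successful
logon, logged on the destination). Added example; all samples are constructed."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Return {'event_id', 'computer', 'time', 'data'} from one Security event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # EventData holds <Data Name="..."> rows; the raw SID lives here untranslated.
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
        "data": data,
    }


def interpret_4648(ev):
    """Map the raw Data fields of a 4648 event onto the artifact fields in the table."""
    d = ev["data"]
    return {
        "subject_sid": d["SubjectUserSid"],
        "subject_account": f'{d["SubjectDomainName"]}\\{d["SubjectUserName"]}',
        "subject_logon_id": d["SubjectLogonId"],
        "credentials_used": f'{d["TargetDomainName"]}\\{d["TargetUserName"]}',
        "target_server": d["TargetServerName"],
        "process_id": int(d["ProcessId"], 16),  # the PID is logged as hex
        "process_name": d["ProcessName"],
        "network_address": d["IpAddress"],
    }


def correlate(ev4648, candidates, logon_type="9", window=timedelta(minutes=2)):
    """Return 4624 events from the destination that plausibly belong to this 4648:
    same destination host, same account, expected logon type, inside the time window."""
    fields = interpret_4648(ev4648)
    target = fields["target_server"]
    if target.lower() == "localhost":  # runas on the local box names itself "localhost"
        target = ev4648["computer"]
    wanted_user = ev4648["data"]["TargetUserName"].lower()
    matches = []
    for c in candidates:
        d = c["data"]
        if c["event_id"] != 4624 or c["computer"].lower() != target.lower():
            continue
        if d.get("LogonType") != logon_type:
            continue
        if d.get("TargetUserName", "").lower() != wanted_user:
            continue
        if abs(c["time"] - ev4648["time"]) > window:
            continue
        matches.append(c)
    return matches


def make_event_xml(event_id, computer, stamp, data):
    """Build a minimal Security-event XML document (constructed test data only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer><TimeCreated SystemTime="{stamp}"/></System>'
            f'<EventData>{rows}</EventData></Event>')


# Constructed samples: alice runs a process as svc_backup against FS01 from 10.0.0.5.
SAMPLE_4648 = make_event_xml(4648, "WS01", "2024-01-15T10:00:00.000000Z", {
    "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "alice",
    "SubjectDomainName": "EXAMPLE", "SubjectLogonId": "0x1a2b3",
    "TargetUserName": "svc_backup", "TargetDomainName": "EXAMPLE",
    "TargetServerName": "FS01", "ProcessId": "0x1c4",
    "ProcessName": "C:\\Windows\\System32\\runas.exe", "IpAddress": "10.0.0.5", "IpPort": "0"})
SAMPLE_4624_MATCH = make_event_xml(4624, "FS01", "2024-01-15T10:00:01.500000Z", {
    "TargetUserName": "svc_backup", "TargetDomainName": "EXAMPLE", "LogonType": "9",
    "IpAddress": "10.0.0.5"})
SAMPLE_4624_OTHER = make_event_xml(4624, "FS01", "2024-01-15T10:00:02.000000Z", {
    "TargetUserName": "svc_backup", "TargetDomainName": "EXAMPLE", "LogonType": "3",
    "IpAddress": "10.0.0.5"})

if __name__ == "__main__":
    source = parse_event(SAMPLE_4648)
    for name, value in interpret_4648(source).items():
        print(f"{name:18} {value}")
    hits = correlate(source, [parse_event(SAMPLE_4624_MATCH), parse_event(SAMPLE_4624_OTHER)])
    print("matching 4624 logon type 9 events on destination:", len(hits))
```

Real 4648 events carry more Data rows than the sample (for instance LogonGuid and TargetInfo); the parser keeps whatever rows are present, so the same functions work on XML copied from Event Viewer or exported from an .evtx file.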