I am inspecting my PC after a ransomware attack and doing security log analysis. What attracts my interest a lot is a 4776 event, which looks like this:
5/17/2017 12:06:17 PM Microsoft-Windows-Security-Auditing 4776 The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: ADMINISTRATOR Source Workstation: Error Code: 0xC000006A
This is a local home PC, obviously not included in any domain, whilst the official help states that this event is generated on a domain PC (or while connecting to a domain controller).
Am I missing something? Is this a general NTLM auth event, which can happen everywhere, or is it some sophisticated attack where attackers were able to spoof a domain authentication request?
Edited by Suncatcher, 21 July 2017 - 11:01 AM.