
Windows Event 4776 on a local PC


#1 Suncatcher



Posted 21 July 2017 - 11:00 AM

Hi there,

I am inspecting my PC after a ransomware attack and doing security log analysis. What attracts my interest a lot is a 4776 event, which looks like this:

5/17/2017 12:06:17 PM Microsoft-Windows-Security-Auditing    4776 The computer attempted to validate the credentials for an account.
    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    ADMINISTRATOR
    Source Workstation:
    Error Code:    0xC000006A

This is a local home PC, obviously not included in any domain, whilst the official help states that this event is generated on a domain PC (or while connecting to a domain controller).

Am I missing something? Is this a general NTLM auth event, which can happen everywhere, or is it some sophisticated attack in which attackers were able to spoof a domain authentication request?

Edited by Suncatcher, 21 July 2017 - 11:01 AM.
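
As an added example (not part of the original post), the following Python parses a text export laid out like the one quoted above, decodes the Error Code field as an NTSTATUS value (0xC000006A is STATUS_WRONG_PASSWORD), and counts failed credential validations per account and source workstation. The function names and the sample records are constructed for illustration, and the export layout is assumed to match the quoted one.

```python
import re
from collections import Counter

# NTSTATUS values that commonly appear in the 4776 "Error Code" field.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\S+\s+(\d+)\b")
FIELD = re.compile(r"^\s*(Logon Account|Source Workstation|Error Code):[ \t]*(.*?)\s*$")

def parse_4776(text):
    """Return one dict per 4776 record; records of other event IDs are skipped."""
    events, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        field = FIELD.match(line)
        if head:
            current = {"time": head.group(1)} if head.group(2) == "4776" else None
            if current is not None:
                events.append(current)
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    for event in events:
        raw = event.get("Error Code", "")
        event["status"] = NTSTATUS.get(int(raw, 16), raw) if raw else "missing"
    return events

def failures(events):
    """Count failed validations per (account, source workstation, status)."""
    return Counter(
        (e.get("Logon Account", "").upper(), e.get("Source Workstation") or "<blank>", e["status"])
        for e in events if e["status"] != "STATUS_SUCCESS")

# Constructed sample in the layout of the export quoted in the post.
SAMPLE = """\
1/05/2020 9:14:02 AM Microsoft-Windows-Security-Auditing    4776 The computer attempted to validate the credentials for an account.
      Logon Account:    ADMINISTRATOR
      Source Workstation:
      Error Code:    0xC000006A
1/05/2020 9:14:03 AM Microsoft-Windows-Security-Auditing    4634 An account was logged off.
1/05/2020 9:14:05 AM Microsoft-Windows-Security-Auditing    4776 The computer attempted to validate the credentials for an account.
      Logon Account:    Administrator
      Source Workstation:
      Error Code:    0xC000006A
"""
```

Calling `failures(parse_4776(text))` on a full export groups repeated failures for the same account, which makes a run of wrong-password attempts stand out from a single mistyped logon.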
