deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 11:23:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #9942 from rathbuna/patch-2

Browse Source 
Update event-4776.md
This commit is contained in:
Denise Vangel-MSFT
2021-09-16 08:45:12 -07:00
committed by GitHub
parent 1d3b786005 24ccda538c
commit aebb5f45f3
1 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/security/threat-protection/auditing/event-4776.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 04/19/2017 ms.date: 09/13/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -116,7 +116,7 @@ This event does *not* generate when a domain account logs on locally to a domain
| 0xC0000193 | Account logon with expired account. | | 0xC0000193 | Account logon with expired account. |
| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. | | 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. |
| 0xC0000234 | Account logon with account locked. | | 0xC0000234 | Account logon with account locked. |
| 0xc0000371 | The local account store does not contain secret material for the specified account. | | 0xC0000371 | The local account store does not contain secret material for the specified account. |
| 0x0 | No errors. | | 0x0 | No errors. |
> Table 1. Winlogon Error Codes. > Table 1. Winlogon Error Codes.
@ -126,7 +126,7 @@ This event does *not* generate when a domain account logs on locally to a domain
For 4776(S, F): The computer attempted to validate the credentials for an account. For 4776(S, F): The computer attempted to validate the credentials for an account.
| **Type of monitoring required** | **Recommendation** | | **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------|---------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
@ -143,7 +143,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
- Consider tracking the following errors for the reasons listed: - Consider tracking the following errors for the reasons listed:
| **Error to track** | **What the error might indicate** | | **Error to track** | **What the error might indicate** |
|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| |----------|----------------|
| **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. | | **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. |
| **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. | | **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. |
| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. | | **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. |