Windows Event ID 4648 - Explicit Credentials Logon
Records when a process attempts to log on using explicit credentials (for example RunAs, or mapping a drive with different credentials). Critical for detecting lateral movement, credential theft, and pass-the-hash attacks.
Quick Facts
Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)
Log Example
Default format: Windows Event Log Format
Example Log Entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2026 11:45:30 AM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WORKSTATION01.corp.local
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-1234567890-1234567890-1234567890-1001
Account Name: jsmith
Account Domain: CORP
Logon ID: 0x12345678
Account Whose Credentials Were Used:
Account Name: admin
Account Domain: CORP
Target Server:
Target Server Name: DC01.corp.local
Additional Information: cifs/DC01.corp.local
Process Information:
Process ID: 0x1234
Process Name: C:\Windows\System32\net.exe
Structure: XML-based binary format with structured EventData fields
Paths by Platform
Available Formats
Windows Event Log Format
Default
Example: identical to the log entry shown above.
Structure: XML-based binary format with structured EventData fields
XML Format
Example:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-02-01T11:45:30.123456789Z"/>
<EventRecordID>456789</EventRecordID>
<Computer>WORKSTATION01.corp.local</Computer>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
<Data Name="SubjectUserName">jsmith</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x12345678</Data>
<Data Name="TargetUserName">admin</Data>
<Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetServerName">DC01.corp.local</Data>
<Data Name="TargetInfo">cifs/DC01.corp.local</Data>
<Data Name="ProcessId">0x1234</Data>
<Data Name="ProcessName">C:\Windows\System32\net.exe</Data>
<Data Name="IpAddress">192.168.1.50</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Structure: Native XML representation of the event
JSON (Winlogbeat/NXLog)
Example:
{
"event_id": 4648,
"log_name": "Security",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "WORKSTATION01.corp.local",
"time_created": "2026-02-01T11:45:30.123Z",
"keywords": ["Audit Success"],
"event_data": {
"SubjectUserSid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
"SubjectUserName": "jsmith",
"SubjectDomainName": "CORP",
"TargetUserName": "admin",
"TargetDomainName": "CORP",
"TargetServerName": "DC01.corp.local",
"ProcessName": "C:\\Windows\\System32\\net.exe"
}
}
Structure: Structured JSON from log forwarders
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| EventID | integer | Event identifier (always 4648 for explicit credentials logon) | 4648 |
| TimeCreated | datetime | Timestamp of the logon attempt | 2026-02-01T11:45:30.123Z |
| Computer | string | Computer where the logon was initiated | WORKSTATION01.corp.local |
| SubjectUserName | string | Account that initiated the logon (current user) | jsmith |
| TargetUserName | string | Account whose credentials were used | admin |
| TargetServerName | string | Server being accessed with alternate credentials | DC01.corp.local |
| ProcessName | string | Process that requested the alternate credentials logon | C:\Windows\System32\net.exe |
| IpAddress | ip | Source IP address | 192.168.1.50 |
Parsing Patterns
Grok Patterns
xml:
<Data Name="SubjectUserName">%{DATA:subject_user}</Data>.*<Data Name="TargetUserName">%{DATA:target_user}</Data>.*<Data Name="TargetServerName">%{DATA:target_server}</Data>
Regular Expressions
xml:
SubjectUserName">(?P<subject_user>[^<]+)</Data>.*TargetUserName">(?P<target_user>[^<]+)</Data>.*TargetServerName">(?P<target_server>[^<]+)</Data>
Collector Configurations
Splunk (SPL)
# Explicit credential usage
index=wineventlog EventCode=4648
| where SubjectUserName != TargetUserName
| table _time, Computer, SubjectUserName, TargetUserName, TargetServerName, ProcessName

# Lateral movement detection
index=wineventlog EventCode=4648 TargetUserName="*admin*"
| stats dc(TargetServerName) as servers_accessed by SubjectUserName
| where servers_accessed > 5
Configuration
Enable Logging
Enable explicit credential logon auditing
auditpol /set /subcategory:"Logon" /success:enable
Log To Syslog
Forward via Windows Event Forwarding (WEF)
# Include in WEF subscription for logon events
Use Cases
Track RunAs usage
Monitor use of alternate credentials
Key fields: SubjectUserName, TargetUserName, ProcessName
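As an added example (not code from the original page), the Python below parses 4648 records in the XML format shown above into the fields of the table and applies the logic of the two Splunk searches in the Collector Configurations section: flag records where SubjectUserName differs from TargetUserName, and count distinct TargetServerName values per subject against the threshold of 5. The user names, servers and events are constructed samples.

```python
"""Parse Event ID 4648 records in the XML format above and apply the logic of
the two SPL searches: alternate-credential use and server fan-out per subject.
All events below are constructed samples."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(subject, target, server, process, event_id=4648):
    """Build a minimal constructed event carrying only the fields used here."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData><Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="TargetUserName">{target}</Data>'
            f'<Data Name="TargetServerName">{server}</Data>'
            f'<Data Name="ProcessName">{process}</Data></EventData></Event>')

# jsmith uses admin against six servers; jdoe maps a share as himself once
# and runs one command as a service account.
SAMPLE_EVENTS = [
    make_event("jsmith", "admin", f"SRV{n:02d}.corp.local",
               r"C:\Windows\System32\net.exe") for n in range(1, 7)
] + [
    make_event("jdoe", "jdoe", "FS01.corp.local", r"C:\Windows\explorer.exe"),
    make_event("jdoe", "svc_backup", "DC01.corp.local",
               r"C:\Windows\System32\cmd.exe"),
]

def parse_4648(xml_text):
    """Return EventData as a dict, or None when the record is not a 4648."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4648":
        return None
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}

def alternate_credential_use(events):
    """First search: caller logged on with another account. Windows account
    names are case-insensitive, so compare lower-cased."""
    return [e for e in map(parse_4648, events)
            if e and e["SubjectUserName"].lower() != e["TargetUserName"].lower()]

def fan_out_by_subject(events, threshold=5):
    """Second search: subjects using an admin-like account against more than
    `threshold` distinct target servers (dc(TargetServerName) > 5)."""
    servers = defaultdict(set)
    for e in map(parse_4648, events):
        if e and "admin" in e["TargetUserName"].lower():
            servers[e["SubjectUserName"]].add(e["TargetServerName"])
    return {s: len(v) for s, v in servers.items() if len(v) > threshold}
```

On the sample set, alternate_credential_use returns seven records (jdoe's logon as himself is excluded) and fan_out_by_subject returns jsmith with six distinct servers.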
Troubleshooting
Tested On
Windows Server 2022
admin - 2026-02-01
Last updated: 2026-02-01 by admin