metrolog asked metrolog commented

Running PsExec on remote computer with alternative user and 4776 event on domain controller

I am running PsExec as a local user (local user mgmttest) as follows:

 psexec \\mgmt2 -u domain.test\deploy -p password -e -i ipconfig 

At this moment, the following event is received on the domain controller:

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">  
 <System>  
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />  
 <EventID>4776</EventID>  
 <Version>0</Version>  
 <Level>0</Level>  
 <Task>14336</Task>  
 <Opcode>0</Opcode>  
 <Keywords>0x8010000000000000</Keywords>  
 <TimeCreated SystemTime="2022-01-11T09:28:35.097336300Z" />  
 <EventRecordID>128219558</EventRecordID>  
 <Correlation />  
 <Execution ProcessID="504" ThreadID="1096" />  
 <Channel>Security</Channel>  
 <Computer>dc01.domain.test</Computer>  
 <Security />  
 </System>  
 <EventData>  
 <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>  
 <Data Name="TargetUserName">mgmttest</Data>  
 <Data Name="Workstation">mgmt1</Data>  
 <Data Name="Status">0xc0000064</Data>  
 </EventData>  
 </Event> 


Why does PsExec try to authenticate with a local user on a domain controller, creating event 4776?

Tags: windows-server, windows-sysinternals-pstools

1 Answer

LimitlessTechnology-2700 answered metrolog commented

Hello

Thank you for your question and reaching out.

I can understand you are having some queries regarding event logs after connecting to PsExec.

In my opinion it's normal behavior and you can safely ignore it.

Please have a look at the article below.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776

--If the reply is helpful, please Upvote and Accept as answer--


Very often, event 4776 is used to detect lateral movement of attackers through a corporate network or to detect pass-the-hash attacks. And it is very strange that such an event is created on behalf of the local and current user.

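As an added example (not part of the question or the answer), the following Python script parses the 4776 event posted above and classifies it the way a detection rule might. The Status value 0xc0000064 means "user name does not exist" in Microsoft's 4776 reference linked in the answer, i.e. the DC was asked to validate the local account name mgmttest, which it has no account for; the local_accounts inventory passed to triage() is an assumed per-workstation list of local accounts that the rule uses to tell this noise apart from an unknown name.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status codes from Microsoft's event 4776 reference (linked in the answer).
STATUS_TEXT = {
    "0x0": "success",
    "0xc0000064": "user name does not exist on the validating DC",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

# The event from the question, reduced to the elements used below.
SAMPLE_4776 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4776</EventID>
<Computer>dc01.domain.test</Computer></System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">mgmttest</Data>
<Data Name="Workstation">mgmt1</Data>
<Data Name="Status">0xc0000064</Data>
</EventData></Event>"""


def parse_4776(xml_text):
    """Flatten a 4776 event's XML rendering into a dict of its fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    evt = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        evt[d.get("Name")] = d.text
    evt["Status"] = evt["Status"].lower()  # table keys are lower-case hex
    return evt


def triage(evt, local_accounts):
    """Classify one event; local_accounts maps workstation -> set of local (non-domain) account names."""
    reason = STATUS_TEXT.get(evt["Status"], "other failure")
    user, host = evt["TargetUserName"], evt["Workstation"]
    if evt["Status"] == "0x0":
        return f"NTLM validation of {user} from {host} succeeded"
    if evt["Status"] == "0xc0000064" and user in local_accounts.get(host, set()):
        # The DC was asked about a name that exists only on the workstation:
        # expected noise for local-account sessions, so baseline it rather than alert.
        return f"benign: local account {user} forwarded by {host} ({reason})"
    return f"review: {user} from {host} failed ({reason})"
```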