|
|
Forum Newbie
      
Group: Forum Members
Last Login: 11/19/2018 9:59:54 PM
Posts: 3,
Visits: 5
|
|
Since 4648 tracks those events in which accounts use explicit credentials, how is it that both subject account name and account whose credentials were used are same? I have an entry like this where the process name has PowerShell. While this may be safe entry, where is the question of explicit credentials being used?
|
|
|
|
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
|
|
Can you provide an example of this event?
|
|
|
|
Forum Newbie
      
Group: Forum Members
Last Login: 3/1/2017 1:54:19 PM
Posts: 1,
Visits: 3
|
|
Will this type of logon also generate a 4624?
|
|
|
|
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
|
|
In some of the cases it does. From the encyclopedia,"Unfortunately this event is also logged in situations where it doesn't seem necessary. For instance logging on interactively to a member server (Win2008 RC1) with a domain account produces an instance of this event in addition to 2 instances of 4624."
|
|
|
|