Forum

Ultimate Windows Security Forum » Security Log » 4648 - A logon was attempted using explicit... » Same Subject Account Name and Account whose...

Same Subject Account Name and Account whose... Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
kashish
Posted 12/16/2016 5:54:47 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 11/19/2018 9:59:54 PM
Posts: 3, Visits: 5
Since 4648 tracks those events in which accounts use explicit credentials, how is it that both subject account name and account whose credentials were used are same? I have an entry like this where the process name has PowerShell. While this may be safe entry, where is the question of explicit credentials being used?
Post #7295
derekthomas
Posted 12/26/2016 4:03:27 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 234, Visits: 0
Can you provide an example of this event?
Post #7301
mongoose
Posted 2/27/2017 4:09:54 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/1/2017 1:54:19 PM
Posts: 1, Visits: 3
Will this type of logon also generate a 4624?
Post #7322
derekthomas
Posted 3/17/2017 7:57:01 AM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 234, Visits: 0
In some of the cases it does. From the encyclopedia,"Unfortunately this event is also logged in situations where it doesn't seem necessary. For instance logging on interactively to a member server (Win2008 RC1) with a domain account produces an instance of this event in addition to 2 instances of 4624."
Post #7335
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 3:29am