EventPeeker
Event ID 4648 · Audit Success · Security · T1550.002

Windows Event ID 4648 · Logon with Explicit Credentials

Logged on the source host when a process attempts to authenticate with explicitly supplied credentials rather than those of its own logon session, e.g. runas /user, net use with an alternate account, scheduled tasks running under stored credentials, or Pass-the-Hash tooling that injects a stolen hash into a new logon session.

MITRE ATT&CK

Technique

T1550.002 · Pass the Hash

Tactic

Lateral Movement

View on attack.mitre.org →

Why It Matters

Attackers holding stolen credentials use explicit-credential logons to move laterally without opening a new interactive session on the host they already control. A burst of 4648 events naming many different target servers, or 4648 raised by a process that does not normally present alternate credentials, is a strong lateral movement indicator. Keep in mind that lsass.exe, winlogon.exe and svchost.exe appear routinely in the Process Name field on healthy hosts, so the process on its own is a weak signal; the account mismatch and the target server are what make a given event interesting.

Key Fields

Account Name (Subject) · SubjectUserName · The account performing the logon, i.e. who is providing the credentials
Account Name (Credentials Used) · TargetUserName · The account whose credentials are being presented
Target Server Name · TargetServerName · The system or service being accessed (localhost for RunAs and interactive logons on the same machine)
Process Name · ProcessName · The process that initiated the credential use; lsass.exe, winlogon.exe and svchost.exe are routine, a shell, scripting host or unrecognized executable may not be

Investigation Tips

  1. Look for 4648 where the Subject and Credentials Used accounts differ: the logged-on user is authenticating as someone else, which is the case worth triaging.
  2. Correlate with a 4624 Logon Type 3 for the same account on the host named in Target Server Name to confirm the hop succeeded. runas /netonly and pass-the-hash tools additionally leave a 4624 Logon Type 9 (NewCredentials) on the source host next to the 4648.
  3. runas.exe in the process name is usually an administrator's own RunAs; cmd.exe, powershell.exe or a scripting host presenting another account's credentials warrants a look at the command line and parent process.

Seeing Event ID 4648 in your own logs? Upload an .evtx file — EventPeeker flags logon with explicit credentials automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.

Analyze my logs →

Related Event IDs

4624 · Logon event on the target system (Type 3 for the network hop, Type 9 on the source for runas /netonly)
4625 · Failed logon if the credentials were rejected
4672 · Special privileges assigned if the account used is privileged

Frequently Asked Questions

Why am I seeing Event ID 4648?
4648 fires when a process authenticates with credentials other than those of its own logon session. RunAs, net use with an alternate account, and scheduled tasks or services that run under stored credentials all generate it during normal operation, and on healthy hosts the Process Name is frequently lsass.exe, winlogon.exe or svchost.exe. It becomes worth investigating when the Subject account differs from the account whose credentials were used, when the target server is a host the subject has no business reaching, or when the source process is a shell, scripting engine or unrecognized executable.
Is Event ID 4648 a sign of lateral movement?
Not always, but it is a key lateral movement signal once correlated. Stolen credential use generates 4648 on the source host (where the credentials are presented) before the 4624 success on the destination. The critical indicator is Subject Account Name ≠ Account Name Used: that mismatch means a process is authenticating as a different identity than the logged-on user. Pair it with the Target Server Name and the destination's 4624 to confirm the hop actually landed.
What's the difference between Event ID 4648 and 4624?
4624 is logged on the target system when authentication succeeds. 4648 is logged on the source system when explicit credentials are presented. In lateral movement you will see 4648 on the attacker's pivot host and 4624 Logon Type 3 on the compromised target; together they reconstruct the full hop, with 4648 showing the origin and 4624 the destination. Tools that create a new logon session with the supplied credentials (runas /netonly, pass-the-hash utilities) also leave a 4624 Logon Type 9 (NewCredentials) on the source host.
Which processes generating 4648 are most suspicious?
PowerShell.exe, cmd.exe or scripting hosts (wscript.exe, cscript.exe) authenticating as a different account are common in post-exploitation and deserve first attention, together with any executable you do not recognize. Scheduled task hosts (svchost.exe running the Task Scheduler service, taskeng.exe on older builds) generating 4648 with unexpected credentials outside known automation windows are also high priority. lsass.exe, winlogon.exe and svchost.exe raise 4648 routinely, so treat them as a baselining exercise rather than a binary indicator: compare the account and target server against what that host normally does.
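The Investigation Tips above and the FAQ answers on correlating 4648 with 4624 describe one procedure: score each 4648 on the account mismatch, the process and the target, then pair it with a Type 3 logon on the named target. The script below carries that procedure out over Windows event XML, the shape that Get-WinEvent's ToXml() or an EVTX parser emits. It is an added example written for this page, not EventPeeker's code; the three records are constructed (host names, accounts and the 10.0.0.5 address are made up), the BASELINE_PROCESSES set is an assumption to tune per estate, and the two-minute correlation window is an arbitrary choice.

```python
"""Triage 4648 records and pair them with 4624 Type 3 logons on the target.

Added example, not EventPeeker code. Input is Windows event XML; the sample
records below are constructed for illustration.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Processes that routinely raise 4648 on a healthy host (winlogon for interactive
# logons, svchost for scheduled tasks and the secondary-logon service).
# Assumption: tune this to your own baseline.
BASELINE_PROCESSES = {"lsass.exe", "winlogon.exe", "svchost.exe", "runas.exe"}


def event_xml(event_id, computer, when, data):
    """Build a minimal Security-log record in Windows event XML (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer></System>'
        f"<EventData>{fields}</EventData></Event>"
    )


SAMPLE_EVENTS = [
    # alice on WS01 presents svc_backup's credentials to FS01 from a cmd.exe shell
    event_xml(4648, "WS01.corp.local", "2024-05-01T10:00:00Z", {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
        "TargetServerName": "FS01", "TargetInfo": "cifs/FS01",
        "ProcessName": "C:\\Windows\\System32\\cmd.exe"}),
    # ...and FS01 records the matching network logon two seconds later
    event_xml(4624, "FS01.corp.local", "2024-05-01T10:00:02Z", {
        "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "LogonType": "3",
        "IpAddress": "10.0.0.5", "WorkstationName": "WS01",
        "AuthenticationPackageName": "NTLM"}),
    # alice unlocking her own workstation: same account, winlogon, localhost
    event_xml(4648, "WS01.corp.local", "2024-05-01T10:05:00Z", {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "TargetUserName": "alice", "TargetDomainName": "CORP",
        "TargetServerName": "localhost", "TargetInfo": "localhost",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe"}),
]


def parse_event(xml_text):
    """Flatten one record into a dict: System fields plus every EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    ev = {"id": int(system.find("e:EventID", NS).text),
          "time": datetime.fromisoformat(stamp),
          "computer": system.find("e:Computer", NS).text}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def short_host(name):
    """Normalise FQDN or NetBIOS name to a lowercase host label for matching."""
    return name.split(".")[0].lower()


def triage_4648(ev):
    """Apply the investigation tips to one 4648 record; returns (score, reasons)."""
    reasons = []
    subject = ev.get("SubjectUserName", "").lower()
    used = ev.get("TargetUserName", "").lower()
    proc = ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    target = short_host(ev.get("TargetServerName", ""))
    if subject != used:
        reasons.append(f"{subject} presented credentials for {used}")
    if proc not in BASELINE_PROCESSES:
        reasons.append(f"non-baseline process {proc}")
    if target not in ("localhost", short_host(ev["computer"])):
        reasons.append(f"credentials presented to remote host {target}")
    return len(reasons), reasons


def correlate(events, window=timedelta(minutes=2)):
    """Pair each 4648 with a 4624 LogonType 3 for the same account on the named target
    within `window` after it. Each pair is one reconstructed lateral-movement hop."""
    parsed = [parse_event(x) for x in events]
    sources = [e for e in parsed if e["id"] == 4648]
    logons = [e for e in parsed if e["id"] == 4624 and e.get("LogonType") == "3"]
    hops = []
    for src in sources:
        used = src.get("TargetUserName", "").lower()
        target = short_host(src.get("TargetServerName", ""))
        for dst in logons:
            if (short_host(dst["computer"]) == target
                    and dst.get("TargetUserName", "").lower() == used
                    and timedelta(0) <= dst["time"] - src["time"] <= window):
                score, reasons = triage_4648(src)
                hops.append({"source": short_host(src["computer"]), "target": target,
                             "account": used, "source_ip": dst.get("IpAddress"),
                             "process": src.get("ProcessName"), "score": score,
                             "reasons": reasons})
    return hops


if __name__ == "__main__":
    for hop in correlate(SAMPLE_EVENTS):
        print(f"{hop['source']} -> {hop['target']} as {hop['account']} via {hop['process']} "
              f"(score {hop['score']}): {'; '.join(hop['reasons'])}")
```

On the constructed input the cmd.exe record scores 3 (account mismatch, non-baseline process, remote target) and is paired with the FS01 logon as a single hop, while the winlogon.exe unlock scores 0 and has no partner. Against real data, feed it every 4648 and 4624 from the hosts in scope, since the two halves of a hop live in different machines' logs.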

Go deeper: the full Detect Pass-the-Hash — NTLM Lateral Movement & Suspicious Network Logons guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

Read the Detect Pass-the-Hash — NTLM Lateral Movement & Suspicious Network Logons guide

See Event ID 4648 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects logon with explicit credentials patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →