Forum Discussion
Enriched NTLM authentication data using Windows Event 8004
Tali Ashhi - we enabled NTLM auditing; however, no 8004 events are generated despite 4776s being generated. We verified that NTLM auditing is enabled using gpresult.
Any tips to debug?
Regards
Loic
- Andy Loy, Dec 02, 2020, Copper Contributor
Hi can I just add an additional question to this if I may....
Are there any pre-considerations around enabling event ID 8004 on live DCs?
Such as:
1. Potential volume of event logs and potential knock on - local event ID file size/frequency of log overwrites?
2. DC local performance concerns once enabled?
3. If using another complementary log forwarding solution (e.g. ATP Defender for Server) - knock-on log volume ingestion to Log Analytics/Sentinel.
Thanks in advance
Andy
- EliOfek, Dec 03, 2020, Microsoft
Andy Loy
1. I guess you should see an event for every 4776 you currently have.
It goes to a separate log, not the default security log.
2. Never heard a report about a significant performance issue due to turning this on.
3. Can't tell. I guess you can estimate the increase from answer #1, if at all this info will go there; as I mentioned, it's a separate log.
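The checks implied by the two questions above (is the separate 8004 log actually enabled and receiving events, and how does its volume compare with 4776), as an added PowerShell example that is not from any poster in this thread. It assumes it is run elevated on the DC in question and that the operational log name and the MSV1_0 registry value named in the comments are the ones in use on that build.

```powershell
# Added example, not from the thread. Assumes an elevated session on the DC.
# Reports whether the NTLM operational log (where 8004 lands) is enabled,
# reads the audit policy value, and compares 4776 vs 8004 counts over a window.
param([int]$Hours = 24)

$ntlmLog = 'Microsoft-Windows-NTLM/Operational'   # separate from Security
$since   = (Get-Date).AddHours(-$Hours)

# 1. If this log is disabled, 8004 is never written even with the policy set.
$logInfo = Get-WinEvent -ListLog $ntlmLog -ErrorAction Stop
"{0}: enabled={1} records={2} max={3:N0} bytes" -f $ntlmLog,
    $logInfo.IsEnabled, $logInfo.RecordCount, $logInfo.MaximumSizeInBytes

# 2. Registry value behind "Restrict NTLM: Audit NTLM authentication in this domain"
#    (assumed location; verify against gpresult on the host).
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
"AuditNTLMInDomain = {0} (0 = off, 7 = audit all)" -f $msv.AuditNTLMInDomain

# 3. Count events in the window; roughly one 8004 per 4776 is the expected ratio.
function Get-EventCount([string]$LogName, [int]$Id) {
    $f = @{ LogName = $LogName; Id = $Id; StartTime = $since }
    @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue).Count
}
$c4776 = Get-EventCount -LogName 'Security' -Id 4776
$c8004 = Get-EventCount -LogName $ntlmLog -Id 8004
"Last {0}h: 4776={1}  8004={2}" -f $Hours, $c4776, $c8004

if ($c4776 -gt 0 -and $c8004 -eq 0) {
    'No 8004 despite 4776s: confirm the operational log is enabled and the policy applies to this DC.'
}
```

The 4776-to-8004 ratio and the log's MaximumSizeInBytes together give the volume and overwrite-frequency estimate asked about in question 1.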
- Andy Loy, Dec 03, 2020, Copper Contributor
Thanks Eli - Can I just follow on from your answer:
"1. I guess you should see an event for every 4776 you currently have.
It goes to a separate log, not the default security log." I found https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776, which seems to suggest event ID 4776 is logged to the Security event log??