Event ID 4625 — An account failed to log on.
Description
An account failed to log on.
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
| Account_Name | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
| Account_Domain | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
| Logon_ID | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
| Security_ID | [Account For Which Logon Failed] Security ID. |
| Account_Name | [Account For Which Logon Failed] Account Name. |
| Account_Domain | [Account For Which Logon Failed] Account Domain. |
| Status (HexInt32) | [Failure Information] Status. NTSTATUS reference. |
| Failure_Reason | [Failure Information] Failure Reason. Known values. |
| Sub_Status | [Failure Information] Sub Status. NTSTATUS reference. |
| Logon_Type | [Subject] Logon Type. Indicates the account on the local system which requested the logon. Logon type reference. |
| Logon_Process | [Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request. |
| Authentication_Package | [Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request. |
| Workstation_Name | [Network Information] Workstation Name. Indicates where a remote logon request originated. |
| Transited_Services | [Detailed Authentication Information] Transited Services. Indicates which intermediate services have participated in this logon request. |
| Package_Name_NTLM_only | [Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols. |
| Key_Length | [Detailed Authentication Information] Key Length. Indicates the length of the generated session key. This will be 0 if no session key was requested. |
| Caller_Process_ID | [Process Information] Caller Process ID. Indicates which account and process on the system requested the logon. |
| Caller_Process_Name | [Process Information] Caller Process Name. Indicates which account and process on the system requested the logon. |
| Source_Network_Address | [Network Information] Source Network Address. Indicates where a remote logon request originated. |
| Source_Port | [Network Information] Source Port. Indicates where a remote logon request originated. |
Example Event #

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4625,
    "version": 0,
    "level": 0,
    "task": 12544,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2016-09-19T16:50:06.477878Z",
    "event_record_id": 2455,
    "correlation": {
      "#attributes": {
        "ActivityID": "B864D168-0B7B-0000-89D1-64B87B0BD201"
      }
    },
    "execution": {
      "process_id": 752,
      "thread_id": 4068
    },
    "channel": "Security",
    "computer": "DESKTOP-M5SN04R",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-0-0",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x0",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "JcDfcZTc",
    "TargetDomainName": ".",
    "Status": "0xc000006d",
    "FailureReason": "%%2313",
    "SubStatus": "0xc0000064",
    "LogonType": 3,
    "LogonProcessName": "NtLmSsp ",
    "AuthenticationPackageName": "NTLM",
    "WorkstationName": "6hgtmVlrrFuWtO65",
    "TransmittedServices": "-",
    "LmPackageName": "-",
    "KeyLength": 0,
    "ProcessId": "0x0",
    "ProcessName": "-",
    "IpAddress": "192.168.198.149",
    "IpPort": "50249"
  }
}
```
Detection Patterns #
- Security-Auditing Event ID 4624 (An account was successfully logged on) AND Event ID 4625 (An account failed to log on) AND Event ID 4634 (An account was logged off): 11 rules (Splunk, Kusto Query Language)
- Security-Auditing Event ID 4624 AND Event ID 4625: 9 rules (Splunk, Kusto Query Language)
- Credential Access: Brute Force. Security-Auditing Event ID 4625 → Event ID 4624: 8 rules (Splunk, Kusto Query Language and others)
- Credential Access: LLMNR/NBT-NS Poisoning and SMB Relay. Security-Auditing Event ID 4624 OR Event ID 4625: 8 rules (Elastic, Splunk, Kusto Query Language and others)
- Credential Access: Password Spraying. Defender-DeviceLogonEvents Event ID 9003001 (Logon succeeded) AND Event ID 9003002 (Logon failed) AND Security-Auditing Event ID 4624 AND Event ID 4625: 7 rules (Splunk, Kusto Query Language and others)
- Security-Auditing Event ID 4624 AND Event ID 4625 AND Event ID 4634 AND Event ID 4647 (User initiated logoff) AND Event ID 4648 (A logon was attempted using explicit credentials) AND Event ID 4675 (SIDs were filtered)
- Security-Auditing Event ID 4624 OR Event ID 4625 OR Event ID 4776 (The domain controller attempted to validate the credentials for an account): 2 rules
- Initial Access: Exploit Public-Facing Application. Security-Auditing Event ID 4624 AND Event ID 4625 AND Event ID 4648: 1 rule
Community Notes #
The Status field indicates the top-level failure reason; SubStatus provides additional detail. When Status is 0xC000006D (generic logon failure), check SubStatus for the specific cause.
Kerberos result codes (Status, when authentication uses Kerberos):
| Code | Description |
|---|---|
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN — invalid/non-existent user account |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN — requested server not found |
| 0xC | KDC_ERR_POLICY — policy restriction prohibited logon |
| 0x12 | KDC_ERR_CLIENT_REVOKED — account locked, disabled, or expired |
| 0x17 | KDC_ERR_KEY_EXPIRED — expired password |
| 0x18 | KDC_ERR_PREAUTH_FAILED — invalid password |
| 0x25 | KRB_AP_ERR_SKEW — clock skew too great between client and server |
NTSTATUS codes (Status and SubStatus):
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic logon failure — check SubStatus for detail |
| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account username |
| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password (username correct) |
| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Account restriction prevented logon |
| 0xC000006C | STATUS_PASSWORD_RESTRICTION | Password does not meet policy requirements |
| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Account not allowed to log on at this time |
| 0xC0000070 | STATUS_INVALID_WORKSTATION | Account not allowed to log on from this computer |
| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Expired password |
| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Disabled account |
| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |
| 0xC0000133 | STATUS_TIME_DIFFERENCE_AT_DC | Clock skew between client and DC too great |
| 0xC000015B | STATUS_LOGON_TYPE_NOT_GRANTED | Logon type not granted to this account |
| 0xC000018D | STATUS_TRUSTED_RELATIONSHIP_FAILURE | Trust relationship between domain and trusted domain failed |
| 0xC0000192 | STATUS_NETLOGON_NOT_STARTED | Netlogon service not started |
| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Expired account |
| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |
| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |
| 0xC0000388 | STATUS_DOWNGRADE_DETECTED | Kerberos/NTLM downgrade detected |
| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |
Detection Rules #
Sigma #
- Failed Logon From Public IP (medium): Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Elastic #
- Privileged Accounts Brute Force (medium): Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
- Multiple Logon Failure from the same Source Address (medium): Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
Splunk #
- Detect Password Spray Attempts: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
- Windows Multiple Users Failed To Authenticate From Process: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.
- Windows Multiple Users Remotely Failed To Authenticate From Host: The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.
- Windows Unusual Count Of Users Failed To Authenticate From Process: The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.
- Windows Unusual Count Of Users Remotely Failed To Auth From Host: The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.
Kusto Query Language #
- Failed logon attempts by valid accounts within 10 mins (low): Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.
- Excessive Windows Logon Failures (low): This query identifies user accounts which have over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.
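The two things this page asks an analyst to do with 4625 data, decode Status/SubStatus as the Community Notes describe and count distinct target accounts per source as the Splunk spraying rules do (30 unique users, Logon Type 3), worked as a small added Python example. It is not code from the page or from any of the rule vendors; the event records are constructed sample data shaped like the example event above, and only a subset of the NTSTATUS table is included.

```python
from collections import defaultdict

# Subset of the NTSTATUS names from the Community Notes table above.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc0000064": "STATUS_NO_SUCH_USER",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}


def failure_reason(event_data):
    """Decode Status, and SubStatus where it refines a generic 0xC000006D.

    Returns (status_name, substatus_name); unknown codes pass through as hex
    and a SubStatus of 0x0 (no detail) becomes None."""
    status = event_data["Status"].lower()
    sub = event_data["SubStatus"].lower()
    detail = None if sub == "0x0" else NTSTATUS.get(sub, sub)
    return NTSTATUS.get(status, status), detail


def spray_sources(events, min_users=30, logon_type=3):
    """Distinct target accounts per source IP for 4625 events of one logon
    type; sources at or above min_users are password-spray candidates (the
    same 30-user threshold the Splunk rules above use)."""
    users = defaultdict(set)
    for ev in events:
        data = ev["event_data"]
        if ev["system"]["event_id"] != 4625 or data["LogonType"] != logon_type:
            continue
        users[data["IpAddress"]].add(data["TargetUserName"].lower())
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}


def make_event(user, ip, logon_type=3, status="0xc000006d", sub="0xc0000064"):
    """Constructed 4625 record carrying only the fields the functions read."""
    return {"system": {"event_id": 4625},
            "event_data": {"TargetUserName": user, "IpAddress": ip,
                           "LogonType": logon_type, "Status": status,
                           "SubStatus": sub, "LogonProcessName": "NtLmSsp "}}


# Constructed sample: one source fails against 35 distinct accounts (spray),
# another fails 5 times against a single account with a wrong password.
SAMPLE_EVENTS = [make_event(f"user{i:02d}", "192.168.198.149") for i in range(35)]
SAMPLE_EVENTS += [make_event("alice", "10.0.0.7", sub="0xc000006a") for _ in range(5)]

if __name__ == "__main__":
    print(failure_reason(SAMPLE_EVENTS[0]["event_data"]))
    print(spray_sources(SAMPLE_EVENTS))
```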
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4625-failed-logon.md