4625 - Authentication Failure

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

Event ID 4625 is a critical security event in Windows environments, indicating a failed logon attempt. This event is logged on the system where the logon attempt was made and provides detailed information about the nature of the failure. Monitoring and analyzing these events is crucial for detecting potential security breaches, understanding attack vectors, and enhancing overall system security.

Key Details of Event ID 4625

Log Location: Security log.
- %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Category: Audit Logon
Level: Audit Failure.

When It Is Logged

Event ID 4625 is logged whenever a logon attempt fails. This includes various scenarios, such as:

Incorrect password entries.
Attempts to access disabled accounts.
Logins at times not allowed by the account's policies.
Attempts to log on with expired accounts.

Information Contained in the Log

An Event ID 4625 log contains several critical pieces of information that help in diagnosing the failure:

Logon Type: Specifies the type of logon that was requested, which helps in identifying how the failed attempt was made (e.g., interactive, network, remote desktop).
Subject: Information about the account that requested the logon.
- Security ID: The SID of the requesting account, usually "NULL SID" for failed attempts.
- Account Name: Name of the account, often blank or "ANONYMOUS LOGON".
Account For Which Logon Failed: Provides details about the target account.
- Security ID: The SID of the account for which the logon attempt was made.
- Account Name: The name of the account.
- Account Domain: The domain of the account.
Failure Information: Details about the failure.
- Failure Reason: A text description of why the logon attempt failed (e.g., "Unknown user name or bad password").
- Status: A code representing the logon failure reason (e.g., 0xC000006D for a bad username).
- Sub Status: More specific failure code (e.g., 0xC0000064 for a user name that does not exist).
Caller Process Information: Information about the process that attempted the logon.
- Caller Process ID: The ID of the process.
- Caller Process Name: The name of the process.
Network Information: Details about network logons.
- Workstation Name: Name of the workstation from which the attempt originated.
- Source Network Address: The IP address of the client machine.
- Source Port: The port number used by the client machine.
Detailed Authentication Information: More details about the authentication.
- Logon Process: The process that managed the logon attempt.
- Authentication Package: The package that was used to authenticate the user.
- Transited Services: Lists the services that participated in the logon request (usually not applicable for failed logons).
- Package Name (NTLM only): Shows the NTLM package name if NTLM was used.

Importance for Security

Event ID 4625 is instrumental for security monitoring for several reasons:

Intrusion Detection: Repeated failed logon attempts may indicate a brute force attack or an attempt to guess passwords.
Account Misuse: Failed logins can also suggest that legitimate users are attempting to access resources for which they don't have permissions.
Insider Threats: Anomalies in the pattern of failed logons could signal malicious activities by insiders.
Compliance and Forensics: For compliance with various regulatory standards, logging and analyzing failed logon attempts is necessary. They also provide forensic evidence in the event of a security breach.

Tools and Strategies for Analysis

Windows Event Viewer: Manual inspection and filtering of event logs for 4625 events.
PowerShell: Automation of log extraction and analysis tasks, identifying patterns or trends in failed logon attempts.
SIEM Systems: Centralized logging and analysis, correlating 4625 events with other indicators of compromise (IoCs) for a comprehensive security posture.
Alerting Mechanisms: Configuring real-time alerts for specific patterns of failed logons (e.g., thresholds of failed attempts, logon attempts outside business hours) to enable rapid response to potential security incidents.

PreviousLogon Types NextSubStatus Codes

Last updated 1 year ago

Was this helpful?

4625 - Authentication Failure

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

Key Details of Event ID 4625

Log Location: Security log.
- %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Category: Audit Logon
Level: Audit Failure.

When It Is Logged

Event ID 4625 is logged whenever a logon attempt fails. This includes various scenarios, such as:

Incorrect password entries.
Attempts to access disabled accounts.
Logins at times not allowed by the account's policies.
Attempts to log on with expired accounts.

Information Contained in the Log

An Event ID 4625 log contains several critical pieces of information that help in diagnosing the failure:

Logon Type: Specifies the type of logon that was requested, which helps in identifying how the failed attempt was made (e.g., interactive, network, remote desktop).
Subject: Information about the account that requested the logon.
- Security ID: The SID of the requesting account, usually "NULL SID" for failed attempts.
- Account Name: Name of the account, often blank or "ANONYMOUS LOGON".
Account For Which Logon Failed: Provides details about the target account.
- Security ID: The SID of the account for which the logon attempt was made.
- Account Name: The name of the account.
- Account Domain: The domain of the account.
Failure Information: Details about the failure.
- Failure Reason: A text description of why the logon attempt failed (e.g., "Unknown user name or bad password").
- Status: A code representing the logon failure reason (e.g., 0xC000006D for a bad username).
- Sub Status: More specific failure code (e.g., 0xC0000064 for a user name that does not exist).
Caller Process Information: Information about the process that attempted the logon.
- Caller Process ID: The ID of the process.
- Caller Process Name: The name of the process.
Network Information: Details about network logons.
- Workstation Name: Name of the workstation from which the attempt originated.
- Source Network Address: The IP address of the client machine.
- Source Port: The port number used by the client machine.
Detailed Authentication Information: More details about the authentication.
- Logon Process: The process that managed the logon attempt.
- Authentication Package: The package that was used to authenticate the user.
- Transited Services: Lists the services that participated in the logon request (usually not applicable for failed logons).
- Package Name (NTLM only): Shows the NTLM package name if NTLM was used.

Importance for Security

Event ID 4625 is instrumental for security monitoring for several reasons:

Intrusion Detection: Repeated failed logon attempts may indicate a brute force attack or an attempt to guess passwords.
Account Misuse: Failed logins can also suggest that legitimate users are attempting to access resources for which they don't have permissions.
Insider Threats: Anomalies in the pattern of failed logons could signal malicious activities by insiders.
Compliance and Forensics: For compliance with various regulatory standards, logging and analyzing failed logon attempts is necessary. They also provide forensic evidence in the event of a security breach.

Tools and Strategies for Analysis

Windows Event Viewer: Manual inspection and filtering of event logs for 4625 events.
PowerShell: Automation of log extraction and analysis tasks, identifying patterns or trends in failed logon attempts.
SIEM Systems: Centralized logging and analysis, correlating 4625 events with other indicators of compromise (IoCs) for a comprehensive security posture.
Alerting Mechanisms: Configuring real-time alerts for specific patterns of failed logons (e.g., thresholds of failed attempts, logon attempts outside business hours) to enable rapid response to potential security incidents.

PreviousLogon Types NextSubStatus Codes

Last updated 1 year ago

Was this helpful?