Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
- • Introduction
- • Description of Event Fields
- • Reasons to monitor
- • The need for a third-party tool
Introduction
Event ID 4625 (viewed inWindowsEventViewer) documents every failed attempt at logging on toa local computer. This event is generated on the computer fromwhere thelogonattempt was made.A related event, Event ID 4624 documents successful logons.
Event 4625 applies to the followingoperating systems: WindowsServer2008 R2 andWindows7, WindowsServer 2012 R2 andWindows8.1,and WindowsServer2016 andWindows10. Corresponding events inWindowsServer 2003 and earlier included529,530,531,532,533,534,535,536,537, and539for failed logons.
Event ID 4625 looks a little different acrossWindows Server 2008, 2012, and 2016.Highlighted in the screenshots below are the important fields across each of these versions.
Event 4625 (Windows 2008)
Event 4625 (Windows2012)
Event 4625 (Windows 2016)
Description of Event Fields
Theimportant information that can be derived from Event 4625 includes:
- • Logon Type:Thisfield reveals the kind of logon that was attempted. In other words,it points outhow the user tried logging on.There are a total of nine different types of logons.The most common logon types are: logon type 2 (interactive) and logon type 3 (network).Any logon type other than 5 (which denotes a service startup) is a red flag. For a description of the different logon types,seeEvent ID 4624.
- • Account For Which Logon Failed: This section reveals theAccount Name of the user who attempted the logon.
- • Failure Information: This section explains thereasons for the logon failure. The Failure Reason fieldincludes ashort explanation, while the Statusand Sub Status fieldslist hexadecimal codes, the most common of which are explained below.
Status and Sub Status Codes
Description
0xC0000064
The usernameis misspelled or does not exist.
0xC000006A
Theuser's passwordis wrong.
0xC000006D
The username or authentication information is incorrect.
0xC0000234
The user is currently locked out.
0xC0000072
Theuser accountis currently disabled.
0xC000006F
Theuser tried to log on outside authorized hours.
0xC0000070
Theuser tried to log on from an unauthorized workstation.
0xC0000193
Theuser's accounthas expired.
0xC0000071
Theuser's password has expired.
0xC0000133
Thedomain controller and computer's times areout of sync.
0xC0000224
Theuser is required to changetheirpassword at next logon.
0xc000015b
Theuser has not been granted the requested logon typeon that machine.
Other information that can be obtained fromEvent 4625:
- • TheSubject sectionrevealsthe account on the local systemthat requested the logon (not the user).
- • TheProcess Information section revealsdetails surrounding the process that attempted the logon.
- • TheNetworkInformation sectionreveals where the user was when they attempted the logon. If the logon was initiatedfromyourcurrent computer, this information will either be blank or reflectthat local computer's workstation name and source network address.
- • The DetailedAuthentication section reveals information about the authentication package used while attempting the logon.
Reasons to monitor failed logons:
Security
To detectbrute-force, dictionary, and other password guess attacks, which are characterized by a sudden spike in failed logons.
To detect abnormaland possiblymalicious internal activity, like a logon attempt from a disabled account or unauthorized workstation, users logging on outside of normal working hours, etc.
Operational
Tocome up with a benchmark fortheAccount lockout threshold policy setting, which determines the number of failed sign-in attemptsbefore a user accountgets locked.
Compliance
To comply with regulatory mandatesprecise information surrounding failed logons is necessary.
Theneed for athird-partytool
In a typical IT environment, the number of events with ID 4625 (failed logon) can run into the thousands each day.Failed logons are useful on their own, but greater insights into network activity can be drawn from clear connections between them and other pertinent events.
For example, while Event 4625 is generated when an account fails to log on and Event 4624 is generatedfor successfullogons, neither of these eventsreveal if thesameaccounthas recently experienced both. You have to correlate Event 4625 with Event 4624 using their respective Logon IDs tofigure that out.
Thus,event analysis and correlation needs to beperformed. Native tools and PowerShell scriptsdemand expertise and time when employed to this end,so a third-party tool istrulyindispensable.
Applying machine learning, ADAudit Plus creates a baseline of normal activities specific to each user and only notifies security personnel when there is a deviation from this norm.
For example, a user who consistently accesses a critical server outside of business hours wouldn't trigger a false positive alert because that behavior is typical for that user. On the other hand, ADAudit Plus would instantly alert security teams when that same user accesses that server during a time they've never accessed it before, even though the access falls within business hours.
If you want to explore the product for yourself, download the free, fully-functional 30-day trial.
If you want an expert to take you through a personalized tour of the product, schedule a demo.
Detect malicious Active Directory logon activity.
ManageEngine ADAudit Plus employs machine learning to alert you whenever a user with possibly malicious intent logs on.
3 of every 5 Fortune 500 companies trust ManageEngine to manage their IT.
Try for free
✖
The 8 most critical windows security events that you must monitor.
Thank you for your interest!
We’ve sent the guide to your inbox.
Thanks for visiting.
Before you leave, check out our guide on the 8 most critical Windows security events you must monitor.
