Skip to content

4625 An account failed to log on

Written for any logon failure. Reading the failure reason code and the pattern of occurrences makes it a key event for detecting authentication attacks such as brute force and password spraying.

Overview

The subcategories are Audit Account Lockout and Audit Logon. It is generated on the machine where the logon was attempted, on domain controllers, member servers, and workstations alike. Why it failed shows in the Status / Sub Status reason codes, and which method was used shows in LogonType. It is the counterpart to the success event 4624.

How it is triggered

  • A logon attempt with a wrong password, or against a nonexistent, disabled, or locked account.
  • Failures over the network (LogonType 3), interactive (2), RDP (10), and so on.
  • The reason is distinguished by Status/Sub Status codes. Common ones:
    • 0xC0000064 nonexistent user name (a sign of username enumeration)
    • 0xC000006A wrong password (an attempt against an existing user)
    • 0xC0000072 disabled account
    • 0xC0000234 locked-out account
    • 0xC000006F logon outside permitted hours / 0xC0000070 logon from an unauthorized workstation

Security review points

  • Brute force: many failures against a single account from a single source in a short time. Detect by threshold, for example more than 50 in one minute.
  • Password spraying: a few attempts each against many accounts from one source (MITRE ATT&CK T1110.003). Failures per account are low but anomalous across the set. Spraying over SMB leaves 4625 on the DC, but over LDAP or Kerberos a 4625 may not appear, in which case 4771 (Kerberos pre-authentication failure) must also be watched.
  • A Process Name outside standard folders, or containing a suspicious name like mimikatz, warrants investigation. A mismatch between LogonType and the account (such as an administrator failing with Batch/Service) is another focus.

Notes for log review

  • A single failure is everyday (a mistyped password). Look at the “same source, short time, many” pattern rather than the raw count.
  • Aggregating by source IP, workstation name, target account, and reason code helps separate brute force from spraying.
  • Attacks over LDAP/Kerberos surface poorly in 4625. Do not rely on 4625 alone; combine it with Kerberos logs (4771 / 4768) and NTLM validation 4776.

Key fields

FieldMeaning
Account For Which Logon Failed\Account NameThe targeted account
Status / Sub StatusThe failure reason code; used to infer the attack type
LogonTypeThe logon kind (2/3/10, etc.)
Source Network Address / Workstation NameThe source of the attempt; aggregation axes
Authentication PackageNTLM / Kerberos / Negotiate

References