EventPeeker

Event ID 4625 — Failed Logon

Event ID 4625 is logged every time a Windows account fails to authenticate. A single failure is normal, but large volumes — especially against privileged accounts or from a single source IP — indicate a brute-force or credential-stuffing attack.

MITRE ATT&CK

Technique: T1110 · Brute Force
Tactic: Credential Access


Security Relevance

Repeated failed logons are one of the most reliable early indicators of a credential attack. Attackers use automated tools to spray common passwords across many accounts (password spraying) or hammer a single account repeatedly (brute force). Left undetected, these attacks can result in account compromise, lateral movement, and full domain takeover.

Example Log Entry

Log Name:  Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4625
Level:     Information

An account failed to log on.

Subject:
  Security ID:   SYSTEM
  Account Name:  DESKTOP-01$

Account For Which Logon Failed:
  Account Name:  Administrator
  Account Domain: CORP

Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status:         0xC000006D
  Sub Status:     0xC000006A

Network Information:
  Workstation Name: ATTACKER-PC
  Source IP Address: 192.168.1.105

Investigation Steps

  1. Check the volume — 5+ failures may be accidental, 20+ within 5 minutes is almost certainly automated.
  2. Identify the target account. Attacks against Administrator, Domain Admin, or service accounts are highest risk.
  3. Check the source IP — internal IPs may indicate lateral movement; external IPs indicate an internet-facing attack.
  4. Look for Event ID 4624 (successful logon) shortly after a series of failures — this means the attack succeeded.
  5. Check for Event ID 4740 (account lockout) — if lockouts are triggering, the attack volume is significant.
  6. Review whether the source workstation is a known asset on your network.
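Steps 1 and 4 above, together with the "10+ failures within 5 minutes from a single source" threshold listed under Remediation, can be expressed as simple detection logic. The following is an added example, not EventPeeker's code; the event records it runs over are constructed sample data (timestamp, event ID, target account, source IP), and the field layout is an assumption rather than the EVTX format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (not from the page). Each tuple is
# (timestamp, event_id, target account, source IP): 12 failures in under
# three minutes from one host followed by a success, plus one benign typo.
_base = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [(_base + timedelta(seconds=15 * i), 4625, "Administrator", "192.168.1.105")
                 for i in range(12)]
SAMPLE_EVENTS += [
    (_base + timedelta(minutes=3, seconds=30), 4624, "Administrator", "192.168.1.105"),
    (_base + timedelta(hours=1), 4625, "jsmith", "10.0.0.7"),
    (_base + timedelta(hours=1, minutes=1), 4624, "jsmith", "10.0.0.7"),
]

WINDOW = timedelta(minutes=5)   # the guide's "within 5 minutes" window
THRESHOLD = 10                  # the guide's "10+ failures" SIEM threshold

def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Map source IP -> peak number of 4625 events inside any sliding window."""
    failures = defaultdict(list)
    for ts, event_id, _account, ip in events:
        if event_id == 4625:
            failures[ip].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def success_after_burst(events, bursts, window=WINDOW):
    """Investigation step 4: a 4624 from a bursting source within `window`
    of that source's last 4625 means the guessing likely succeeded."""
    flagged, last_failure = [], {}
    for ts, event_id, account, ip in sorted(events, key=lambda e: e[0]):
        if event_id == 4625:
            last_failure[ip] = ts
        elif (event_id == 4624 and ip in bursts and ip in last_failure
              and ts - last_failure[ip] <= window):
            flagged.append((ip, account, ts))
    return flagged

if __name__ == "__main__":
    bursts = find_bursts(SAMPLE_EVENTS)
    print("bursting sources:", bursts, "| success after burst:", success_after_burst(SAMPLE_EVENTS, bursts))
```

The lone failure from 10.0.0.7 is never flagged, even though it is followed by a success, because it never crosses the threshold; only the 192.168.1.105 burst and its subsequent 4624 are reported.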


Remediation

  • Enable account lockout policy (e.g. lock after 10 failures, reset after 30 minutes).
  • Enforce multi-factor authentication on all privileged accounts.
  • Block or geo-restrict RDP and SMB ports from the internet.
  • Disable the built-in Administrator account and rename it.
  • Review and rotate credentials for any accounts targeted in the attack.
  • Consider deploying a SIEM alert for 10+ failures within 5 minutes from a single source.

Related Event IDs

4624: Successful logon — check for success after repeated failures
4740: Account locked out — confirms high-volume attack
4648: Logon using explicit credentials — may indicate pass-the-hash
