EventPeeker

Event ID 4740 — Account Lockout

Event ID 4740 is logged when a Windows user account is locked out after exceeding the failed logon threshold. Account lockouts confirm that a credential attack has crossed the volume threshold set by your lockout policy.

MITRE ATT&CK

Technique: T1110 · Brute Force

Tactic: Credential Access


Security Relevance

A single account lockout may be a user mistyping their password. Multiple lockouts — especially against privileged accounts, service accounts, or from the same source — are a strong indicator of an active brute-force or password spray attack. Repeated lockouts can also be used as a denial-of-service technique to lock out critical accounts.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4740
Level:     Information

A user account was locked out.

Subject:
  Security ID:      CORP\DC01$
  Account Name:     DC01$
  Account Domain:   CORP

Account That Was Locked Out:
  Security ID:      CORP\Administrator
  Account Name:     Administrator

Additional Information:
  Caller Computer Name: WORKSTATION-05

Investigation Steps

  1. Identify which account was locked out — Administrator, service accounts, or domain admins are highest priority.
  2. Check the Caller Computer Name — this is the machine that triggered the lockout, which may be the attacker's system.
  3. Correlate with Event ID 4625 (failed logons) to see the full pattern of attempts leading to the lockout.
  4. Check if multiple accounts are being locked out — simultaneous lockouts across many accounts indicate password spraying.
  5. Look for Event ID 4624 (successful logon) after the lockout is cleared — this may indicate the attack succeeded.
  6. Check whether the lockout originated from an expected workstation or a suspicious source.
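
Steps 2 to 5 can be run as one correlation pass. The Python below is an added example, not part of the original page or of EventPeeker's tooling; it works on constructed event records. The tuple layout, the "source" field (standing in for Caller Computer Name or the logon workstation), the 10-minute window and the three-account spray threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): (event id, time, account, source).
# "source" is an assumed normalized field: Caller Computer Name / logon workstation.
EVENTS = [
    (4625, "2024-05-01T09:00:01", "svc_backup", "WORKSTATION-05"),
    (4625, "2024-05-01T09:00:02", "Administrator", "WORKSTATION-05"),
    (4625, "2024-05-01T09:00:03", "Administrator", "WORKSTATION-05"),
    (4740, "2024-05-01T09:00:04", "Administrator", "WORKSTATION-05"),
    (4740, "2024-05-01T09:00:09", "svc_backup", "WORKSTATION-05"),
    (4740, "2024-05-01T09:01:30", "jsmith", "WORKSTATION-05"),
    (4740, "2024-05-01T11:15:00", "mlee", "LAPTOP-22"),
    (4624, "2024-05-01T09:31:10", "Administrator", "WORKSTATION-05"),
]

def parse(events):
    return [{"id": i, "time": datetime.fromisoformat(t), "account": a, "source": s}
            for i, t, a, s in events]

def triage(events, window=timedelta(minutes=10), spray_accounts=3):
    evs = sorted(parse(events), key=lambda e: e["time"])
    rows, by_source = [], defaultdict(list)
    for lk in (e for e in evs if e["id"] == 4740):
        by_source[lk["source"]].append(lk)          # Step 2: group by caller computer
        same_acct = [e for e in evs if e["account"] == lk["account"]]
        rows.append({
            "account": lk["account"], "source": lk["source"],
            # Step 3: 4625 failures for this account in the window before the lockout
            "failed_before": sum(e["id"] == 4625 and
                                 lk["time"] - window <= e["time"] <= lk["time"] for e in same_acct),
            # Step 5: a later 4624 for the same account from the source that locked it
            "success_after": any(e["id"] == 4624 and e["source"] == lk["source"]
                                 and e["time"] > lk["time"] for e in same_acct),
        })
    # Step 4: one source locking several distinct accounts inside a single window
    spray = set()
    for source, lks in by_source.items():
        for first in lks:
            accounts = {l["account"] for l in lks
                        if first["time"] <= l["time"] <= first["time"] + window}
            if len(accounts) >= spray_accounts:
                spray.add(source)
    return {"lockouts": rows, "spray_sources": sorted(spray)}

if __name__ == "__main__":
    print(triage(EVENTS))
```

On the sample data, WORKSTATION-05 is flagged as a spray source and the Administrator lockout is marked as followed by a successful logon, while the single lockout from LAPTOP-22 is not flagged.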


Remediation

  • Unlock affected accounts only after investigating the source — re-enabling an account under active attack will just lock it again.
  • Block the source IP at the firewall if it is external.
  • Enforce MFA on all accounts, especially those being targeted.
  • Review your lockout policy — too-low thresholds cause false positives, too-high thresholds allow more attempts.
  • Consider deploying a honeypot account that should never be authenticated — any lockout on it is guaranteed malicious.
  • Alert on lockouts of service accounts — these should never fail authentication in normal operation.

Related Event IDs

4625: Failed logon — the attempts that led to the lockout
4624: Successful logon — check for success after lockout is cleared
4767: Account unlocked — track when and by whom accounts are re-enabled
4672: Special privileges assigned — check if attacker succeeded post-lockout
