EventPeeker

Failed Logon Spike — Brute Force and Password Spray

A failed logon spike is a large volume of authentication failures in a short window — the fingerprint of a brute-force or password spray attack. Windows logs Event ID 4625 for every failed NTLM authentication and 4771 for Kerberos failures. When lockouts trigger, Event ID 4740 confirms the attack has crossed your policy threshold.

Severity

High

ATT&CK Tactic

Credential Access

Common attacker usage

Ransomware initial access · Business email compromise · Credential stuffing tools (Hydra, Medusa, Spray) · Nation-state actors

Investigate immediately if

  • A 4624 successful logon appears for the same account after 10+ failures
  • Multiple admin or service accounts are locking out simultaneously
  • The source IP is external and targeting internet-facing systems (VPN, OWA, RDP)
  • Failures target the built-in Administrator account

MITRE ATT&CK

Technique

T1110 · Brute Force

Tactic

Credential Access


Security Relevance

Credential attacks are the most common initial access technique across ransomware, business email compromise, and nation-state intrusions. Automated tools can attempt thousands of passwords per minute. Password spraying — trying one common password against many accounts — is especially dangerous because it stays below lockout thresholds while still being highly effective. A single successful authentication after a failure spike means the attack worked and the environment is actively compromised.

Indicators of Malicious Use

  • 20+ Event ID 4625 failures within 5 minutes from a single source IP — automated brute-force threshold.
  • Failures against the same account from many different source IPs — distributed credential stuffing using leaked password lists.
  • Failures against many different accounts from one source IP — password spray pattern (one password tried across all accounts).
  • Sub Status 0xC000006A (wrong password) in bulk — confirms credential guessing, not user error.
  • Sub Status 0xC0000064 (user doesn't exist) — attacker is probing for valid usernames before guessing passwords.
  • Event ID 4740 (account lockout) for multiple accounts within minutes — confirms spray attack crossed your lockout threshold.
  • Event ID 4624 (successful logon) immediately following a failure spike for the same account — the attack succeeded.
  • Failures targeting Administrator, Domain Admin, or service accounts — highest-value targets for credential attacks.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4625
Level:     Information

An account failed to log on.

Account For Which Logon Failed:
  Account Name:  Administrator
  Account Domain: CORP

Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status:         0xC000006D
  Sub Status:     0xC000006A

Network Information:
  Workstation Name: ATTACKER-PC
  Source IP Address: 185.220.101.47

[Repeated 143 times from same IP within 4 minutes]

Log Name: Security
Event ID:  4740

A user account was locked out.

Account That Was Locked Out:
  Account Name:     Administrator

Additional Information:
  Caller Computer Name: ATTACKER-PC

Investigation Steps

  1. Identify the pattern first — count failures per source IP and per target account. Brute force is many failures against one account; spray is many accounts from one IP.
  2. Check Sub Status codes: 0xC000006A = wrong password (guessing), 0xC0000064 = unknown username (probing), 0xC0000234 = account already locked.
  3. Check Caller Computer Name in 4740 events — this field identifies the machine generating the bad passwords, which may be a compromised internal host or an external attacker.
  4. Look for Event ID 4624 (successful logon) for any of the targeted accounts after the failure spike — this is the highest priority finding. A success means the attack worked.
  5. For internet-facing systems (VPN, RDP, OWA), check whether the source IP is external — block it at the firewall immediately and check threat intelligence feeds for reputation.
  6. For internal source IPs, the originating machine may itself be compromised — investigate that machine for malware, credential-harvesting tools, or attacker tooling.
  7. Check whether targeted service accounts have had recent password changes — service accounts lock out when a service is still using an old password.
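The triage logic from steps 1, 2 and 4 above, together with the two SIEM alert thresholds given under Remediation (10+ failures within 5 minutes from one source; 5+ distinct accounts from one IP within 10 minutes), as an added Python example that is not part of the original guide. The event records are constructed for illustration (the attacker IP reuses the value from the example log entry; the internal hosts and account names are made up), and the event tuple layout is an assumption standing in for whatever fields your EVTX parser emits.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 8, 0, 0)  # start of the constructed observation window

def at(sec):
    return T0 + timedelta(seconds=sec)

# Constructed sample events, not real log data: (timestamp, event_id, account, source_ip, sub_status).
SAMPLE_EVENTS = (
    # brute force: 12 wrong passwords for Administrator from one IP, then a 4624 success
    [(at(10 * i), 4625, "Administrator", "185.220.101.47", "0xC000006A") for i in range(12)]
    + [(at(150), 4624, "Administrator", "185.220.101.47", None)]
    # password spray: one guess each against six accounts from one internal host, plus a username probe
    + [(at(200 + 30 * i), 4625, f"user{i}", "10.0.0.23", "0xC000006A") for i in range(6)]
    + [(at(240), 4625, "backup_svc", "10.0.0.23", "0xC0000064")]
    # benign: a user mistyping twice from their own workstation
    + [(at(300), 4625, "jdoe", "10.0.0.50", "0xC000006A"), (at(320), 4625, "jdoe", "10.0.0.50", "0xC000006A")]
)

def _failures_by_ip(events):
    """Step 1: group 4625 events as (timestamp, account) per source IP."""
    by_ip = defaultdict(list)
    for ts, eid, acct, ip, _sub in events:
        if eid == 4625:
            by_ip[ip].append((ts, acct))
    return by_ip

def failure_spikes(events, window=timedelta(minutes=5), threshold=10):
    """SIEM rule 1: source IPs with threshold+ failures inside any window."""
    return {ip for ip, items in _failures_by_ip(events).items()
            if any(sum(1 for t, _ in items if t0 <= t <= t0 + window) >= threshold
                   for t0, _ in items)}

def spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """SIEM rule 2: source IPs failing against min_accounts+ distinct accounts inside any window."""
    return {ip for ip, items in _failures_by_ip(events).items()
            if any(len({a for t, a in items if t0 <= t <= t0 + window}) >= min_accounts
                   for t0, _ in items)}

def success_after_spike(events, window=timedelta(minutes=5), threshold=10):
    """Step 4: (account, ip) pairs where a 4624 follows threshold+ failures for that account."""
    return [(acct, ip) for ts, eid, acct, ip, _ in events if eid == 4624
            and sum(1 for t, e, a, _i, _s in events
                    if e == 4625 and a == acct and ts - window <= t < ts) >= threshold]

def sub_status_summary(events):
    """Step 2: failures per Sub Status code (0xC000006A wrong password, 0xC0000064 unknown user)."""
    return dict(Counter(sub for _, eid, _a, _i, sub in events if eid == 4625))
```

On the sample data the brute-force host trips rule 1 and the success-after-spike check, the internal host trips only the spray rule, and the two mistyped logons from jdoe trip nothing.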


Common False Positives

  • User mistyping their password — a handful of failures (fewer than 5) for one account from their workstation, especially during morning hours, is almost certainly benign.
  • Cached credentials after a password change — Windows caches domain credentials. After a password change, a laptop that was offline will repeatedly fail with the old cached password until updated.
  • Service accounts with a stale password — a Windows service configured with a domain account password that was changed will generate continuous 4625 failures. Check Caller Computer Name and Services on that host.
  • Monitoring or vulnerability scanning tools — some authenticated scanners test credentials. Verify against your scheduled scan windows and scanner IP ranges.
  • MFA-protected systems during enrollment — some MFA systems generate temporary failures during token enrollment flows.

Remediation

  • Block the attacking IP at the firewall immediately if it is an external address generating hundreds of failures.
  • Enable account lockout policy if not already configured — recommended: lock after 10 failures, reset counter after 15 minutes, lockout duration 15 minutes.
  • Enforce MFA on all accounts exposed to network authentication — VPN, OWA, RDP, and admin portals are highest priority.
  • Disable or rename the built-in Administrator account — it is the most commonly targeted account in brute-force attacks.
  • For exposed RDP: restrict to VPN-only or use RD Gateway. Never expose RDP port 3389 directly to the internet.
  • Implement a SIEM alert: 10+ failures within 5 minutes from a single source, or 5+ different accounts failing from the same IP within 10 minutes.
  • Rotate credentials for any account that received failures, especially if a subsequent successful logon was observed.

Related Event IDs

4625 · Failed logon — the core failure event
4740 · Account lockout — confirms attack crossed threshold
4771 · Kerberos pre-auth failed — Kerberos equivalent of 4625
4624 · Successful logon — check for success after failure spike
4648 · Explicit credential logon — may follow successful credential theft
