Windows Event ID 4625 — Failed Logon
Logged every time an account fails to authenticate via NTLM or local SAM. A single failure is normal; the security signal comes from volume, distribution, and pattern — many failures against one account is brute force, many different accounts from one IP is password spray, and Sub Status 0xC0000064 in bulk is account enumeration. Note: Kerberos failures on domain controllers appear as Event ID 4771 instead.
MITRE ATT&CK
T1110 · Brute Force
Credential Access
Why It Matters
4625 is the primary NTLM credential attack indicator. Attackers use automated tools to spray common passwords across accounts or hammer a single account to force a lockout. Left undetected, these attacks lead to account compromise and lateral movement. Because 4625 only covers NTLM and local authentication, a DC showing low 4625 volume but active Kerberos traffic still needs 4771 analysis — relying on 4625 alone creates a blind spot for Kerberos-protocol credential attacks.
Key Fields
Investigation Tips
1. Brute force: 20+ failures against the same Account Name from the same Source Network Address within 5 minutes, all with Sub Status 0xC000006A (wrong password). The correct username + wrong password means the attacker already knows valid account names.
2. Password spray: one Source Network Address, 5+ distinct Account Names, short window, all 0xC000006A — attacker is trying one or two common passwords across many accounts to stay below the lockout threshold per account.
3. Account enumeration precursor: bulk failures with Sub Status 0xC0000064 (username does not exist). This is the recon phase — attacker is probing to find which account names are valid before launching credential attacks.
4. Correlate with 4740 (account lockout) — if your lockout policy is configured, high-volume brute force against a single account will trigger lockouts. Lockout events confirm the threshold was crossed and identify which accounts were targeted.
5. Credential attack success: 4625 spike from a source IP followed by a 4624 from the same source = attacker succeeded. The time gap between last failure and first success is your detection window. If it's hours, your alerting needs tuning.
6. RDP brute force (Type 10): failures from an external or VPN IP you don't recognize, usually in bursts. Correlate with firewall logs — many RDP brute-force tools pause between attempts to evade rate limiting.
7. 4625 does not capture Kerberos failures on domain controllers — if a DC shows low 4625 volume but you see suspicious authentication patterns, check Event ID 4771 on the same DC for the Kerberos-protocol view.
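The three patterns from tips 1 to 3 and the failure-to-success correlation from tip 5, applied to a constructed set of events in Python; this is an added example, not code from the page or from EventPeeker. Field names follow the 4625 event XML (TargetUserName, IpAddress, SubStatus), the thresholds are the page's, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): minimal 4625/4624 records.
def _ev(ts, eid, user, ip, sub=None):
    return {"t": datetime.fromisoformat(ts), "EventID": eid,
            "TargetUserName": user, "IpAddress": ip, "SubStatus": sub}

SAMPLE = (
    # Brute force: 20 bad-password failures for one account, then a 4624 success.
    [_ev(f"2024-01-01T09:00:{i:02d}", 4625, "jsmith", "10.0.0.5", "0xC000006A") for i in range(20)]
    + [_ev("2024-01-01T09:12:00", 4624, "jsmith", "10.0.0.5")]
    # Password spray: one source, 6 distinct accounts, one failure each.
    + [_ev(f"2024-01-01T10:00:{i:02d}", 4625, f"user{i}", "10.0.0.9", "0xC000006A") for i in range(6)]
    # Enumeration: failures for usernames that do not exist.
    + [_ev(f"2024-01-01T11:00:{i:02d}", 4625, f"ghost{i}", "10.0.0.7", "0xC0000064") for i in range(4)]
    # Background noise: a single mistyped password.
    + [_ev("2024-01-01T12:00:00", 4625, "alice", "10.0.0.2", "0xC000006A")]
)

def classify_4625(events, bf_window=timedelta(minutes=5), bf_min=20,
                  spray_window=timedelta(minutes=30), spray_min=5, enum_min=3):
    """Group failures into fixed time bins (like KQL bin()) and apply the page's thresholds."""
    epoch = datetime(1970, 1, 1)
    bf, spray, enum = defaultdict(int), defaultdict(set), defaultdict(int)
    for e in events:
        if e["EventID"] != 4625:
            continue
        if e["SubStatus"] == "0xC000006A":    # wrong password, valid username
            bf[(e["TargetUserName"], e["IpAddress"], (e["t"] - epoch) // bf_window)] += 1
            spray[(e["IpAddress"], (e["t"] - epoch) // spray_window)].add(e["TargetUserName"])
        elif e["SubStatus"] == "0xC0000064":  # username does not exist
            enum[e["IpAddress"]] += 1
    return {
        "brute_force": sorted({(u, ip) for (u, ip, _), n in bf.items() if n >= bf_min}),
        "password_spray": sorted({ip for (ip, _), users in spray.items() if len(users) >= spray_min}),
        "enumeration": sorted(ip for ip, n in enum.items() if n >= enum_min),
    }

def detection_window(events, ip):
    """Tip 5: gap between the last 4625 and the first later 4624 from one source IP, or None."""
    fails = [e["t"] for e in events if e["EventID"] == 4625 and e["IpAddress"] == ip]
    succ = [e["t"] for e in events if e["EventID"] == 4624 and e["IpAddress"] == ip]
    if not fails or not succ:
        return None
    last_fail = max(fails)
    later = [t for t in succ if t > last_fail]
    return (min(later) - last_fail) if later else None

if __name__ == "__main__":
    print(classify_4625(SAMPLE))
    print("detection window for 10.0.0.5:", detection_window(SAMPLE, "10.0.0.5"))
```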
Detection Logic
Microsoft Sentinel (KQL) — detect brute force (20+ failures against one account in 5 min) and password spray (1 source IP targeting 5+ distinct accounts).
```kql
// Brute force: 20+ failures against one account from one source within 5 minutes
SecurityEvent
| where EventID == 4625
| summarize FailCount=count() by TargetAccount, IpAddress, bin(TimeGenerated, 5m)
| where FailCount >= 20
| sort by TimeGenerated desc
```

```kql
// Password spray: one IP targeting 5+ distinct accounts within 30 minutes
// make_set(TargetAccount) lists the sprayed accounts for triage; the result is
// already grouped by IpAddress, so collecting IpAddress again would be redundant.
SecurityEvent
| where EventID == 4625
| summarize Accounts=dcount(TargetAccount), TargetedAccounts=make_set(TargetAccount)
    by IpAddress, bin(TimeGenerated, 30m)
| where Accounts >= 5
| extend Alert = "Password spray — one source targeting multiple accounts"
| sort by TimeGenerated desc
```

Seeing Event ID 4625 in your own logs? Upload an .evtx file — EventPeeker flags failed logon automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.
Frequently Asked Questions
- Why am I getting so many Event ID 4625 failed logon events?
- Multiple legitimate causes generate 4625: a user mistyping their password, a service configured with an old credential, a laptop cached with a stale password reconnecting to the domain, or a scheduled task with an expired account. Check the SubStatus code first — 0xC000006A (wrong password) from one account occasionally is normal. What's not normal: the same SubStatus from one source IP across many accounts (password spray), 20+ failures for one account within 5 minutes from one IP (brute force), or failures for accounts that don't exist (0xC0000064, account enumeration). Use the source IP and account variance to distinguish attack from noise.
- Is Event ID 4625 always a sign of an attack?
- No. Single failed logons are routine — users mistype passwords, services have stale credentials, and laptops reconnect with cached passwords. Attack patterns are defined by volume, velocity, and spread: brute force shows many failures for one account from one IP in rapid succession; password spray shows one or two failures per account across many accounts from one IP in a short window; credential stuffing hits many accounts from many IPs. Check the Failure Reason and SubStatus fields — 0xC000006A (bad password) repeatedly is suspicious; 0xC0000064 (no such user) in bulk is account enumeration.
- How do I tell the difference between brute force and password spray in Event ID 4625?
- Brute force: many 4625 failures for the same TargetUserName from the same source IP — attacker is hammering one account with many passwords. Password spray: one or two failures per TargetUserName, but many different TargetUserNames from the same source IP — attacker is trying one common password across the entire org to stay under lockout thresholds. In your SIEM: group 4625 by SourceIPAddress; brute force = one IP, one account, count > 10; spray = one IP, many distinct TargetUserNames, failures spread evenly. Spray is less likely to trigger lockouts but equally effective.
- My account keeps locking out — how do I find the source using Event ID 4625?
- Filter 4625 for your account name (TargetUserName) and look at the IpAddress field — this shows where the failed attempts are coming from. Also check the Workstation Name field if IpAddress is blank (common for Type 2 interactive lockouts). Correlate with Event 4740 (account lockout) on the DC — 4740 includes the Caller Computer Name that triggered the lockout. Common culprits: a phone or tablet cached with an old password, a mapped drive with saved credentials, or an old RDP session reconnecting automatically. If IpAddress shows an external IP, treat it as an active attack.
Go deeper: the full Event ID 4625 — Failed Logon guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.