EventPeeker
Event ID 4625 · Audit Failure · Security · T1110

Windows Event ID 4625: Failed Logon

Logged every time an account fails to authenticate via NTLM or local SAM. A single failure is normal; the security signal comes from volume, distribution, and pattern — many failures against one account is brute force, many different accounts from one IP is password spray, and Sub Status 0xC0000064 in bulk is account enumeration. Note: Kerberos failures on domain controllers appear as Event ID 4771 instead.

MITRE ATT&CK

Technique

T1110 · Brute Force

Tactic

Credential Access

View on attack.mitre.org →

Why It Matters

4625 is the primary NTLM credential attack indicator. Attackers use automated tools to spray common passwords across accounts or hammer a single account to force a lockout. Left undetected, these attacks lead to account compromise and lateral movement. Because 4625 only covers NTLM and local authentication, a DC showing low 4625 volume but active Kerberos traffic still needs 4771 analysis — relying on 4625 alone creates a blind spot for Kerberos-protocol credential attacks.

Key Fields

Sub Status Code: The precise failure reason. 0xC000006A = wrong password (correct username — attacker knows the account exists); 0xC0000064 = username does not exist (enumeration); 0xC000006D = generic logon failure; 0xC0000234 = account locked out; 0xC0000072 = account disabled; 0xC000006F = logon outside allowed hours; 0xC0000071 = password expired; 0xC0000193 = account expired
Account Name: The targeted account — Administrator, service account names, and Domain Admin members are the highest-value targets
Source Network Address: The IP the authentication attempt originated from — the key field for identifying and blocking the attacking host
Logon Type: 3 = Network (most attack traffic, including SMB and WMI); 2 = Interactive (local/console attack); 10 = RDP brute force. Type tells you the attack vector.
Workstation Name: Hostname of the source — compare with Source Network Address; a mismatch suggests the source host is spoofing its name or acting as a pivot
Authentication Package: NTLM or Negotiate — most automated spray tools lock to NTLM; Kerberos failures appear as 4771 on DCs rather than here

Investigation Tips

  1. Brute force: 20+ failures against the same Account Name from the same Source Network Address within 5 minutes, all with Sub Status 0xC000006A (wrong password). The correct username + wrong password means the attacker already knows valid account names.
  2. Password spray: one Source Network Address, 5+ distinct Account Names, short window, all 0xC000006A — attacker is trying one or two common passwords across many accounts to stay below the lockout threshold per account.
  3. Account enumeration precursor: bulk failures with Sub Status 0xC0000064 (username does not exist). This is the recon phase — attacker is probing to find which account names are valid before launching credential attacks.
  4. Correlate with 4740 (account lockout) — if your lockout policy is configured, high-volume brute force against a single account will trigger lockouts. Lockout events confirm the threshold was crossed and identify which accounts were targeted.
  5. Credential attack success: 4625 spike from a source IP followed by a 4624 from the same source = attacker succeeded. The time gap between last failure and first success is your detection window. If it's hours, your alerting needs tuning.
  6. RDP brute force (Type 10): failures from an external or VPN IP you don't recognize, usually in bursts. Correlate with firewall logs — many RDP brute-force tools pause between attempts to evade rate limiting.
  7. 4625 does not capture Kerberos failures on domain controllers — if a DC shows low 4625 volume but you see suspicious authentication patterns, check Event ID 4771 on the same DC for the Kerberos-protocol view.
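The brute-force, spray, enumeration and success-after-failure patterns from the tips above, as an added Python example that is not part of the EventPeeker page: it applies the stated thresholds (20+ failures in 5 minutes against one account, 5+ distinct accounts from one source, bulk 0xC0000064, a 4624 following 4625s from the same source) to constructed sample records. The record layout, the `detect` function and the sample `EVENTS` are assumptions of this example, not a real parser output.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the page): one dict per event, holding only
# the 4625/4624 fields the tips above use. Times are offsets from 09:00.
def _ev(eid, secs, account, src, sub=None):
    return {"id": eid, "time": datetime(2024, 1, 1, 9) + timedelta(seconds=secs),
            "account": account, "src": src, "sub": sub}

EVENTS = (
    # brute force: 20 wrong-password failures against one account in ~3 min, then a 4624
    [_ev(4625, 10 * i, "Administrator", "10.0.0.5", "0xC000006A") for i in range(20)]
    + [_ev(4624, 400, "Administrator", "10.0.0.5")]
    # password spray: one source, six distinct accounts, one wrong password each
    + [_ev(4625, 600 + i, f"user{i}", "10.0.0.9", "0xC000006A") for i in range(6)]
    # enumeration: invalid usernames probed from a third host
    + [_ev(4625, 900 + i, f"guess{i}", "10.0.0.7", "0xC0000064") for i in range(8)]
)

def detect(events, window=timedelta(minutes=5), bf_min=20, spray_min=5, enum_min=5):
    """Return (label, source, detail) findings for the four patterns in the tips."""
    fails = sorted((e for e in events if e["id"] == 4625), key=lambda e: e["time"])
    by_pair, by_src = defaultdict(list), defaultdict(list)
    for e in fails:
        by_pair[(e["src"], e["account"])].append(e)
        by_src[e["src"]].append(e)
    findings = []
    # brute force: bf_min+ wrong-password failures for one (source, account) in a sliding window
    for (src, acct), evs in by_pair.items():
        times = [e["time"] for e in evs if e["sub"] == "0xC000006A"]
        if any(bisect_right(times, t + window) - i >= bf_min for i, t in enumerate(times)):
            findings.append(("brute_force", src, acct))
    for src, evs in by_src.items():
        # password spray: spray_min+ distinct accounts, all wrong password, inside one window
        for i, e in enumerate(evs):
            accts = {x["account"] for x in evs[i:]
                     if x["sub"] == "0xC000006A" and x["time"] <= e["time"] + window}
            if len(accts) >= spray_min:
                findings.append(("password_spray", src, len(accts))); break
        # enumeration: bulk "username does not exist" failures from one source
        if (n := sum(e["sub"] == "0xC0000064" for e in evs)) >= enum_min:
            findings.append(("enumeration", src, n))
    # success after failures: a 4624 from a source with earlier 4625s; the gap is the detection window
    for e in events:
        prior = [f["time"] for f in by_src.get(e["src"], []) if f["time"] < e["time"]]
        if e["id"] == 4624 and prior:
            findings.append(("success_after_failures", e["src"], e["time"] - max(prior)))
    return findings
```

Raising `bf_min` or `spray_min` above the sample volumes makes the corresponding finding disappear, which is the same tuning trade-off the tips describe for real lockout thresholds.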

Related Event IDs

4624: Successful logon — success from the same source after failures = credential attack succeeded
4740: Account lockout — confirms brute force crossed the lockout threshold
4771: Kerberos pre-auth failed — the Kerberos equivalent on domain controllers
4776: NTLM credential validation failure — DC-side NTLM failure event
4648: Explicit credential logon — RunAs or network authentication using alternate credentials

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.
