Event ID 4625 - An account failed to log on
JSON log sample (nxlog im_msvistalog output):
{
  "EventTime": "2017/08/25 14:09:12",
  "Hostname": "CIVDCS-ADC1.changeme.com",
  "Keywords": -9218868437227405312,
  "EventType": "AUDIT_FAILURE",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 4625,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 12544,
  "OpcodeValue": 0,
  "RecordNumber": 56611365,
  "ProcessID": 528,
  "ThreadID": 4672,
  "Channel": "Security",
  "Message": "An account failed to log on.",
  "Category": "Logon",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-0-0",
  "SubjectUserName": "-",
  "SubjectDomainName": "-",
  "SubjectLogonId": "0x0",
  "TargetUserSid": "S-1-0-0",
  "TargetUserName": "MININT-UP26I95$",
  "TargetDomainName": "changeme",
  "Status": "0xc000006d",
  "FailureReason": "%%2313",
  "SubStatus": "0xc000006a",
  "LogonType": "3",
  "LogonProcessName": "NtLmSsp ",
  "AuthenticationPackageName": "NTLM",
  "WorkstationName": "MININT-UP26I95",
  "TransmittedServices": "-",
  "LmPackageName": "-",
  "KeyLength": "0",
  "ProcessName": "-",
  "IpAddress": "172.23.130.64",
  "IpPort": "65284",
  "EventReceivedTime": "2017/08/25 14:09:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}
This event is very important and highly valuable. It documents every failed attempt to log on to the local computer, regardless of logon type, the user's location, or the type of account.
Subject User Information:
"SubjectUserSid"
"SubjectUserName"
"SubjectDomainName"
"SubjectLogonId"
These fields identify the account that requested the logon, not the account that actually tried to log on. From an audit perspective this information is usually of little interest, but there are cases where you will want to look at it. To find out which account tried to log on, refer to the Target User Information below.
Target User Information:
"TargetUserSid" -> SID of the account
"TargetUserName" -> the user who attempted to log on
"TargetDomainName" -> domain name of the user
"TargetLogonId" -> a number that is unique between reboots and identifies the logon session
These fields describe the account that just attempted to log on. To determine whether the account is local or a domain account, compare TargetDomainName to the computer name: if they match, the account is a local account on that system; otherwise it is a domain account.
Type of logon:
"LogonType" -> This defines the type of logon. Possible values are as follows:
logon_type | description
--- | ---
2 | Interactive
3 | Network
4 | Batch
5 | Service
7 | Unlock
8 | NetworkCleartext
9 | NewCredentials
10 | RemoteInteractive
11 | CachedInteractive
Status and Sub Status Code:
status / sub_status code | description
--- | ---
0xC000005E | There are currently no logon servers available to service the logon request.
0xC0000064 | User name does not exist.
0xC000006A | User name is correct but the password is wrong.
0xC000006D | This is either due to a bad user name or bad authentication information.
0xC000006E | Unknown user name or bad password.
0xC000006F | User tried to log on outside their day-of-week or time-of-day restrictions.
0xC0000070 | Workstation restriction or Authentication Policy Silo violation (look for event ID 4820 on the domain controller).
0xC0000071 | Expired password.
0xC0000072 | Account is currently disabled.
0xC00000DC | Indicates the SAM server was in the wrong state to perform the desired operation.
0xC0000133 | Clocks between the DC and the other computer are too far out of sync.
0xC000015B | The user has not been granted the requested logon type (the logon right) at this machine.
0xC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192 | An attempt was made to log on but the Netlogon service was not started.
0xC0000193 | Account expired.
0xC0000224 | User is required to change password at next logon.
0xC0000225 | Evidently a bug in Windows and not a risk.
0xC0000234 | User is currently locked out.
0xC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
Failure Reason:
failure reason | information
--- | ---
%%2305 | The specified user account has expired.
%%2309 | The specified account's password has expired.
%%2310 | Account currently disabled.
%%2311 | Account logon time restriction violation.
%%2312 | User not allowed to logon at this computer.
%%2313 | Unknown user name or bad password.
Network Information:
"IpAddress" -> IP address of the computer where the user is physically present
"IpPort" -> source TCP port of the logon request
"WorkstationName" -> name of the computer where the user is physically present. WorkstationName may be blank in some Kerberos logons.
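As an added example (not code from the original post), the following Python script reads one raw nxlog-style 4625 record like the sample above and turns the Status, SubStatus, LogonType and FailureReason fields into the human-readable meanings from the tables, and applies the local-vs-domain rule on TargetDomainName. The sample record, its hostname, domain and IP address are constructed placeholders; the field names are the ones shown in the log sample.

```python
import json

# Constructed nxlog-style JSON record for Event ID 4625, modelled on the log
# sample above; hostname, domain and IP address are placeholders.
SAMPLE_EVENT = json.dumps({
    "EventTime": "2017/08/25 14:09:12", "Hostname": "CIVDCS-ADC1.changeme.com",
    "EventID": 4625, "SubjectUserName": "-", "SubjectDomainName": "-",
    "TargetUserSid": "S-1-0-0", "TargetUserName": "MININT-UP26I95$",
    "TargetDomainName": "changeme", "Status": "0xc000006d",
    "FailureReason": "%%2313", "SubStatus": "0xc000006a", "LogonType": "3",
    "AuthenticationPackageName": "NTLM", "WorkstationName": "MININT-UP26I95",
    "IpAddress": "172.23.130.64", "IpPort": "65284",
})

# Lookup tables transcribed from the tables in the post (abbreviated wording).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
STATUS_CODES = {
    0xC000005E: "no logon servers available",
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "unknown user name or bad password",
    0xC000006F: "logon outside day-of-week or time-of-day restrictions",
    0xC0000070: "workstation restriction or Authentication Policy Silo violation",
    0xC0000071: "expired password",
    0xC0000072: "account is currently disabled",
    0xC00000DC: "SAM server in the wrong state",
    0xC0000133: "clock skew between DC and computer too large",
    0xC000015B: "user has not been granted the requested logon type",
    0xC000018C: "trust relationship with the trusted domain failed",
    0xC0000192: "Netlogon service not started",
    0xC0000193: "account expired",
    0xC0000224: "user must change password at next logon",
    0xC0000225: "Windows bug, not a risk",
    0xC0000234: "user is currently locked out",
    0xC0000413: "authentication firewall: account not allowed on this machine",
}
FAILURE_REASONS = {
    "%%2305": "The specified user account has expired.",
    "%%2309": "The specified account's password has expired.",
    "%%2310": "Account currently disabled.",
    "%%2311": "Account logon time restriction violation.",
    "%%2312": "User not allowed to logon at this computer.",
    "%%2313": "Unknown user name or bad password.",
}


def parse_ntstatus(value):
    """Parse an NTSTATUS string such as '0xc000006a' (any case) into an int.
    Returns 0 for '-' or a missing value so a malformed record does not abort."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return 0


def decode_4625(raw_json):
    """Turn one raw 4625 record into a normalised, human-readable dict."""
    ev = json.loads(raw_json)
    if ev.get("EventID") != 4625:
        raise ValueError("not an Event ID 4625 record")
    status = parse_ntstatus(ev.get("Status"))
    substatus = parse_ntstatus(ev.get("SubStatus"))
    logon_type = int(ev.get("LogonType") or 0)
    computer = ev.get("Hostname", "").split(".")[0]  # short name before the FQDN dot
    target_domain = ev.get("TargetDomainName", "")
    # Local account if TargetDomainName equals the computer name, else domain account.
    scope = "local" if target_domain.casefold() == computer.casefold() else "domain"
    return {
        "time": ev.get("EventTime"),
        "computer": computer,
        "target_user": ev.get("TargetUserName"),
        "target_domain": target_domain,
        "account_scope": scope,
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, f"unknown ({logon_type})"),
        "status": f"0x{status:08X}",
        "status_text": STATUS_CODES.get(status, "unrecognised status"),
        "substatus": f"0x{substatus:08X}",
        "substatus_text": STATUS_CODES.get(substatus, "unrecognised sub-status"),
        "failure_reason": FAILURE_REASONS.get(ev.get("FailureReason"), ev.get("FailureReason")),
        "source_ip": ev.get("IpAddress"),
        "source_port": ev.get("IpPort"),
        "workstation": ev.get("WorkstationName") or None,  # blank in some Kerberos logons
        "auth_package": ev.get("AuthenticationPackageName"),
    }


if __name__ == "__main__":
    for key, value in decode_4625(SAMPLE_EVENT).items():
        print(f"{key:18} {value}")
```

The SubStatus is the field worth keying on: in the sample the Status 0xC000006D only says "bad user name or authentication information", while the SubStatus 0xC000006A narrows it to a wrong password for an existing account, which is what a triage rule needs.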
Why should you monitor this event?
- To detect brute-force, dictionary, and other password-guessing attacks. Monitor for a sudden spike in failed logons.
- To detect abnormal and possibly malicious internal activity. Monitor for logon attempts from a disabled account or an unauthorized workstation, users logging on outside normal working hours, etc.
- To benchmark the Account lockout threshold policy setting. Determine the number of failed logon attempts before a user account gets locked.
- To comply with regulatory mandates, which require precise information about failed logons.
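As an added example (not part of the original post), the following Python script implements the first three monitoring use cases over a batch of 4625 records: a sliding-window spike of failures from one source address, one source failing against many distinct accounts, any attempt against a disabled account (SubStatus 0xC0000072), and the observed lockout threshold (wrong-password failures per account before the first 0xC0000234 "locked out" result). The records, account names and IP addresses are constructed for the example; thresholds and window size are assumptions to tune for your environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _rec(time, ip, user, substatus):
    """Build a constructed, trimmed nxlog-style 4625 record (placeholder data)."""
    return json.dumps({"EventID": 4625, "EventTime": time, "IpAddress": ip,
                       "TargetUserName": user, "TargetDomainName": "changeme",
                       "SubStatus": substatus, "LogonType": "3"})


# Constructed sample log: five wrong passwords for one account followed by a
# lockout, one source probing three different accounts, and one attempt
# against a disabled account. None of these hosts or users are real.
SAMPLE_LOG = [
    _rec("2017/08/25 14:09:12", "172.23.130.64", "alice", "0xc000006a"),
    _rec("2017/08/25 14:09:13", "172.23.130.64", "alice", "0xc000006a"),
    _rec("2017/08/25 14:09:14", "172.23.130.64", "alice", "0xc000006a"),
    _rec("2017/08/25 14:09:15", "172.23.130.64", "alice", "0xc000006a"),
    _rec("2017/08/25 14:09:16", "172.23.130.64", "alice", "0xc000006a"),
    _rec("2017/08/25 14:09:17", "172.23.130.64", "alice", "0xc0000234"),
    _rec("2017/08/25 14:20:01", "10.0.0.7", "bob", "0xc000006a"),
    _rec("2017/08/25 14:20:02", "10.0.0.7", "carol", "0xc000006a"),
    _rec("2017/08/25 14:20:03", "10.0.0.7", "dave", "0xc000006a"),
    _rec("2017/08/25 15:01:00", "10.0.0.9", "svc-old", "0xc0000072"),
]

WRONG_PASSWORD, DISABLED, LOCKED_OUT = 0xC000006A, 0xC0000072, 0xC0000234


def _parse_time(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


def analyse_failed_logons(lines, window=timedelta(minutes=5),
                          spike_threshold=5, spray_threshold=3):
    """Return a list of (alert_type, key, detail) tuples; each rule fires once per key."""
    alerts, fired = [], set()
    recent = defaultdict(deque)          # source ip -> timestamps inside the window
    accounts_by_ip = defaultdict(set)    # source ip -> distinct target accounts
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4625:
            continue
        t, ip = _parse_time(ev["EventTime"]), ev.get("IpAddress", "-")
        user, sub = ev.get("TargetUserName", "-"), int(ev.get("SubStatus", "0"), 16)
        # Rule 1: any logon attempt against a disabled account.
        if sub == DISABLED:
            alerts.append(("disabled_account_attempt", user, f"from {ip} at {ev['EventTime']}"))
        # Rule 2: spike of failures from one source inside a sliding time window.
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= spike_threshold and ("spike", ip) not in fired:
            fired.add(("spike", ip))
            alerts.append(("failed_logon_spike", ip,
                           f"{len(q)} failures within {int(window.total_seconds())}s"))
        # Rule 3: one source failing against many distinct accounts.
        accounts_by_ip[ip].add(user)
        if len(accounts_by_ip[ip]) >= spray_threshold and ("spray", ip) not in fired:
            fired.add(("spray", ip))
            alerts.append(("password_spray_pattern", ip,
                           f"{len(accounts_by_ip[ip])} distinct accounts"))
    return alerts


def observed_lockout_threshold(lines):
    """Per account: wrong-password failures seen before the first 'locked out' result.
    Compare the value with the configured Account lockout threshold policy."""
    wrong, observed = defaultdict(int), {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4625:
            continue
        user, sub = ev["TargetUserName"], int(ev["SubStatus"], 16)
        if sub == WRONG_PASSWORD:
            wrong[user] += 1
        elif sub == LOCKED_OUT and user not in observed:
            observed[user] = wrong[user]
    return observed


if __name__ == "__main__":
    for alert in analyse_failed_logons(SAMPLE_LOG):
        print(alert)
    print("observed lockout threshold:", observed_lockout_threshold(SAMPLE_LOG))
```

In production the input would be the stream from the log collector rather than an in-memory list; the rules are deliberately keyed on the raw SubStatus and IpAddress fields so they work without the decoding step, and the `fired` set keeps one noisy source from producing an alert per event.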