Leonard Chvilicek

Analyst's Reference: Windows 4625

Blog post created by Leonard Chvilicek on Jun 3, 2017

Overview

We are all familiar with 4625 as the failed logon event, but did you know that a 4625 also records why the logon failed?  I kept these notes on this event while writing reports for a customer.  They show the metakeys of interest and break down the event's status and sub status codes.

 

Parser Version Notes

Recently there were some modifications to the Windows event parsers that changed the metakeys in which the status code and sub status code are stored.  The table below was compiled from what I have seen in the field; check which parser version your Log Decoders run before writing queries against these keys.

 

Parser Name                                  Update                           Status Code Metakey   Sub Status Code Metakey
winevent_nic, winevent_er, winevent_snare    102 and earlier                  disposition           result.code
winevent_nic, winevent_er, winevent_snare    some versions between 102-106    result.code           fld (throw away)
winevent_nic, winevent_er, winevent_snare    106 (5/24/17) and later          result.code           context (currently not in the default Concentrator index)

 

Metakeys of Interest

Metakey Name      Description

device.ip         Device IP - the system that reported this event (the log source, which is not necessarily the system where the logon failed; see event.computer)

reference.id      Windows Event ID (4625 here)

domain            Windows domain name, or the local computer name for a logon to a local account

user.dst          User account that is failing to log on.  This can also be a computer account, which ends with a "$".

logon.type        Windows logon type:

                    2  - Interactive - console logon at the local keyboard

                    3  - Network - background logon, usually for network drives and other shared resources (SMB, most IIS access)

                    4  - Batch - job scheduling systems (scheduled tasks) or other applications

                    5  - Service - a service started by the Service Control Manager with user credentials

                    7  - Unlock - unlocking a password-protected screen at the local keyboard

                    8  - NetworkCleartext - credentials are sent in the clear, IIS basic authentication mode for example

                    9  - NewCredentials - "runas /netonly": the caller keeps its local identity but supplies different credentials for outbound network connections (a plain "Run as" produces an Interactive logon, type 2)

                    10 - RemoteInteractive - logging on remotely over an RDP/Terminal Services session

                  Logon types 2, 3 and 10 are the most common.

ip.src            Source IP of the system that attempted to log on.  Windows records "-" here for logon types that have no network source, so this key can be empty.

alias.host        Hostname of the system that attempted to log on

event.computer    Computer on which this 4625 was logged - someone failed to log on to this system

disposition       Status code (parser 102 and earlier) - see the parser version table above

result.code       Status code or sub status code, depending on parser version - see the parser version table above

context           Sub status code (parser 106 and later) - see the parser version table above

NOTE:  The following metakeys are not in the default index and will need to be added to the custom table map and custom concentrator/broker indexes.

   event.computer

   context

   disposition

 

Status / Sub Status Code Descriptions

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4625

 

Status/Sub Status Code   Description
0xC000005E               There are currently no logon servers available to service the logon request.
0xC0000064               User logon with a misspelled or bad user account (unknown user name).
0xC000006A               User logon with a misspelled or bad password.
0xC000006D               Logon failed due to a bad user name or bad authentication information; the sub status says which.
0xC000006E               Account restriction (STATUS_ACCOUNT_RESTRICTION): the user name and credentials are valid but a restriction on the account blocked the logon; the sub status says which (disabled, expired password, logon hours, workstation).  Microsoft's page lists this as "Unknown user name or bad password", which is misleading.
0xC000006F               User logon outside authorized hours.
0xC0000070               User logon from an unauthorized workstation.
0xC0000071               User logon with an expired password.
0xC0000072               User logon to an account disabled by an administrator.
0xC00000DC               The SAM server was in the wrong state to perform the desired operation.
0xC0000133               Clocks between the DC and the other computer are too far out of sync.
0xC000015B               The user has not been granted the requested logon type (logon right) at this machine.
0xC000018C               The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192               An attempt was made to log on, but the Netlogon service was not started.
0xC0000193               User logon with an expired account.
0xC0000224               User is required to change the password at next logon.
0xC0000225               Microsoft's description: evidently a bug in Windows and not a risk.
0xC0000234               User logon with a locked account.
0xC00002EE               Failure reason: an error occurred during logon.
0xC0000413               Logon failure: the machine you are logging onto is protected by an authentication firewall.  The specified account is not allowed to authenticate to the machine.
0x0                      Status OK.  Appears as the sub status when the status code alone carries the reason (for example 0xC0000224 or 0xC000015B).

 
Sample Queries

The sample queries below cover both sets of metakeys generated by the older and newer parsers (see the parser version table above): the clause guarded by not(disposition exists) matches the newer result.code/context layout, and the disposition = ... clause matches the older disposition/result.code layout.  Each query also excludes computer accounts (user.dst ending in "$").

 

User Does Not Exist - Status Code 0xc000006D Sub Status Code 0xC0000064

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006d' && context = '0xC0000064') || (disposition = '0xc000006d' && result.code = '0xC0000064')) && (not(user.dst ends '$'))

 

User Bad Password-Status Code 0xc000006D Sub Status Code 0xC000006A

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006d' && context = '0xC000006A') || (disposition = '0xc000006d' && result.code = '0xC000006A')) && (not(user.dst ends '$'))

 

Disabled User Accounts - Status Code 0xc000006E Sub Status Code 0xc0000072

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000072') || (disposition = '0xc000006e' && result.code = '0xC0000072')) && (not(user.dst ends '$'))

 

Logon with Expired Password - Status Code 0xc000006E Sub Status Code 0xc0000071

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000071') || (disposition = '0xc000006e' && result.code = '0xC0000071')) && (not(user.dst ends '$'))

 

User Must Change Password at Next Logon - Status Code 0xc0000224 Sub Status Code 0x0

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((disposition = '0xc0000224' && result.code = '0x0') || ((not(disposition exists)) && result.code = '0xc0000224' && context = '0x0')) && (not(user.dst ends '$'))

 

User Was Not Granted Rights to Logon - Status Code 0xc000015B Sub Status Code 0x0

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000015b' && context = '0x0') || (disposition = '0xc000015b' && result.code = '0x0')) && (not(user.dst ends '$'))
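The same classification carried out offline, as an added example that is not part of the original post or of the NetWitness parsers: it normalizes a record from either parser layout in the parser version table into a (status, sub status) pair, decodes the codes with the status table and the logon type list above, drops computer accounts, and maps each record to the category its sample query above selects.  Records are Python dicts keyed by the metakey names this post lists, with values as a parser would emit them; they are assumed to be already limited to Windows hosts (the medium = 32 && device.class = 'windows hosts' clause), and the sample records are constructed, not real logs.

```python
"""Classify Windows 4625 failed-logon meta the way the sample queries above do.

Added example, not from the original post. Records are dicts keyed by the
metakey names listed in the post, assumed pre-filtered to Windows hosts.
"""

# Status / sub status descriptions, condensed from the table in this post.
NTSTATUS = {
    "0xc000005e": "no logon servers available",
    "0xc0000064": "unknown user name",
    "0xc000006a": "bad password",
    "0xc000006d": "bad user name or authentication information",
    "0xc000006e": "account restriction (see sub status)",
    "0xc000006f": "logon outside authorized hours",
    "0xc0000070": "logon from unauthorized workstation",
    "0xc0000071": "password expired",
    "0xc0000072": "account disabled",
    "0xc00000dc": "SAM server in wrong state",
    "0xc0000133": "clock skew between DC and client too large",
    "0xc000015b": "logon type not granted on this machine",
    "0xc000018c": "trust relationship failed",
    "0xc0000192": "Netlogon service not started",
    "0xc0000193": "account expired",
    "0xc0000224": "must change password at next logon",
    "0xc0000225": "Windows bug, not a risk",
    "0xc0000234": "account locked out",
    "0xc00002ee": "error during logon",
    "0xc0000413": "blocked by authentication firewall",
    "0x0": "status OK",
}

LOGON_TYPE = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
              "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
              "10": "RemoteInteractive"}

# (status, sub status) -> the category each sample query in this post selects.
CATEGORY = {
    ("0xc000006d", "0xc0000064"): "user does not exist",
    ("0xc000006d", "0xc000006a"): "bad password",
    ("0xc000006e", "0xc0000072"): "disabled account",
    ("0xc000006e", "0xc0000071"): "expired password",
    ("0xc0000224", "0x0"): "must change password",
    ("0xc000015b", "0x0"): "not granted logon right",
}


def normalize(meta):
    """Return (status, substatus), lower-cased, for either parser layout.

    Parser 102 and earlier: status in disposition, sub status in result.code.
    Parser 106 and later:   status in result.code, sub status in context.
    Versions in between dropped the sub status into the throwaway 'fld' key,
    so those records come back with an empty sub status and classify as 'other'.
    """
    if "disposition" in meta:
        return meta["disposition"].lower(), meta.get("result.code", "").lower()
    return meta.get("result.code", "").lower(), meta.get("context", "").lower()


def classify(meta):
    """Decode one record; None if it is not a 4625 or is a computer account ($)."""
    if meta.get("reference.id") != "4625":
        return None
    user = meta.get("user.dst", "")
    if user.endswith("$"):          # the sample queries exclude computer accounts
        return None
    status, sub = normalize(meta)
    # The sub status carries the specific reason; when it is 0x0 the status does.
    reason = NTSTATUS.get(status if sub == "0x0" else sub, "unknown")
    return {
        "user": user,
        "domain": meta.get("domain", ""),
        "src": meta.get("ip.src", ""),
        "target": meta.get("event.computer", ""),
        "logon_type": LOGON_TYPE.get(meta.get("logon.type", ""), "other"),
        "status": status,
        "substatus": sub,
        "reason": reason,
        "category": CATEGORY.get((status, sub), "other"),
    }


# Constructed sample records (not real logs): one per parser layout, plus a
# computer account that the queries exclude.
SAMPLES = [
    {"reference.id": "4625", "user.dst": "jdoe", "domain": "CORP", "ip.src": "10.1.2.3", "event.computer": "FS01",
     "logon.type": "3", "disposition": "0xC000006D", "result.code": "0xC000006A"},      # parser 102 layout
    {"reference.id": "4625", "user.dst": "svc_backup", "domain": "CORP", "ip.src": "10.1.2.9", "event.computer": "DC01",
     "logon.type": "4", "result.code": "0xC000006E", "context": "0xC0000072"},          # parser 106 layout
    {"reference.id": "4625", "user.dst": "WS42$", "domain": "CORP", "ip.src": "10.1.2.42", "event.computer": "DC01",
     "logon.type": "3", "result.code": "0xC000006D", "context": "0xC0000064"},          # computer account
    {"reference.id": "4625", "user.dst": "ghost", "domain": "FS01", "ip.src": "10.1.2.77", "event.computer": "FS01",
     "logon.type": "10", "result.code": "0xC0000224", "context": "0x0"},                # parser 106 layout
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(classify(rec))
```

Codes are lower-cased before comparison because the two parser generations and the Windows event text do not agree on hex case; when writing the equivalent NetWitness query, match the case your parser actually writes to the metakey.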

 

Attachments

Windows4625CustomColumns-EventView.jsn.zip - Custom column view for the "Events" view in Investigation.

In Investigation --> Events, open the drop-down right next to "Profile", choose "Manage Column Groups" and import the .jsn file.

 

Report-User Failed Logon Attempts (4625) FINAL.zip - Windows 4625 Report based on the sample rules in this post. Just import into the Report Engine.
