on Jun 3, 2017Overview
We all are so familiar with the 4625 as a failed logon, but did you know that the 4625 has more details relating to why the login failed? I kept these notes regarding this event to write reports for a customer. These notes show the metakeys of interest and also break down the event status and sub status codes.
Parser Version Notes
Recently there were some parser modification to the windows event parsers that changed the metakeys that the status code and sub status code were kept. This table below was compiled from what I have seen in the field.
| Parser Name | Update | Status Code Metakey | Sub Status Code Metakey |
|---|---|---|---|
winevent_nic winevent_er winevent_snare | 102 and earlier | disposition | result.code |
winevent_nic winevent_er winevent_snare | some versions between 102-106 | result.code | fld (throw away) |
winevent_nic winevent_er winevent_snare | 106 (5/24/17) and later | result.code | context (currently not in default Concentrator index) |
Metakeys of Interest
| Metakey Name | Description |
|---|---|
| device.ip | Device IP - System that reported this event |
| reference.id | Windows EventID |
| domain | Windows domain name or local computername for local computer logon |
| user.dst | User account that is failing to login. This can also be a computer account, which ends with a "$". |
| logon.type | Windows Logon Types: 2 - Interactive Console Logon 3 - Network Logon - Background logon, usually for network drives and other shared resources. 4 - Batch - Job scheduling systems or other applications. 5 - Service - Applications that run as a service with user credentials. 7 - Unlock - Console Unlock of password protected screen using local keyboard. 8 - Network Clear Text - Credentials are sent in the clear, IIS basic authentication mode for example. 9 - RunAs - When you right click and use "Run As" on an application. 10 - Remote - Using RDP session to remotely logon.
Logon Types 2,3,10 are the most common |
| ip.src | Source IP of system that attempted to logon |
| alias.host | Hostname of the system that attempted to logon |
| event.computer | Computer that this event 4625 occurred on - someone failed to logon to this system. |
| disposition | Status Code - See the table above regarding this metakey |
| result.code | Status Code or Sub Status Code - See the table above regarding this metakey |
| context | Sub Status Code - See the table above regarding this metakey |
NOTE: The following metakeys are not in the default index and will need to be added to the custom table map and custom concentrator/broker indexes.
event.computer
context
disposition
Status\Sub-Status Code Description
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4625
| Status/Sub Status Code | Description |
|---|---|
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account (Uknown User) |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information |
| 0XC000006E | Unknown user name or bad password. |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon, but the Netlogon service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
Sample Queries
The sample queries below cover both sets of metakeys generated by the older and newer updated parsers.
User Does Not Exist - Status Code 0xc000006D Sub Status Code 0xC0000064
medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006d' && context = '0xC0000064') || (disposition = '0xc000006d' && result.code = '0xC0000064')) && (not(user.dst ends '$'))
User Bad Password-Status Code 0xc000006D Sub Status Code 0xC000006A
medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006d' && context = '0xC000006A') || (disposition = '0xc000006d' && result.code = '0xC000006A')) && (not(user.dst ends '$'))
Disabled User Accounts - Status Code 0xc000006E Sub Status Code 0xc0000072
medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000072') || (disposition = '0xc000006e' && result.code = '0xC0000072')) && (not(user.dst ends '$'))
Logon with Expired Password - Status Code 0xc000006E Sub Status Code 0xc0000071
medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000071') || (disposition = '0xc000006e' && result.code = '0xC0000071')) && (not(user.dst ends '$'))
User Must Change Password at Next Logon
medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((disposition = '0xc0000224' && result.code = '0x0') || ((not(disposition exists)) && result.code = '0xc0000224' && context = '0x0')) && (not(user.dst ends '$'))
User Was Not Granted Rights to Logon - Status Code 0xc000015B Sub Status Code 0x0
medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000015b' && context = '0x0') || (disposition = '0xc000015b' && result.code = '0x0')) && (not(user.dst ends '$'))
Attachments
Windows4625CustomColumns-EventView.jsn.zip - Custom column view for the "Events" view in Investigation.
Investigation-->Events, it's the drop down right next to "Profile". Choose "Manage Column Groups" and import the .jsn file.
Report-User Failed Logon Attempts (4625) FINAL.zip - Windows 4625 Report based on the sample rules in this post. Just import into the Report Engine.
Thanks for taking the time to bring this up, Leonard.
Don't forget the importance of 4624 and 4634. Take this one step further an put it in the ESA. Using this method you can also detect a simple brute force attempt. Say, for example, 100 login attempts followed by a success with in one minute. Use it to find low and slow activity, odd authentication behavior, ops (service logins failing), and so on. This subject is very powerful and often overlooked but is a important factor in any advanced detection implementation.
Tom J