Overview
We all are so familiar with the 4625 as a failed logon, but did you know that the 4625 has more details relating to why the login failed? I kept these notes regarding this event to write reports for a customer. These notes show the metakeys of interest and also break down the event status and sub status codes. The event will appear on the system that the failed attempt occurred. This event generates on domain controllers, member servers, and workstations.
Full Metakey and Sample Data List - Commonly Used Keys Highlighted
|
Metakey Name |
Sample Data |
Meta Origin |
Description |
| sessionid | 3060968 | NetWitness | Session ID that can be used in Investigate to retrieve this specific event |
| time | 08-26-2021T06:49:27.000PMZ | NetWitness | Log Decoder Collection Time - This will be later than event.time |
| size | 2704 | NetWitness | Size of Log Data |
| did | logdecoderdev40 | NetWitness | Decoder that processed the event |
| device.ip | 10.0.0.102 | NetWitness | IP Address of the Device that Sent the Event - if using a WEC, this will be the WEC IP address |
| medium | 32 | NetWitness | Network Medium (32 = Logs) |
| device.type | windows | NetWitness | Device Parser used to Create the meta (device.type='windows' in this case) |
| device.class | Windows Hosts | NetWitness | Overall Class of devices, allows grouping of several device types into single category.
Simplifies queries, for example: device.type = 'windows','winevent_nic','winevent_er','winevent_snare' Is the same as: device.class = 'windows hosts' |
| header.id | 0001 | NetWitness | Log Parser Header Number |
| client | NWE | Raw Log | Indicating this is an Endpoint Agent performing the log collection on the device. |
| ip.addr | 10.0.0.102 | Raw Log | IP address of the system that generated the event |
| netname | private misc,private src | NetWitness | generated by the Traffic Flow Lua Parser on the Log Decoder |
| alias.host | LAB-WIN10 | Raw Log | Computer short hostname where the event occurred |
| event.source | Microsoft Windows security auditing. | Raw Log | Provider Name |
| severity | Information | Raw Log | Log Event Level |
| category | Logon | Raw Log | Category of Event |
| version | 0 | Raw Log | Version |
| event.type | Audit Failure | Raw Log | Keywords Field |
| event.computer | LAB-WIN10.lab.local | Raw Log | Fully Qualified hostname where the 4625 event occurred |
| event.user | Raw Log | DOMAIN\Username is captured here - It is empty for 4625 event | |
| user.dst | badusernamegoodpass | Raw Log | Username that was used to attempt the logon - this value can also be a computer account (ends with $) |
| domain | lab | Raw Log | The target domain name used to attempt the authentication against - typcially auto prepended to user above |
| event.desc | An account failed to log on. | Raw Log | Generic Description of event |
| logon.type | 3 | Raw Log | Logon Type - See Table 1 below |
| result | Unknown user name or bad password. | Raw Log | Generic description of logon failure |
| result.code | 0xC000006D | Raw Log | Status Code - See Table 2 below |
| context | 0xC0000064 | Raw Log | Substatus Code - See Table 2 below |
| host.src | VIDEO | Raw Log | Source computer name being used to attempt the logon |
| ip.src | 10.0.0.146 | Raw Log | Source computer IP address being used to attempt the logon |
| ip.srcport | 0 | Raw Log | Source port that was used for logon attempt from remote machine - 0 for interactive logons |
| process | NtLmSsp | Raw Log | Logon process name |
| ec.theme | Authentication | NetWitness | Normalization metakey generated by NetWitness |
| ec.subject | User | NetWitness | Normalization metakey generated by NetWitness |
| ec.activity | Logon | NetWitness | Normalization metakey generated by NetWitness |
| ec.outcome | Failure | NetWitness | Normalization metakey generated by NetWitness |
| reference.id | 4625 | Raw Log | Windows Event ID |
| logon.type.desc | network | NetWitness | Normalization metakey generated by NetWitness |
| event.time | 08-26-2021T06:48:38.000PMZ | Raw Log | Actual time that event occurred, this is different from "Colleciton Time" |
| disposition | FAILURE | NetWitness | Normalization metakey generated by NetWitness |
| msg.id | Security_4625 | NetWitness | The message line matching in the Log Parser |
| event.cat.name | User.Activity.Failed Logins | NetWitness | Normalization metakey generated by NetWitness |
| device.disc | 95 | NetWitness | Device Discovery Confidence level for automatic parser mapping |
| device.disc.type | windows | NetWitness | Assigned parser |
| device.group | All Windows Event Source(s) | NetWitness | Event Source Device Group in |
| alert.id | account:logon-failure | NetWitness | Legacy metakey generated by Log Decoder Application Rule |
| inv.category | assurance,identity,identity,threat | NetWitness | Provided Investigation Categorization |
| inv.context | audit,compliance,authentication,action on objectives,attack phase,authentication,lateral movement | NetWitness | Provided Investigation Context |
| feed.name | investigation,investigation | NetWitness | Feed names that create the NetWitness sourced meta |
| ioc | pass the hash | NetWitness | Indicator of compromise |
| attack.tactic | defense-evasion,lateral-movement | NetWitness | MITRE ATT&CK Mapping - Tactic |
| attack.technique | pass the hash | NetWitness | MITRE ATT&CK Mapping - Technique |
| attack.tid | T1550.002 | NetWitness | MITRE ATT&CK Mapping - Technique ID |
Table 1 - "logon.type" Metakey values
|
Logon Type |
Logon Title |
Description |
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
Table 2 - "result.code" and "context" Metakey values
|
Status\Sub-Status Code |
Description |
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | The cause is either a bad username or authentication information |
| 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
| 0XC000015B | The user has not been granted the requested logon type (also called the logon right) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon, but the Netlogon service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
| 0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
Parser Metakey Changes
There have been some Windows Parser changes over the years that have moved the Status/SubStatus codes to different metakeys. See the table noted below for these changes.
|
Date |
Status Code |
Substatus Code |
|---|---|---|
| Before 5/24/2017 | disposition | result.code |
| After 5/24/2017 | result.code | context |
To account for this change the queries will need the "OR" statement in the query for data collected prior to 5/24/2017
((result.code = '0xc000006d' && context = '0xC0000064') || (disposition = '0xc000006d' && result.code = '0xC0000064'))
This may be required to effectively query data from an archiver with an older dataset prior to 5/24/2017.
Sample Queries
The sample queries below cover both sets of metakeys generated by the older and newer updated parsers.
User Does Not Exist - Status Code 0xc000006D Sub Status Code 0xC0000064
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006d' && context = '0xC0000064') || (disposition = '0xc000006d' && result.code = '0xC0000064')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xc000006d' AND context='0xC0000064' ) OR ( disposition='0xc000006d' AND result.code='0xC0000064' ) ) AND ( NOT(user.dst ends '$') ) |
Valid User - Bad Password - Status Code 0xc000006D Sub Status Code 0xC000006A
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006d' && context = '0xC000006A') || (disposition = '0xc000006d' && result.code = '0xC000006A')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xc000006d' AND context='0xC000006A' ) OR ( disposition='0xc000006d' AND result.code='0xC000006A' ) ) AND ( NOT(user.dst ends '$') ) |
Logon with Disabled Account - Status Code 0xc000006E Sub Status Code 0xc0000072
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006e' && context = '0xC0000072') || (disposition = '0xc000006e' && result.code = '0xC0000072')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xc000006e' AND context='0xC0000072' ) OR ( disposition='0xc000006e' AND result.code='0xC0000072' ) ) AND ( NOT(user.dst ends '$') ) |
Logon with Expired Account - Status Code 0xC0000193 Sub Status Code 0xC0000193
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xC0000193' && context = '0xC0000193') || (disposition = '0xC0000193' && result.code = '0xC0000193')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xC0000193' AND context='0xC0000193' ) OR ( disposition='0xC0000193' AND result.code='0xC0000193' ) ) AND ( NOT(user.dst ends '$') ) |
User Must Change Password at Next Logon (Forced by Admin or Expired) - Status Code 0xc0000224 Sub Status Code 0x0
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc0000224' && context = '0x0') || (disposition = '0xc0000224' && result.code = '0x0')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xc0000224' AND context='0x0' ) OR ( disposition='0xc0000224' AND result.code='0x0' ) ) AND NOT(user.dst ends '$') |
User Logon Outside Predefined Working Hours - Status Code 0xc000006E Sub Status Code 0xc000006F
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006e' && context = '0xc000006f') || (disposition = '0xc000006e' && result.code = '0xc000006f')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xc000006e' AND context='0xc000006f' ) OR ( disposition='0xc000006e' AND result.code='0xc000006f' ) ) AND ( NOT(user.dst ends '$') ) |
Logon Attempt to Non Permitted System (Not on Approved Computer List) - Status Code 0xc000006E Sub Status Code 0xc0000070
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006e' && context = '0xC0000070') || (disposition = '0xc000006e' && result.code = '0xC0000070')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0xc000006e' AND context='0xC0000070' ) OR ( disposition='0xc000006e' AND result.code='0xC0000070' ) ) AND ( NOT(user.dst ends '$') ) |
User Logon Not Allowed on This Computer - Status Code 0XC000015B Sub Status Code 0x0
|
Query Syntax |
Query Sample |
|---|---|
| NWDB Traditional | medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0XC000015B' && context = '0x0') || (disposition = '0XC000015B' && result.code = '0x0')) && (not(user.dst ends '$')) |
| NWDB Simplified 11.6+ | medium=32 AND device.class='windows hosts' AND reference.id='4625' AND ( ( result.code='0XC000015B' AND context='0x0' ) OR ( disposition='0XC000015B' AND result.code='0x0' ) ) AND NOT(user.dst ends '$') |
Group Policy Required
Set "Audit Logon" to "Success and Failure". Note this should be the default for servers but not for workstations.
Reference
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
2 Comments
