SOC Event Lookup
Event ID 4625LogonP1

Windows Event ID 4625: An account failed to log on

Windows Security Event ID 4625 records an unsuccessful logon attempt and is a core source for investigating brute-force activity, password spraying, and account lockout reports.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

The event is generated when Windows authentication fails for an interactive, network, remote desktop, service, or other logon attempt. The Logon Type field identifies the authentication context.

Key Fields

Account For Which Logon Failed

The account name supplied to the authentication attempt. When the account does not exist, this may be attacker-controlled input rather than a valid directory account.

Failure Reason / Status / Sub Status

These fields explain why authentication failed. Common sub-status values include 0xC000006A for a bad password, 0xC0000064 for an unknown user, 0xC0000234 for a locked account, and 0xC0000072 for a disabled account.

Logon Type

The logon method. Type 2 is console, Type 3 is network access such as SMB, and Type 10 is RemoteInteractive (RDP). Type 10 deserves focused review during remote-access investigations.

Source Network Address / Source Port

The client address and port observed by the target host. These fields are essential for grouping attempts, identifying attack infrastructure, and distinguishing local from remote failures.

Common False Positives

  • Users can generate a small number of failures while entering an old or mistyped password.
  • A service account with an outdated stored credential can create periodic, highly regular failures after a password rotation.
  • Mapped drives, scheduled tasks, and applications may retry cached credentials automatically after a password change.

Related Events

MITRE ATT&CK Mapping

  • T1110.001Brute Force: Password Guessing
  • T1110.003Brute Force: Password Spraying
  • T1078Valid Accounts

Detection Notes

T1110.001/T1110.003 detection should separate Sub Status 0xC000006A (valid account, bad password) from 0xC0000064 (unknown account). More than 10 failures in a 5-minute window from one Source Network Address against many accounts is a starting spray threshold, while Logon Type 10 isolates RDP and Type 3 isolates SMB. Correlate a following 4624 success.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4625
| summarize FailedCount = count() by TargetAccount = Account, IpAddress, bin(TimeGenerated, 5m)
| where FailedCount > 10
| order by FailedCount desc
Splunk SPL
index=wineventlog EventCode=4625
| bucket _time span=5m
| stats count as FailedCount by _time, Account_Name, Source_Network_Address
| where FailedCount > 10
Sample Log
Account For Which Logon Failed: CORP\jsmith
Failure Reason: Unknown user name or bad password
Status: 0xC000006D
Sub Status: 0xC000006A
Logon Type: 3
Source Network Address: 10.x.x.x
Source Port: 51422

Source