Questions about Failed login events 4625

barinder singh 1 Reputation point
2021-01-10T16:48:36.21+00:00

Hi Everybody,

I have a few questions about failed login events.

Last month, a few of our servers got affected by ransomware. We have applied failed-login monitoring. We are getting lots of alerts with event ID 4025.

> An account failed to log on.

> Subject:

> Security ID:S-1-0-0

> Account Name:-

> Account Domain:-

> Logon ID:0x0

> Logon Type:3

> 

> Account For Which Logon Failed:

> Security ID:S-1-0-0

> Account Name:administrator

> Account Domain:cwau.local

> 

> Failure Information:

> Failure Reason:Unknown user name or bad password.

> Status:0xC000006D

> Sub Status:0xC000006A

> 

> Process Information:

> Caller Process ID:0x0

> Caller Process Name:-

> Network Information:

> Workstation Name:Win10

> Source Network Address:10.0.10.10

> Source Port:64244

> Detailed Authentication Information:

> Logon Process:NtLmSsp 

> Authentication Package:NTLM

> Transited Services:-

> Package Name (NTLM only):-

> Key Length:0

> This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The

This is an example event. I have read the documentation about event ID 4025. This event logs the user account 'Administrator' trying to access a resource from the Win10 workstation. Still, I have a few questions.

  1. Where can I start troubleshooting?
  2. Is there a way to know, with PowerShell or CMD, where this user account's credentials are saved?
  3. Do I need to log in with the account name for which the login failed, or can I troubleshoot from a different user account?

Thanks in advance.
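The first question (where to start) is usually answered by the events themselves once they are tabulated rather than read one at a time. The script below is an added example, not code from the original post or from Microsoft: it pulls event 4625 from the Security log of the server that logged it and groups the failures by source address, workstation, target account, logon type and sub-status, so that one source repeating "Wrong password" against one account stands out from scattered noise. It assumes an elevated PowerShell session on that server; the lookback window `$Hours` and the sub-status table (taken from the event 4625 documentation) are the only inputs.

```powershell
# Added example, not code from the original post: summarise event 4625 on the
# server that logged it, grouping by source address, target account, logon type
# and sub-status. Run in an elevated PowerShell on that server. The lookback
# window ($Hours) is an assumed default.
param([int]$Hours = 24)

# Sub-status meanings as listed in the event 4625 documentation.
$subStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
    '0xc0000224' = 'Password change required'
}

# Read one named <Data> field from the event's EventData XML; '-' when absent.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    $text = if ($null -ne $node) { $node.'#text' } else { $null }
    if ($text) { $text } else { '-' }
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

# One flat row per failed logon with the fields that matter for triage.
$rows = foreach ($ev in $events) {
    $x   = [xml]$ev.ToXml()
    $sub = (Get-EventField $x 'SubStatus').ToLower()
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Source      = Get-EventField $x 'IpAddress'
        Workstation = Get-EventField $x 'WorkstationName'
        Account     = "$(Get-EventField $x 'TargetDomainName')\$(Get-EventField $x 'TargetUserName')"
        LogonType   = Get-EventField $x 'LogonType'
        Package     = Get-EventField $x 'AuthenticationPackageName'
        Reason      = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { $sub }
    }
}

# One line per (source, workstation, account, logon type, reason) with a count
# and the time span. A single source repeating 'Wrong password' against one
# account, as in the event quoted in the question, is the first line to chase.
$rows |
    Group-Object Source, Workstation, Account, LogonType, Reason |
    ForEach-Object {
        $g = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Count       = $_.Count
            Source      = $g[0].Source
            Workstation = $g[0].Workstation
            Account     = $g[0].Account
            LogonType   = $g[0].LogonType
            Package     = $g[0].Package
            Reason      = $g[0].Reason
            FirstSeen   = $g[0].Time
            LastSeen    = $g[-1].Time
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Reading the output: a steady trickle from one source at a fixed interval with logon type 3 and "Wrong password" is the signature of a stored credential that was never updated (a service, task or mapped drive on that host), while many accounts from one source or one account from many sources points at something that needs the security team rather than a password reset. Because the event shows the NTLM package and a blank Caller Process, the source host is the only place the originating process can be identified.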


3 answers

  1. Thameur-BOURBITA 32,496 Reputation points
    2021-01-10T21:20:19.52+00:00

    Hi,

    1) Where can I start troubleshooting?

    You can start from Source Network Address 10.0.10.10, where the user tries to log in with a bad password.
    It seems NTLM authentication failed; it can be a bad password or an unsupported protocol (when NTLMv1 is disabled and the user tries to use it).

    2) Is there a way to know, with PowerShell or CMD, where this user account's credentials are saved?

    Check if there is any scheduled task, script, service, etc. running with the account on Source Network Address 10.0.10.10.

    3) Do I need to log in with the account name for which the login failed, or can I troubleshoot from a different user account?

    If it's not locked you can use it, or you can troubleshoot using another account.


    Please don't forget to mark this helpful reply as the answer if it helps you fix your issue.

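The answer's second point (check tasks, scripts and services running as the account on the source host) can be done in one pass. The script below is an added example, not the answerer's code: run on the host named in "Source Network Address" (the Win10 workstation in the question), it lists scheduled tasks whose principal is the account, services whose log-on account is the account, Credential Manager entries saved under that user name, and persistent SMB mappings. `$Account` is an assumed default; `cmdkey /list` reports targets and user names only, never the stored secret.

```powershell
# Added example, not code from the answer above: run on the host named in
# "Source Network Address" to list where a stale credential for an account is
# commonly cached: scheduled tasks, services, Credential Manager entries and
# persistent SMB mappings. $Account is an assumed default.
param([string]$Account = 'administrator')

$esc = [regex]::Escape($Account)
# Match 'administrator', 'CWAU\administrator', '.\administrator' or
# 'administrator@cwau.local', but not 'localadministrator2'.
$principalPattern = "(^|\\)$esc($|@)"
# cmdkey prints 'User: DOMAIN\user' or 'User: user' lines.
$cmdkeyPattern    = "User:\s+(\S*\\)?$esc($|@)"

Write-Host "== Scheduled tasks running as $Account =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $principalPattern } |
    Select-Object TaskPath, TaskName, State,
                  @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } } |
    Format-Table -AutoSize

Write-Host "== Services whose log-on account is $Account =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $principalPattern } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize

Write-Host "== Credential Manager entries stored for $Account =="
# Show the two lines before each matching 'User:' line so the Target the
# credential is saved for is visible alongside it.
cmdkey /list |
    Select-String -Pattern $cmdkeyPattern -Context 2, 0

Write-Host "== Persistent SMB mappings from this host =="
Get-SmbMapping -ErrorAction SilentlyContinue |
    Select-Object LocalPath, RemotePath, Status |
    Format-Table -AutoSize
```

Two caveats a practitioner will hit: `cmdkey /list` only shows the vault of the user running it, so it has to be run in the session of whichever user logs on to that workstation (a stored credential in another profile stays invisible), and a service or task that runs as the account will keep producing 4625 at every start or trigger until its stored password is updated or the principal is changed, which is exactly the repeating pattern the server-side event summary shows.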

  2. Dave Patrick 426.1K Reputation points MVP
    2021-01-10T17:02:26.82+00:00

  3. Vicky Wang 2,646 Reputation points
    2021-01-11T09:31:13.38+00:00

    Event Description:

    This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.

    It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.

    This event generates on domain controllers, member servers, and workstations.

    Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    Hope this information can help you
    Best wishes
    Vicky
