top of page

Login Failure Anomaly Detection – Analyzing Microsoft Windows Event Log 4625 Event ID for Enhanced Security

In the ever-evolving landscape of cybersecurity, preemptive identification of anomalous activities is critical, particularly when addressing login failures. The 4625 Event ID proves instrumental as an essential indicator, warranting meticulous attention to specific anomalies. Here's an in-depth exploration of anomaly detection criteria within the Microsoft Windows Event Log associated with the 4625 Event ID:



Microsoft Windows Event Log 4625 Event ID Anomalies Detection Rules


1. Event ID 4625 with 5 or More Attempts and SubStatus 0x0000064 or StatusCode 0x000006A within 2 Minutes:


  • Criteria:

  • Event ID 4625.

  • 5 or more login attempts within a 2-minute window.

  • SubStatus of 0x0000064 or StatusCode of 0x000006A.

  • Valid username with an incorrect password.

  • Exclude users with names ending in '$'.

  • Significance:

  • Identification of recurrent failed login attempts within a brief timeframe, hinting at a potential brute-force attack.

2. Event ID 4625 with 20 or More Attempts, LogonType (3 or 10), Same Source Address, and Same Username within 5 Minutes:


  • Criteria:

  • Event ID 4625.

  • 20 or more login attempts within a 5-minute span.

  • LogonType of 3 (network-based) or 10 (remote service/terminal service).

  • Same source address and username.

  • Exclude users with names ending in '$'.

  • Significance:

  • Surveillance of numerous failed login attempts from an identical source and username, potentially indicative of a coordinated attack.

3. Event ID 4625 with 10 or More Attempts, Different Usernames, StatusCode 0x0000064, Same Source Address within 5 Minutes:


  • Criteria:

  • Event ID 4625.

  • 10 or more login attempts within a 5-minute window.

  • Different usernames.

  • StatusCode of 0x0000064 (indicating a non-existent username).

  • Same source address.

  • Significance:

  • Identification of multiple failed login attempts with varied usernames but the same source address, suggesting a systematic exploration of potential usernames.

By vigilantly monitoring these specific anomalies, security teams can strengthen their defenses against potential threats, mitigating risks associated with unauthorized access attempts. Regularly excluding specific user patterns ensures a focused and precise anomaly detection strategy. Remember, a proactive and watchful stance towards anomaly detection is crucial for maintaining a secure digital environment.

47 views0 comments

Comments


bottom of page