Data Source: Windows Event Log Security 4625

Date: 2025-07-10

ID: 365a02c2-7d18-4baf-b76e-d90c20bbe6ed

Author: Patrick Bareiss, Splunk

Description

Logs an event when an account fails to log on to a system.

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`XmlWinEventLog`
Separator	EventCode

Name ▲▼	Technique ▲▼	Type ▲▼
Detect Password Spray Attempts	Password Spraying	TTP
Detect Password Spray Attack Behavior From Source	Password Spraying	TTP
Detect Password Spray Attack Behavior On User	Password Spraying	TTP
Windows Local Administrator Credential Stuffing	Credential Stuffing	TTP
Windows Multiple Users Failed To Authenticate From Process	Password Spraying	TTP
Windows Multiple Users Remotely Failed To Authenticate From Host	Password Spraying	TTP
Windows Unusual Count Of Users Failed To Authenticate From Process	Password Spraying	Anomaly
Windows Unusual Count Of Users Remotely Failed To Auth From Host	Password Spraying	Anomaly

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.1.2)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActivityID</span>
  
  <span class="pill kill-chain">AuthenticationPackageName</span>
  
  <span class="pill kill-chain">Caller_Domain</span>
  
  <span class="pill kill-chain">Caller_User_Name</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">Error_Code</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">FailureReason</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">IpAddress</span>
  
  <span class="pill kill-chain">IpPort</span>
  
  <span class="pill kill-chain">KeyLength</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">LmPackageName</span>
  
  <span class="pill kill-chain">LogonProcessName</span>
  
  <span class="pill kill-chain">LogonType</span>
  
  <span class="pill kill-chain">Logon_ID</span>
  
  <span class="pill kill-chain">Logon_Type</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">ProcessId</span>
  
  <span class="pill kill-chain">ProcessName</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">Source_Port</span>
  
  <span class="pill kill-chain">Source_Workstation</span>
  
  <span class="pill kill-chain">Status</span>
  
  <span class="pill kill-chain">SubStatus</span>
  
  <span class="pill kill-chain">Sub_Status</span>
  
  <span class="pill kill-chain">SubjectDomainName</span>
  
  <span class="pill kill-chain">SubjectLogonId</span>
  
  <span class="pill kill-chain">SubjectUserName</span>
  
  <span class="pill kill-chain">SubjectUserSid</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">TargetDomainName</span>
  
  <span class="pill kill-chain">TargetUserName</span>
  
  <span class="pill kill-chain">TargetUserSid</span>
  
  <span class="pill kill-chain">Target_Domain</span>
  
  <span class="pill kill-chain">Target_User_Name</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">TransmittedServices</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">WorkstationName</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_nt_domain</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">name</span>
  
  <span class="pill kill-chain">process</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">session_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">src_port</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">ta_windows_action</span>
  
  <span class="pill kill-chain">ta_windows_status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::app</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_group</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2023-03-22T20:25:15.594676400Z'/><EventRecordID>367348</EventRecordID><Correlation ActivityID='{6C54D781-5C05-0000-8CD7-546C055CD901}'/><Execution ProcessID='588' ThreadID='3564'/><Channel>Security</Channel><Computer>ar-win-8.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>Administrator</Data><Data Name='TargetDomainName'>builtin</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>-</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>10.0.1.30</Data><Data Name='IpPort'>59450</Data></EventData></Event>

Required Output Fields

action
app
authentication_method
dest
signature
signature_id
src
user

Source: GitHub | Version: 3

Data Source: Windows Event Log Security 4625

Description

Details

Related Detections

Supported Apps

Event Fields

Example Log

Required Output Fields