Windows Critical Security-Related Events 4625 and 4771

Windows Event IDs 4625 and 4771 are security-related events that record failed authentication attempts. Both are written to the Windows Security log and are essential for monitoring and investigating potential security breaches, brute-force and password-spraying attacks, or misconfigured systems. They are logged in different places: 4625 is written on the machine where the logon was attempted (a workstation, file server or domain controller), while 4771 is written only on the domain controller acting as the Kerberos Key Distribution Center (KDC). Neither appears unless the corresponding audit subcategory is enabled for failures: Logon/Logoff > Audit Logon for 4625 and Account Logon > Audit Kerberos Authentication Service for 4771. Below is a detailed breakdown of these event IDs:

Event ID 4625: An account failed to log on
This event is logged when a user or system attempts to log on to a Windows machine but fails due to invalid credentials or other authentication issues. It covers every authentication package (NTLM, Kerberos, Negotiate) and every logon type, so a failed RDP logon, a failed SMB share access and a failed service start all produce a 4625 on the target machine. For a domain account authenticated with NTLM, the domain controller additionally logs 4776; for Kerberos, the domain controller logs 4771 or a failed 4768 instead.

Key Details in Event 4625:
1. Subject: The account that requested the logon on behalf of the user, not the account that failed. For network and RDP attempts this is usually the NULL SID (S-1-0-0) or SYSTEM; it identifies a real user only in cases such as RunAs, where one user's session requests a logon for another account.

  • Security ID (SID): The SID of the account that initiated the logon attempt.
  • Account Name: The username of the account that attempted to log on.
  • Account Domain: The domain of the account.

2. Logon Type: Indicates the method used for the logon attempt. Common logon types include:

  • 2: Interactive logon (console or local logon).
  • 3: Network logon (e.g., accessing a shared resource). With Network Level Authentication enabled, a bad RDP password is rejected during CredSSP and is logged as type 3, so failed RDP guessing usually appears here rather than as type 10.
  • 4: Batch logon (scheduled task).
  • 5: Service logon (a service starting under a configured account).
  • 7: Unlock of a locked workstation.
  • 8: NetworkCleartext (e.g., IIS Basic authentication).
  • 9: NewCredentials (e.g., `runas /netonly`).
  • 10: Remote interactive logon (RDP, when the credential check happens at the session rather than during NLA).
  • 11: Cached interactive logon (domain credentials validated against the local cache while the domain controller is unreachable).

3. Account That Failed to Log On:

  • Security ID (SID): The SID of the account that failed to authenticate; this is the NULL SID (S-1-0-0) when the user name does not exist or could not be resolved.
  • Account Name: The username that failed to log on.
  • Account Domain: The domain of the failed account.

4. Failure Information:

  • Failure Reason: The reason for the failure (e.g., "Unknown user name or bad password").
  • Status: The NTSTATUS code for the failure. For credential failures this is usually the generic `0xC000006D` (STATUS_LOGON_FAILURE), and the specific cause is in Sub Status. Other Status values are specific on their own, such as `0xC0000234` (account locked out), `0xC0000072` (account disabled), `0xC0000071` (password expired) and `0xC0000193` (account expired).
  • Sub Status: The specific reason behind a generic Status, e.g. `0xC0000064` for "User name does not exist" or `0xC000006A` for "Incorrect password". The Failure Reason text is the same for both, so the Sub Status is what separates password guessing against real accounts from user-name enumeration.

5. Process Information:

  • Caller Process Name: The process that initiated the logon attempt (e.g., `C:\Windows\System32\winlogon.exe` for a console logon or `svchost.exe` for a service start). For network logons this field is `-` and the PID is `0x0`, because the request arrived over the network rather than from a local process.
  • Caller Process ID: The PID of the process.

6. Network Information (if applicable):

  • Workstation Name: The NetBIOS name of the client machine, as supplied by the client. It is client-controlled and may be blank or forged, so correlate it with the source address rather than trusting it alone.
  • Source Network Address: The IP address of the client machine. It is `-` for local logons and may be `127.0.0.1` or `::1` when a local process authenticated over the loopback interface.
  • Source Port: The port used for the connection.

Event ID 4771: Kerberos pre-authentication failed
This event is logged on a domain controller when a Kerberos authentication request (AS-REQ) fails during the pre-authentication phase, that is, when the KDC cannot validate the client's pre-authentication data; for password logons this means the password was wrong. Kerberos is the default network authentication protocol in Active Directory environments. In a domain, a wrong password at an interactive logon produces both a 4771 on the domain controller and a 4625 on the workstation, while a failed attempt to obtain a ticket for a network service produces only the 4771, because the request never reaches the target server.

Key Details in Event 4771:
1. Account Information:

  • Security ID (SID): The SID of the account, when the KDC could resolve it.
  • Account Name: The user name that failed to authenticate. There is no separate Account Domain field in 4771; the realm is visible in the Service Name (`krbtgt/<realm>`) and in the SID.

2. Service Information:

  • Service Name: The Kerberos service the ticket was requested for, which for an initial logon is always `krbtgt/<realm>` (the Key Distribution Center itself).

3. Network Information:

  • Client Address: The IP address of the client attempting to authenticate, often in IPv4-mapped IPv6 form (e.g., `::ffff:10.0.0.12`). `::1` or `127.0.0.1` means the request came from the domain controller itself.
  • Client Port: The port used by the client.

4. Additional Information:

  • Ticket Options: The flags requested for the ticket (e.g., `0x40810010`).
  • Failure Code: The Kerberos error code indicating the reason for the failure: `0x18` (KDC_ERR_PREAUTH_FAILED) for a wrong password, `0x12` (KDC_ERR_CLIENT_REVOKED) for an account that is disabled, expired or locked out, `0x17` (KDC_ERR_KEY_EXPIRED) for an expired password, and `0x25` (KRB_AP_ERR_SKEW) for a clock skew larger than the domain tolerance (5 minutes by default). A request for a user name that does not exist (`0x6`, KDC_ERR_C_PRINCIPAL_UNKNOWN) is logged as a failed Event 4768, not as 4771, so user-name enumeration against Kerberos has to be looked for there.
  • Pre-Authentication Type: A numeric code for the pre-authentication method, e.g., `2` for PA-ENC-TIMESTAMP (password-based), `16`/`17` for certificate-based PKINIT, and `0` when the client sent no pre-authentication data.

5. Certificate Information:

  • Certificate Issuer Name, Certificate Serial Number, Certificate Thumbprint: Populated only for PKINIT (smart card or certificate) logons; otherwise blank.

The encryption type of the ticket is not part of 4771; it is reported in Events 4768 and 4769 instead.

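To make the field decoding for both events concrete, here is an added Python example (not part of the original article) that parses a 4625 and a 4771 event as exported in XML form (`wevtutil qe Security /f:xml`, or `Get-WinEvent` followed by `.ToXml()`), resolves the Status/Sub Status and Failure Code values to their meanings, and normalizes the client address. The two sample events, the host names, the workstation name and the SID in them are constructed for this example; the `Data Name` attributes are the ones the Security log emits for these event IDs.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespace of every Security-log event exported as XML
# (wevtutil qe Security /f:xml, or Get-WinEvent ... .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 4625 Status / Sub Status (NTSTATUS) values and their documented meaning.
NTSTATUS = {
    0xC000006D: "logon failure (see Sub Status)",
    0xC0000064: "user name does not exist",
    0xC000006A: "incorrect password",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}
# 4771 Failure Code (Kerberos error code) values.
KRB_ERR = {
    0x12: "client credentials revoked (disabled, expired or locked out)",
    0x17: "password expired",
    0x18: "pre-authentication failed (wrong password)",
    0x25: "clock skew too great",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def normalize_ip(raw):
    """Return a plain IP string or None. 4625 writes '-' for local logons;
    4771 writes IPv4 clients as IPv4-mapped IPv6 (::ffff:10.0.0.12)."""
    if not raw or raw == "-":
        return None
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_event(xml_text):
    """Parse one 4625 or 4771 event (XML) into a normalized dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("./e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("./e:EventData/e:Data", NS)}
    rec = {"event_id": event_id,
           "account": data.get("TargetUserName", ""),
           "source_ip": normalize_ip(data.get("IpAddress", ""))}
    if event_id == 4625:
        status = int(data.get("Status", "0x0"), 16)
        sub_status = int(data.get("SubStatus", "0x0"), 16)
        # Generic STATUS_LOGON_FAILURE means "look at Sub Status"; any other
        # Status (lockout, disabled, expired) is specific on its own.
        code = sub_status if status == 0xC000006D and sub_status else status
        logon_type = int(data.get("LogonType", "0"))
        rec.update(domain=data.get("TargetDomainName", ""), code=code,
                   reason=NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}"),
                   logon_type=logon_type,
                   logon_type_name=LOGON_TYPES.get(logon_type, "unknown"),
                   workstation=data.get("WorkstationName", ""),
                   # '-' is normal for network logons: there is no local caller.
                   caller_process=data.get("ProcessName", "-"))
    elif event_id == 4771:
        code = int(data.get("Status", "0x0"), 16)
        service = data.get("ServiceName", "")
        # 4771 has no Account Domain field; the realm is in krbtgt/<realm>.
        rec.update(domain=service.split("/", 1)[1] if "/" in service else "",
                   code=code, reason=KRB_ERR.get(code, f"unknown Kerberos error 0x{code:X}"),
                   logon_type=None, service=service,
                   preauth_type=int(data.get("PreAuthType", "-1")))
    else:
        raise ValueError(f"not a 4625/4771 event: {event_id}")
    return rec


# Constructed sample events (not real log data); the Data names are the real ones.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>FS01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="Status">0xc000006d</Data><Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WS-ATTACK</Data>
<Data Name="ProcessName">-</Data><Data Name="IpAddress">10.0.0.45</Data>
<Data Name="IpPort">51234</Data></EventData></Event>"""

SAMPLE_4771 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4771</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">jdoe</Data>
<Data Name="TargetSid">S-1-5-21-1004336348-1177238915-682003330-1104</Data>
<Data Name="ServiceName">krbtgt/CORP.EXAMPLE</Data><Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data><Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:10.0.0.45</Data><Data Name="IpPort">49254</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_4625, SAMPLE_4771):
        ev = parse_event(sample)
        print(f"{ev['event_id']} {ev['domain']}\\{ev['account']} from {ev['source_ip']}: {ev['reason']}")
```

Both samples decode to the same finding (wrong password for `jdoe` from `10.0.0.45`), which is the point of normalizing: the NTLM attempt against the file server and the Kerberos attempt against the domain controller can then be counted together per source and per account.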
Common Causes of These Events
  1. Brute-Force and Password-Spraying Attacks: Attackers may repeatedly guess passwords for one account (brute force: many failures against one name) or try one or two common passwords against many accounts to stay under the lockout threshold (spraying: one failure per name across many names). Both appear as 4625 with Sub Status `0xC000006A` or as 4771 with Failure Code `0x18`.
  2. Misconfigured Applications: Applications, services or scheduled tasks using stale credentials produce failures that recur at fixed intervals from the same host and process, typically starting right after a password change.
  3. Expired or Locked Accounts: Accounts with expired passwords or locked statuses fail authentication with their own codes (4625 Status `0xC0000071` or `0xC0000234`; 4771 Failure Code `0x17` or `0x12`), which lets them be separated from guessing.
  4. User Errors: Users may mistype their user names or passwords; these show as a handful of failures from the user's own workstation followed by a success.
  5. Kerberos Issues: Clock skew between a client and the domain controller beyond the Kerberos tolerance (5 minutes by default) produces 4771 with Failure Code `0x25`; misconfigured Kerberos policies can cause other pre-authentication failures.


How to Investigate and Respond
  1. Correlate Events:
    • Look for patterns in the logs, such as multiple failed attempts from the same IP address or account.
    • Check if the failed attempts are targeting a specific account or service.
  2. Identify the Source:
    • Use the Source Network Address (Event 4625) or Client Address (Event 4771) to identify the origin of the failed attempts.
    • Determine if the source is internal or external.
  3. Check Account Status:
    • Verify if the account is locked, expired, or disabled, and compare with the Status/Sub Status or Failure Code so that lockout noise is not mistaken for active guessing.
    • Look for a successful logon (Event 4624 on the host, 4768 on the domain controller) for the same account from the same source shortly after the run of failures; that is the sign the guessing succeeded and the account should be treated as compromised.
  4. Review Kerberos Configuration:
    • For Event 4771, ensure that the system clocks are synchronized across the domain.
    • Verify that Kerberos policies (e.g., ticket lifetimes) are correctly configured.
  5. Mitigate Attacks:
    • If brute-force attacks from an external source are detected, block the offending IP address at the firewall or intrusion prevention system (IPS); an IDS only alerts. For an internal source, identify the owning host and process first, since blocking a jump host or the server of a misconfigured service account can do more damage than the failures themselves.
    • Implement account lockout policies to slow repeated guessing, but set the threshold high enough that an attacker cannot lock out your users at will; lockout is itself a denial-of-service lever, and it does nothing against spraying, which stays below the threshold by design.
  6. Monitor and Alert:
    • Set up alerts for multiple failed authentication attempts within a short time frame, and separately for many distinct accounts failing from one source, which is the spraying pattern a per-account threshold misses.
    • Use SIEM tools to aggregate and analyze these events across the environment, since 4625 is scattered across every target host while 4771 is centralized on the domain controllers.

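The correlation steps above can be run mechanically once the events are normalized. The following Python example is added here (it is not from the original article) and takes records in the shape (time, account, source_ip, reason) that a parser or SIEM produces, applies a sliding window to separate a brute-force run (many failures, one account, one source) from a password spray (one source, many accounts, few failures each), and sets aside clock-skew and expiry failures for the operations team. The record stream, addresses, account names and thresholds are constructed for illustration; tune the thresholds to your lockout policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Reasons (as decoded from 4625 Sub Status / 4771 Failure Code) that mean the
# directory rejected supplied credentials: candidates for credential guessing.
GUESSING_REASONS = {"incorrect password", "user name does not exist",
                    "pre-authentication failed (wrong password)", "account locked out"}
# Reasons that point at hygiene or configuration rather than at an attacker.
HYGIENE_REASONS = {"clock skew too great", "password expired", "account expired",
                   "account disabled"}


def detect_guessing(records, window=timedelta(minutes=5),
                    brute_threshold=10, spray_threshold=10):
    """Sliding-window detection over normalized failure records.

    brute_force    : >= brute_threshold failures for one (source, account) within window
    password_spray : >= spray_threshold distinct accounts failing from one source within window
    Each (kind, source[, account]) alerts once per run."""
    alerts, fired = [], set()
    per_pair = defaultdict(deque)   # (source, account) -> timestamps inside the window
    per_src = defaultdict(dict)     # source -> {account: time of last failure}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["reason"] not in GUESSING_REASONS:
            continue
        t, src, acct = r["time"], r["source_ip"], r["account"].lower()
        q = per_pair[(src, acct)]
        q.append(t)
        while t - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= brute_threshold and ("brute_force", src, acct) not in fired:
            fired.add(("brute_force", src, acct))
            alerts.append({"kind": "brute_force", "source_ip": src,
                           "account": acct, "count": len(q), "at": t})
        seen = per_src[src]
        seen[acct] = t
        for stale in [a for a, last in seen.items() if t - last > window]:
            del seen[stale]
        if len(seen) >= spray_threshold and ("password_spray", src) not in fired:
            fired.add(("password_spray", src))
            alerts.append({"kind": "password_spray", "source_ip": src,
                           "account": None, "count": len(seen), "at": t})
    return alerts


def hygiene_summary(records):
    """Count configuration-type failures per (source, reason) for ops follow-up."""
    counts = defaultdict(int)
    for r in records:
        if r["reason"] in HYGIENE_REASONS:
            counts[(r["source_ip"], r["reason"])] += 1
    return dict(counts)


def constructed_records():
    """Constructed sample stream (not real data) in the normalized shape."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    recs = []
    # 30 wrong passwords for one account from one host in 2.5 minutes (brute force)
    for i in range(30):
        recs.append({"time": base + timedelta(seconds=5 * i), "event_id": 4625,
                     "account": "Administrator", "source_ip": "10.0.0.45",
                     "reason": "incorrect password"})
    # 25 different accounts, one failure each, from one VPN address (spray)
    for i in range(25):
        recs.append({"time": base + timedelta(minutes=10, seconds=10 * i), "event_id": 4771,
                     "account": f"user{i:02d}", "source_ip": "10.20.0.7",
                     "reason": "pre-authentication failed (wrong password)"})
    # one user mistyping twice from their own workstation (benign)
    for s in (0, 7):
        recs.append({"time": base + timedelta(minutes=20, seconds=s), "event_id": 4625,
                     "account": "jdoe", "source_ip": "10.0.1.22",
                     "reason": "incorrect password"})
    # a server whose clock drifted, failing every half hour (hygiene, not an attack)
    for i in range(6):
        recs.append({"time": base + timedelta(minutes=30 * i), "event_id": 4771,
                     "account": "svc-backup", "source_ip": "10.0.2.14",
                     "reason": "clock skew too great"})
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    for a in detect_guessing(recs):
        print(a)
    for (src, reason), n in hygiene_summary(recs).items():
        print(f"hygiene: {src} {reason} x{n}")
```

The per-account queue and the per-source account map are kept separately because the two patterns are invisible to each other's threshold: the spray never exceeds one failure per account, and the brute force never touches more than one account. The `0x12` "credentials revoked" code is deliberately in neither set, since it covers both a disabled service account and an attacker who kept going after triggering lockout, and is better triaged by hand.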
Best Practices for Prevention
  • Use Strong Passwords: Enforce long passphrases and a banned-password list; forced periodic password changes are no longer recommended by NIST SP 800-63B or Microsoft, because they produce predictable variations rather than stronger passwords.
  • Enable Multi-Factor Authentication (MFA): Add an extra layer of security so that a guessed password alone does not grant access.
  • Implement Account Lockout Policies: Lock accounts after a certain number of failed attempts, with a threshold that tolerates ordinary typos.
  • Regularly Review Logs: Monitor security logs for suspicious activity, and forward them to a central store so that an attacker who compromises a host cannot clear the evidence.
  • Patch and Update Systems: Ensure all systems are up to date to prevent exploitation of known vulnerabilities.
By understanding and analyzing Event IDs 4625 and 4771, administrators can effectively detect and respond to potential security threats, ensuring the integrity and security of their Windows environments.