Excessive Failed Logins Monitoring

Purpose

The solution monitors the domain controller for excessive logon failures within one hour, indicating a possible brute force attack.

Associated Content

Custom Fields

Content	Level	Function
Is Primary Domain Controller	Endpoint	Used to determine whether a Domain Controller is an infrastructure master or not.

Groups

Content	Type	Function
Domain Controllers	Dynamic Group	Stores the Domain Controllers in a single place.
Infrastructure Master	Dynamic Group	Stores all the available infrastructure masters in a single place.

Tasks/Scripts

Content	Type	Function
Validate Primary Domain Controller	Task	Validate whether a computer is an infrastructure master or not and update the custom field Is Primary Domain Controller.

Monitor

Content	Type	Function
Excessive Failed Logins Attempt	Monitor	Check the computer for security event log event ID 4625 where the count of occurrences is greater than 10 in the last 60 minutes.

Implementation

1. Create the required Custom Fields (if not exist) using the documentation below:

   • Is Primary Domain Controller

2. Create the following Dynamic Groups (if not exist):

   • Domain Controllers
   • Infrastructure Master

3. Create and schedule the following Task(s) (if not exist):

   • Validate Primary Domain Controller

4. Create and enable the following monitor:

   • Excessive Failed Logins Attempt

Troubleshooting

General Troubleshooting Steps:

1. Identify the Account Type:

• Domain Account: Check in Active Directory Users and Computers (ADUC).

• Local Account: Use Computer Management > Local Users and Groups.

• Service Account: Check services or scheduled tasks using the account.

• Unknown Account: Investigate for potential brute-force or enumeration attacks.

2. Review Event Logs:

• Look for Event ID 4625 in the Security log.

3. Pay attention to:

• Status/SubStatus codes

• Logon Type

• Source IP/Workstation

• Target Account Name

4. Error Code Specific Troubleshooting:

Error Code	Meaning	Action Steps
0xC000006A	Bad password	Check if the password was recently changed. Reset the password if needed. Investigate repeated attempts (possible brute-force or excessive logon attempts).
0xC000006D	Bad username or auth info	Verify username. Check for typos or outdated credentials. Investigate source of repeated failures.
0xC0000064	Bad or misspelled username	Confirm the account exists. Investigate for enumeration attempts.
0xC000005E	No logon servers available	Check domain controller availability. Ensure network connectivity. Restart Netlogon service.
0xC000006F	Logon outside authorized hours	Review account restrictions in AD. Adjust allowed logon hours if needed.
0xC0000070	Unauthorized workstation	Check workstation restrictions in AD. Update allowed workstations.
0xC0000072	Account disabled	Enable the account in AD. Investigate why it was disabled.
0xC000015B	Logon type not granted	Check Group Policy or Local Security Policy. Grant appropriate logon rights.
0xC0000192	Netlogon service not started	Start the Netlogon service. Set it to automatic.
0xC0000193	Expired account	Extend or renew the account expiration date.
0xC0000413	Auth firewall restriction	Review firewall or security policies. Allow the account to authenticate.

5. Service Account Specific Checks:

• Find Services Using the Account.

• Run: Get-WmiObject win32_service | Where-Object { $_.StartName -like "*accountname*" }
  Or check manually in Services.msc.

6. Update Password:

• Change the password in AD.

• Update it in all services, scheduled tasks, and applications using it.

7. If the Account is Unknown or Suspicious

• Investigate Source IP: Use firewall logs or SIEM tools.
• Check for Patterns: Repeated failures from the same IP or targeting multiple accounts.
• Block IP or Account: If malicious, take immediate action.
• Enable Account Lockout Policies: To prevent brute-force attacks or excessive logon attempts.