Excessive Logon Attempts
Purpose
The solution monitors the domain controller for excessive logon failures within one hour, which may indicate a brute-force attack. It summarizes failed logon attempts (Event ID 4625) from the Windows Security event log within a specified time window on a given machine and, if the count meets the criteria, creates a ticket.
It checks the computer's Security event log for Event ID 4625 and alerts when the count of occurrences is greater than 10 in the last 60 minutes. These are the default settings and can be changed using the Threshold and Minutes parameters.
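The check described above, as an added PowerShell example that is not the product's own automation script: it counts Event ID 4625 in the Security log over the last Minutes minutes, alerts when the count exceeds Threshold, and summarizes the events by the fields the troubleshooting section asks you to look at. The parameter names Threshold and Minutes come from this page; the field extraction and summaries are assumptions about what a triage run needs.

```powershell
param(
    [int]$Threshold = 10,   # alert when failures exceed this count (page default)
    [int]$Minutes   = 60    # look-back window in minutes (page default)
)

# Reading the Security log requires local admin or Event Log Readers membership.
$start  = (Get-Date).AddMinutes(-$Minutes)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $start }
# Get-WinEvent throws when nothing matches, so suppress that and coerce to an array.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -le $Threshold) {
    "OK: $($events.Count) failed logons on $env:COMPUTERNAME in the last $Minutes minutes (threshold $Threshold)."
    return
}

# Pull the triage fields (Status/SubStatus, Logon Type, source, target account) from each event's XML payload.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']   # e.g. 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Top-5 breakdown of the collected rows by one property, as a printable table.
function Summarize($prop) {
    $rows | Group-Object $prop | Sort-Object Count -Descending |
        Select-Object -First 5 Count, @{ n = $prop; e = { $_.Name } } | Format-Table -AutoSize | Out-String
}

"ALERT: $($events.Count) failed logons (Event ID 4625) on $env:COMPUTERNAME in the last $Minutes minutes (threshold $Threshold)."
"Top target accounts:";         Summarize 'Account'
"Top sources:";                 Summarize 'SourceIP'
"Failure reasons (SubStatus):"; Summarize 'SubStatus'
"Logon types:";                 Summarize 'LogonType'

# Many distinct names failing with 0xC0000064 (user does not exist) points to account enumeration
# rather than password guessing against one known account.
$unknown = @($rows | Where-Object { $_.SubStatus -eq '0xC0000064' } | Select-Object -ExpandProperty Account -Unique).Count
if ($unknown -gt 0) { "NOTE: $unknown distinct non-existent account names were tried; investigate the source(s) for enumeration." }
```

The output text is what a condition would attach to the ticket; run it with -Threshold and -Minutes to match the automation's configured values.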
Associated Content
Name | Type | Function |
---|---|---|
Automation - Excessive Logon Attempts | Automation | Detects and summarizes failed logon attempts (Event ID 4625) from the Windows Security event log within a specified time window. |
Condition - Excessive Logon Attempts | Conditions | The condition runs the automation once per hour and generates a ticket with the script's results if the automation detects matching events. |
CW Manage - Ticket Template - Excessive Logon Attempts | CW Manage Ticket Template | This ticket template manages the CW Manage ticket generation settings for the Excessive Logon Attempts alert condition. |
Implementation
- Create the Automation - Excessive Logon Attempts using the implementation instructions provided in the document.
- Create the Condition - Excessive Logon Attempts using the implementation instructions provided in the document.
- Create the CW Manage - Ticket Template - Excessive Logon Attempts using the implementation instructions provided in the document.
Troubleshooting
General Troubleshooting Steps:
1. Identify the Account Type:
   - Domain Account: Check in Active Directory Users and Computers (ADUC).
   - Local Account: Use Computer Management > Local Users and Groups.
   - Service Account: Check services or scheduled tasks using the account.
   - Unknown Account: Investigate for potential brute-force or enumeration attacks.
2. Review Event Logs:
   - Look for Event ID 4625 in the Security log.
3. Pay attention to:
   - Status/SubStatus codes
   - Logon Type
   - Source IP/Workstation
   - Target Account Name
4. Error Code Specific Troubleshooting:
Error Code | Meaning | Action Steps |
---|---|---|
0xC000006A | Bad password | |
0xC000006D | Bad username or auth info | |
0xC0000064 | Bad or misspelled username | |
0xC000005E | No logon servers available | |
0xC000006F | Logon outside authorized hours | |
0xC0000070 | Unauthorized workstation | |
0xC0000072 | Account disabled | |
0xC000015B | Logon type not granted | |
0xC0000192 | Netlogon service not started | |
0xC0000193 | Expired account | |
0xC0000413 | Auth firewall restriction | |
5. Service Account Specific Checks:
   - Find services using the account. Run:
     Get-WmiObject win32_service | Where-Object { $_.StartName -like "*accountname*" }
     or check manually in Services.msc.
6. Update Password:
   - Change the password in AD.
   - Update it in all services, scheduled tasks, and applications using it.
7. If the Account is Unknown or Suspicious:
   - Investigate Source IP: Use firewall logs or SIEM tools.
   - Check for Patterns: Repeated failures from the same IP or targeting multiple accounts.
   - Block IP or Account: If malicious, take immediate action.
   - Enable Account Lockout Policies: To prevent brute-force attacks or excessive logon attempts.