Event ID: 4625

  • An account failed to log on.

  • Logon Types:

    Suspicious Failed Logins.

  • The event is observed more than 5 times.

    • With sub status 0xC0000064 or 0xC000006A

    • And the account name does not end with $ (a trailing $ indicates a computer account).

  • More than 20 events with logon type 3 or 10, where:

    • Traffic is coming from the same network address.

    • Account name does not end with $.
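
The two thresholds above expressed as detection logic, as an added example that is not part of the original page; it runs over constructed sample records that use the 4625 event's field names. Counting the first rule per account name and treating the input as a single time window are assumptions, since the page states neither.

```python
from collections import Counter

# SubStatus values named on the page: 0xC0000064 = user name does not exist,
# 0xC000006A = user name is correct but the password is wrong.
SUB_STATUSES = {0xC0000064, 0xC000006A}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = Network, 10 = RemoteInteractive (RDP)


def is_user_account(name):
    """Account names ending in $ are computer accounts and are excluded."""
    return bool(name) and not name.endswith("$")


def suspicious_failed_logons(events, sub_threshold=5, remote_threshold=20):
    """Apply both rules to a batch of 4625 events from one time window.

    Returns (accounts, addresses): accounts with more than sub_threshold
    matching SubStatus failures (grouping per account is an assumption), and
    source addresses with more than remote_threshold type 3/10 failures.
    """
    per_account, per_address = Counter(), Counter()
    for ev in events:
        if ev.get("EventID") != 4625 or not is_user_account(ev.get("TargetUserName")):
            continue
        # SubStatus is logged as a hex string such as "0xC000006A".
        if int(ev.get("SubStatus", "0x0"), 16) in SUB_STATUSES:
            per_account[ev["TargetUserName"].lower()] += 1
        if int(ev.get("LogonType", 0)) in REMOTE_LOGON_TYPES and ev.get("IpAddress"):
            per_address[ev["IpAddress"]] += 1
    accounts = sorted(a for a, n in per_account.items() if n > sub_threshold)
    addresses = sorted(ip for ip, n in per_address.items() if n > remote_threshold)
    return accounts, addresses


def make_event(user, sub_status, logon_type, ip):
    """Build one constructed 4625 record using the event's field names."""
    return {"EventID": 4625, "TargetUserName": user, "SubStatus": sub_status,
            "LogonType": logon_type, "IpAddress": ip}


# Constructed sample data (not real logs).
SAMPLE = (
    [make_event("alice", "0xC000006A", 2, "-")] * 6                 # 6 wrong passwords
    + [make_event("WS01$", "0xC000006A", 3, "192.0.2.10")] * 30     # computer account
    + [make_event(f"user{i}", "0xC0000064", 3, "198.51.100.7") for i in range(21)]
    + [make_event("bob", "0xC000006A", 10, "203.0.113.5")] * 5      # below both thresholds
)

if __name__ == "__main__":
    print(suspicious_failed_logons(SAMPLE))
```
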
