The Event ID 4625 with Logon Type 3 represents failed NTLM authentication attempts. In your case, we see repeated failures for account "aaman" originating from workstation "test2". The NULL SID and missing network information suggest either local system processes or intentionally obfuscated attack attempts.
The critical markers in your event data reveal:
- Authentication Package: NTLM (vulnerable to brute force)
- Logon Process: NtLmSsp
- Sub Status: 0xC0000064 (STATUS_NO_SUCH_USER)
- Missing IP address (could indicate local process or log clearing)
Method 1: PowerShell Log Analysis
# Extract 4625 events with Logon Type 3 from last 24 hours
$Events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
    StartTime=(Get-Date).AddHours(-24)
} | Where-Object {$_.Properties[10].Value -eq 3}   # index 10 = LogonType in 4625
# Group by source workstation (index 13 = WorkstationName)
$Events | Group-Object {$_.Properties[13].Value} | Sort-Object Count -Descending
Method 2: Enable Detailed NTLM Logging
# Set NTLM audit level to capture detailed info
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "AuditReceivingNTLMTraffic" -Value 2
# Restart the server for changes to take effect
Restart-Computer -Force
1. Account Lockout Policy:
# Check current lockout threshold (0 means accounts never lock out)
secedit /export /cfg secpolicy.inf
(Select-String -Path secpolicy.inf -Pattern "LockoutBadCount").Line -replace ".*=\s*"
2. NTLM Restriction:
# Require NTLMv2 session security and 128-bit encryption for NTLM SSP clients (registry method)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NtlmMinClientSec" -Type DWORD -Value 0x20080000
Create a real-time monitoring script:
# PowerShell real-time event monitor (Register-WmiEvent expects WQL, so an XPath event query needs EventLogWatcher)
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)] and EventData[Data[@Name='LogonType']='3']]
    </Select>
  </Query>
</QueryList>
"@
$logQuery = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery('Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $query)
$watcher  = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($logQuery)
Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier 'NTLM4625Monitor' -Action {
    $record      = $EventArgs.EventRecord
    $timestamp   = $record.TimeCreated
    $targetUser  = $record.Properties[5].Value    # TargetUserName
    $workstation = $record.Properties[13].Value   # WorkstationName
    Write-Warning "[$timestamp] Failed login attempt for $targetUser from $workstation"
    # Add your custom alert logic here
}
$watcher.Enabled = $true   # start delivering events to the action block
1. Check scheduled tasks or services running on "test2"
2. Verify if "aaman" is a legitimate service account
3. Examine firewall logs for corresponding connection attempts
4. Consider deploying Microsoft ATA or similar solution for advanced threat detection
When you're seeing repeated 4625 events with Logon Type 3 and NTLM authentication failures, the first step is to analyze the pattern. In this case, we see:
TargetUserName: aaman
WorkstationName: test2
Failure Reason: Unknown user name or bad password
Status: 0xC000006D (STATUS_LOGON_FAILURE)
Sub Status: 0xC0000064 (STATUS_NO_SUCH_USER)
The NULL SID in both Subject and Target fields suggests the attempts aren't coming from domain-authenticated sources. Key indicators:
- Missing Source Network Address makes tracking harder
- Workstation name 'test2' suggests either a testing system or spoofed name
- NTLM authentication (rather than Kerberos) is more vulnerable to brute force
Create a PowerShell script to aggregate events:
# PowerShell script to analyze 4625 events
$Events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
    StartTime=(Get-Date).AddDays(-1)
} | Where-Object {$_.Properties[10].Value -eq 3}   # index 10 = LogonType
$AttackPatterns = $Events | Group-Object -Property {
    $_.Properties[5].Value + "|" + $_.Properties[13].Value   # TargetUserName|WorkstationName
} | Sort-Object -Property Count -Descending
$AttackPatterns | Format-Table Count,Name -AutoSize
Short-term solution: Block NTLM authentication from untrusted sources
# Group Policy setting to restrict NTLM ("Network security: Restrict NTLM: NTLM authentication in this domain");
# the value lives under Netlogon\Parameters and is evaluated on domain controllers
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "RestrictNTLMInDomain" -Type DWord -Value 1
Long-term solution: Implement account lockout policies and monitoring
# Subscribe to new 4625 / Logon Type 3 events for real-time alerts (New-WinEvent writes events; it cannot subscribe)
$XMLQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)] and EventData[Data[@Name='LogonType']='3']]
    </Select>
  </Query>
</QueryList>
"@
$LogQuery = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery('Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $XMLQuery)
$Watcher  = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($LogQuery)
$Subscription = Register-ObjectEvent -InputObject $Watcher -EventName EventRecordWritten -SourceIdentifier "NTLM Attack Monitor" -Action {
    $Record = $EventArgs.EventRecord
    # Add your alert action here (email, log, etc)
}
$Watcher.Enabled = $true
For deeper investigation, enable Netlogon debugging:
# Enable verbose Netlogon logging
nltest /dbflag:0x2080FFFF
# Logs will be written to %windir%\debug\netlogon.log
Then parse the logs for authentication attempts:
$NetlogonPath = "$env:windir\debug\netlogon.log"
if (Test-Path $NetlogonPath) {
    Select-String -Path $NetlogonPath -Pattern "aaman" -Context 2 | Format-Table -AutoSize
}
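The scripts in both answers key off Properties[N] positions, which are easy to get wrong. The following added example (not from either answer) reads the 4625 fields by name from the event XML and decodes the SubStatus, so a burst of STATUS_NO_SUCH_USER against many names can be told apart from repeated bad passwords against one account. The $Hours parameter and the output column names are assumptions of this example; it needs an elevated session that can read the local Security log.

```powershell
# Added example: summarise 4625 / Logon Type 3 failures by named EventData fields and decode SubStatus.
# Assumes read access to the local Security log; $Hours is a hypothetical parameter, not from the thread.
param([int]$Hours = 24)
# NTSTATUS sub status codes seen in 4625. PowerShell hashtable keys are case-insensitive,
# so the lowercase hex the event XML carries matches these entries.
$SubStatusNames = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
}
# XPath does the EventID, time window and LogonType filtering on the log side.
$WindowMs = $Hours * 3600000
$XPath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= $WindowMs]] " +
         "and EventData[Data[@Name='LogonType']='3']]"
$Rows = Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue | ForEach-Object {
    # Read every <Data Name="..."> element into a dictionary keyed by field name.
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($Node in $Xml.Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }
    $Ip = $Data['IpAddress']
    if (-not $Ip -or $Ip -eq '-') { $Ip = '(none)' }      # the missing-source case from the question
    $Sub = $Data['SubStatus']
    if ($Sub -and $SubStatusNames.ContainsKey($Sub)) { $Sub = $SubStatusNames[$Sub] }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        TargetUser  = $Data['TargetUserName']
        Workstation = $Data['WorkstationName']
        SourceIP    = $Ip
        AuthPackage = $Data['AuthenticationPackageName']
        SubStatus   = $Sub
    }
}
# Many STATUS_NO_SUCH_USER rows across different names from one source suggests account
# enumeration; many STATUS_WRONG_PASSWORD rows against one name suggests password guessing.
$Rows | Group-Object TargetUser, Workstation, SourceIP, AuthPackage, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'First'; e = { ($_.Group.Time | Sort-Object)[0] } },
        @{ n = 'Last';  e = { ($_.Group.Time | Sort-Object)[-1] } },
        Name |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it with -Hours to widen the window; the First/Last columns show whether a group is a short burst or a slow, steady trickle.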