Windows Authentication Failure Analysis


What This Means

A structured guide to analyzing Windows authentication failures across NTLM, Kerberos, and local logon: categorize the failures by protocol and Logon Type, decode the Status and Sub Status codes, and separate attacks from legitimate access problems such as missing logon rights, expired passwords, or disabled accounts.

Example Log

An account failed to log on.
Logon Type: 2
Account Name: jsmith
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xC000015B

Indicators of Suspicious Activity

How to Investigate

  1. Categorize failures by protocol (NTLM, Kerberos, local) and Logon Type (2 interactive, 3 network, 10 RemoteInteractive, and so on)
  2. Identify the most targeted accounts and determine their sensitivity level (privileged, service, or ordinary user)
  3. Check the Status code, and the Sub Status code whenever Status is the generic 0xC000006D or 0xC000006E, for the specific failure reason
  4. Determine whether failures are internal (misconfiguration: logon rights, logon hours, disabled or expired accounts) or external (attack: repeated wrong passwords or non-existent user names, especially from one source against many accounts)
  5. Review Group Policy logon right assignments (for example "Allow log on locally" or "Deny log on through Remote Desktop Services") for accounts failing with 0xC000015B, as in the example above
  6. Correlate with successful logons (Event 4624) to find the failure-to-success ratio; a success from the same source immediately after a burst of failures is the highest-priority finding
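The six steps above as working triage code, an added example rather than the page's own tooling. It parses a constructed "Key: Value" export (the field names are those of the 4625/4624 message text; the record layout, host addresses, account names and times are assumptions), decodes Status and Sub Status, buckets failures by protocol and Logon Type, computes failures per success for each account, and applies the alert thresholds from the FAQ below (more than 10 credential failures per account per hour, any failure against a privileged account) plus the check a log viewer will not do for you: a success from the same source right after a burst. Policy-type reasons (logon type not granted, logon hours, disabled, expired) are routed to a misconfiguration list instead of the attack counters; that grouping is an assumption, not something the page defines.

```python
"""Triage Windows logon failures (4625) against successes (4624). Added example, not the
page's tooling; it parses a constructed 'Key: Value' export shaped like the event message
text (Get-WinEvent | Format-List). Adapt the field names to your SIEM."""
import re
from collections import Counter
from datetime import datetime

# NTSTATUS values seen in 4625. 0xC000006D / 0xC000006E are generic: Sub Status has the reason.
NTSTATUS = {"0xC000006D": "bad username or password", "0xC000006E": "account restriction",
            "0xC0000064": "user name does not exist", "0xC000006A": "wrong password",
            "0xC000006F": "outside logon hours", "0xC0000070": "workstation restriction",
            "0xC0000071": "password expired", "0xC0000072": "account disabled",
            "0xC000015B": "logon type not granted", "0xC0000234": "account locked out"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock", 10: "RemoteInteractive"}
# Reasons that point at policy/configuration rather than guessed credentials
# (assumed grouping for the internal-vs-external call in step 4).
POLICY_CODES = {"0xC000006E", "0xC000006F", "0xC0000070", "0xC0000071", "0xC0000072", "0xC000015B"}


def parse_events(text):
    """Parse blank-line-separated 'Key: Value' records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                ev[key.strip()] = value.strip()
        ev["Event ID"], ev["Logon Type"] = int(ev["Event ID"]), int(ev["Logon Type"])
        ev["Time"] = datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S")
        ev["Account Name"] = ev["Account Name"].lower()
        events.append(ev)
    return events


def protocol(ev):
    """Step 1: bucket by Authentication Package (Negotiate or missing = local/unspecified)."""
    return {"Kerberos": "Kerberos", "NTLM": "NTLM", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": "NTLM"
            }.get(ev.get("Authentication Package", ""), "Negotiate/local")


def failure_reason(ev):
    """Step 3: decode Status, preferring Sub Status when Status is generic."""
    def norm(c): return "0x" + c[2:].upper() if c else ""
    status, sub = norm(ev.get("Status", "")), norm(ev.get("Sub Status", "0x0"))
    code = sub if status in ("0xC000006D", "0xC000006E") and sub != "0x0" else status
    return code, NTSTATUS.get(code, "unknown NTSTATUS " + code)


def triage(events, privileged=frozenset(), threshold=10):
    """Steps 1-6 over parsed events; returns a structured report."""
    fails = sorted((e for e in events if e["Event ID"] == 4625), key=lambda e: e["Time"])
    succ = [e for e in events if e["Event ID"] == 4624]
    fail_by_acct = Counter(e["Account Name"] for e in fails)
    succ_by_acct = Counter(e["Account Name"] for e in succ)
    report = {"by_protocol": Counter(protocol(e) for e in fails),
              "by_logon_type": Counter(LOGON_TYPES.get(e["Logon Type"], "Other") for e in fails),
              "by_reason": Counter(failure_reason(e)[1] for e in fails),
              "top_accounts": fail_by_acct.most_common(5),  # step 2
              # Step 6: (failures, successes) for every account that failed at all.
              "ratio": {a: (n, succ_by_acct.get(a, 0)) for a, n in fail_by_acct.items()},
              "misconfig": [], "alerts": []}
    per_hour, last_fail = Counter(), {}
    for e in fails:
        code, text = failure_reason(e)
        if code in POLICY_CODES:  # steps 4/5: configuration, not guessing
            report["misconfig"].append((e["Account Name"], text))
            continue
        key = (e["Account Name"], e["Time"].replace(minute=0, second=0))
        per_hour[key] += 1
        last_fail[key] = e
    # Guessing burst (> threshold credential failures per account per clock hour),
    # then the highest-priority finding: a success from the same source right after it.
    for (acct, hour), n in per_hour.items():
        if n <= threshold:
            continue
        report["alerts"].append(("burst", acct, f"{n} credential failures from {hour:%H:%M}"))
        last = last_fail[(acct, hour)]
        if any(s["Account Name"] == acct and s["Time"] > last["Time"] and
               s.get("Source Network Address") == last.get("Source Network Address") for s in succ):
            report["alerts"].append(("success-after-burst", acct, last["Source Network Address"]))
    for acct in sorted(set(fail_by_acct) & set(privileged)):
        report["alerts"].append(("privileged", acct, f"{fail_by_acct[acct]} failures"))
    return report


def _rec(eid, time, ltype, acct, pkg, src, status="", sub=""):
    """One constructed record in the export format parse_events() reads."""
    lines = [f"Event ID: {eid}", f"Time: {time}", f"Logon Type: {ltype}", f"Account Name: {acct}",
             "Account Domain: CORP", f"Authentication Package: {pkg}", f"Source Network Address: {src}"]
    return "\n".join(lines + ([f"Status: {status}", f"Sub Status: {sub}"] if eid == 4625 else []))


# Constructed sample: a logon-right misconfiguration, a disabled service account used
# by a scheduled task, and a 12-attempt NTLM guessing burst from one host that succeeds.
SAMPLE_LOG = "\n\n".join(
    [_rec(4625, "2024-03-04 09:00:05", 2, "jsmith", "Negotiate", "-", "0xC000015B", "0x0"),
     _rec(4624, "2024-03-04 09:03:10", 2, "jsmith", "Negotiate", "-"),
     _rec(4625, "2024-03-04 10:15:00", 4, "svc_backup", "Kerberos", "10.0.0.23", "0xC000006E", "0xC0000072")]
    + [_rec(4625, f"2024-03-04 10:00:{i:02d}", 3, "Administrator", "NTLM", "10.0.0.77",
            "0xC000006D", "0xC000006A") for i in range(1, 13)]
    + [_rec(4624, "2024-03-04 10:00:13", 3, "Administrator", "NTLM", "10.0.0.77")])


def run_sample(threshold=10):
    return triage(parse_events(SAMPLE_LOG), privileged={"administrator"}, threshold=threshold)
```

On the sample, jsmith and svc_backup land in the misconfiguration list (logon right not granted, account disabled) and generate no alert, while Administrator produces three: the 12-attempt burst, the success from 10.0.0.77 one second after the last failure, and the privileged-account hit. The hourly bucket is a clock-hour bucket, so a burst straddling the hour boundary is undercounted; use a sliding window if that matters for your alerting.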

Recommended Mitigations


Frequently Asked Questions

What are the main Windows authentication protocols?
Windows uses NTLM (legacy; credential validation is logged as Event 4776 on the computer that validated the credentials), Kerberos (Active Directory; logged as Events 4768 for TGT requests, 4769 for service tickets, and 4771 for pre-authentication failures, where the Failure Code is a Kerberos error such as 0x18 for a bad password rather than an NTSTATUS), and local SAM authentication. Each protocol has different failure events and investigation approaches, but the failed logon itself is recorded as Event 4625 on the target system regardless of protocol.
How do I determine the root cause of authentication failures?
Check the Status and Sub Status codes in Event 4625. 0xC000006D = bad username/password, 0xC000006E = account restriction, 0xC0000234 = account locked, 0xC0000072 = account disabled, 0xC000015B = logon type not granted (the example above). The first two are generic; the Sub Status carries the actual reason: 0xC0000064 = user name does not exist, 0xC000006A = wrong password for an existing user, 0xC000006F = outside permitted logon hours, 0xC0000071 = password expired. A run of 0xC0000064 across many different names is account enumeration or spraying rather than typos.
Should I alert on all authentication failures?
No: some failures are normal (typos, expired passwords). Alert on patterns: more than 10 failures per account per hour, failures against privileged accounts, failures from unexpected source addresses, and any successful logon that follows a burst of failures from the same source.