{"id":739,"date":"2020-09-28T16:57:06","date_gmt":"2020-09-28T16:57:06","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=739"},"modified":"2024-04-01T13:48:52","modified_gmt":"2024-04-01T05:48:52","slug":"event-id-4625_4740","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/09\/28\/event-id-4625_4740\/","title":{"rendered":"Event ID 4625 &#038; 4740"},"content":{"rendered":"<p>Today we are going to discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventID=4625\">Event ID 4625<\/a> and <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventID=4740\">Event ID 4740<\/a> in a Windows domain environment. In fact, this is one of the most important topics when we design SIEM solutions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-account-lockout-policy\">Account Lockout Policy<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/GPO_Account_Lockout_Policy.png\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"95\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/GPO_Account_Lockout_Policy.png\" alt=\"\" class=\"wp-image-741\" style=\"width:542px;height:95px\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/GPO_Account_Lockout_Policy.png 542w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/GPO_Account_Lockout_Policy-300x53.png 300w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" \/><\/a><\/figure>\n\n\n\n<p>First of all, we start with the Account Lockout Policy in GPO. 
The policy above locks out a user account (by setting the LDAP attribute <strong>lockoutTime<\/strong> to CurrentTime) when ALL of the following conditions are met:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The value of <strong>badPwdCount<\/strong> is equal to <strong>LockoutThreshold<\/strong> (Account lockout threshold). Actually, this is the ONLY rule; the conditions below describe how badPwdCount reaches that value.<\/li>\n\n\n\n<li><strong>Consecutive<\/strong> failed authentications occurred 3 times (<strong>LockoutThreshold<\/strong>) within 30 minutes (<strong>ObservationWindow<\/strong>).<\/li>\n\n\n\n<li>No successful authentication occurred between the failed authentications, because a successful authentication resets badPwdCount to 0.<\/li>\n\n\n\n<li>The password that caused the failed authentication is <strong>NOT<\/strong> the N-1 password (previous password) or the N-2 password (the password before the previous password) if the password history is equal to or greater than 2. This is because the N-1 and N-2 passwords do not increment badPwdCount.<\/li>\n<\/ul>\n\n\n\n<p>P.S. In our observation, the N-1 password never triggers badPwdCount to increment. However, in some cases, when you use the N-2 password followed by a wrong password, badPwdCount may increase by 2.<\/p>\n\n\n\n<p>After 30 minutes (when CurrentTime &#8211;&nbsp;<a href=\"https:\/\/ldapwiki.com\/wiki\/Lockouttime\">lockoutTime<\/a> exceeds the <strong>LockoutDuration<\/strong>), the PDC emulator automatically unlocks the user account and resets badPwdCount. The value of lockoutTime resets to 0 ONLY when a successful authentication occurs, and lockoutTime does not change even if failed authentications keep occurring during the lockout period. The value of lockoutTime stays in place indefinitely if there is no successful authentication, even after the account is actually unlocked. 
The only exception is the built-in local administrator\/domain administrator with <strong>RID 500<\/strong>, which does not follow this rule.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-event-id-4740\">Event ID 4740<\/h2>\n\n\n\n<p>So, why do I still see Event ID 4740 (Account Lockout) for a built-in administrator\/built-in domain administrator? The reason is that the built-in administrator is actually locked out, but it is unlocked immediately when a correct password is used to authenticate. In other words, the account lockout duration does not affect the built-in administrator\/built-in domain administrator. Therefore, we need to carefully consider monitoring password attacks against built-in administrators with a different threshold.<\/p>\n\n\n\n<p>In addition, Event ID 4740 is always logged on the domain controller with the <strong>PDC emulator role<\/strong>. However, it is sometimes also logged on other domain controllers in addition to the PDC emulator. The PDC emulator is actually the final owner of all domain passwords, and it holds the latest password information and account lockout status. Whenever a failed authentication occurs, other domain controllers consult the PDC emulator for the latest password and account lockout status. In this manner, the PDC emulator always knows that a failed authentication occurred. Microsoft has also published test results for other scenarios, such as when the PDC emulator is not available, at this <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/32490.active-directory-bad-passwords-and-account-lockout.aspx\">link<\/a>. 
If you have a SIEM collecting the security logs of all domain controllers, it is possible to identify which domain controller holds the PDC emulator role by counting the total number of Event ID 4740 events from each domain controller.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-event-id-4625-4771-amp-4776\">Event ID 4625, 4771 &amp; 4776<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-1024x554.png\" alt=\"Event Code 4625\" class=\"wp-image-1121\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-1024x554.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-300x162.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-768x415.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-1536x830.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-600x324.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>In a Windows domain environment, if a user enters the wrong password to authenticate, you will see an Event ID 4625 with Status 0xc000006d and Sub-Status 0xc000006a. Moreover, you will always see Event ID 4771 (Kerberos) with Error code 0x18 OR Event ID 4776 with Error code C000006A accompanying Event ID 4625. There is a great article here explaining the reason and where the Event ID appears. 
What we want to point out is that we may see different combinations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Only one Event ID 4625 with multiple Event ID 4776<\/li>\n\n\n\n<li>Only Event ID 4776 without Event ID 4625<\/li>\n\n\n\n<li>Workstation name is missing in Event ID 4776<\/li>\n<\/ul>\n\n\n\n<p>The first scenario is likely due to the Windows machine trying to send out ALL the known credentials belonging to the current user before prompting the user. An example of the second scenario is a user authenticating via a Linux-based squid proxy using NTLM authentication. Event ID 4625 is supposed to be logged on the machine facing the user, which is a squid proxy in this case. Of course, the squid proxy will not log Event ID 4625. This brings out an important rule for security monitoring: Event ID 4776 seems to be of low value and does not contain much information, but we cannot remove it from our picture.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p>From the above information, we may see more than 3 Event ID 4625 events within 30 minutes without an Event ID 4740. This is most likely due to the user entering a previous password. So, can we still monitor whether the account lockout policy is effective, or whether the desired policy is applied to the user? In general, we use 2 approaches to handle this situation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assume the user enters a previous password 3 times and then remembers that he\/she changed the password. In other words, increase the threshold.<\/li>\n\n\n\n<li>If you have a domain account, check the Account Lockout Policy using a PowerShell script. We have 2 sample scripts available: <a href=\"https:\/\/github.com\/cybersecthreat\/DFIR\/blob\/master\/check_GPO_password_policy.ps1\">check_GPO_password_policy.ps1<\/a> and <a href=\"https:\/\/github.com\/cybersecthreat\/DFIR\/blob\/master\/GpoInheritanceBlocked.ps1\">GpoInheritanceBlocked.ps1<\/a>. 
To use check_GPO_password_policy.ps1, just change the dest_nt_domain variable. GpoInheritanceBlocked.ps1 can be used to audit which GPOs block inheritance.<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Today we are going to discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event ID 4625 and Event ID 4740 in a Windows domain environment. In fact, this is one of the most important topics when we design SIEM solutions. Account Lockout Policy First of all, we start with the Account Lockout Policy in&#8230;<\/p>","protected":false},"author":2,"featured_media":1121,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[42,43,23],"tags":[67,68,66,21,64,65,69,70],"class_list":["post-739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-incident-response","category-splunk","tag-account-lockout-policy","tag-badpasswordtime","tag-badpwdcount","tag-blue-team","tag-event-id-4625","tag-event-id-4740","tag-event-id-4771","tag-event-id-4776"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Event ID 4625 &amp; 4740 - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event 
ID 4625 and Event ID 4740 in Windows domain environment\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecthreat.com\/zh\/2020\/09\/28\/event-id-4625_4740\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Event ID 4625 &amp; 4740\" \/>\n<meta property=\"og:description\" content=\"Today we are going to discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event ID 4625 and Event ID 4740 in Windows\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/09\/28\/event-id-4625_4740\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-28T16:57:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:48:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1038\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"Event ID 4625 &#038; 4740\",\"datePublished\":\"2020-09-28T16:57:06+00:00\",\"dateModified\":\"2024-04-01T05:48:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/\"},\"wordCount\":817,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/EventCode4625.png\",\"keywords\":[\"Account Lockout Policy\",\"badPasswordTime\",\"badPwdCount\",\"Blue Team\",\"Event ID 4625\",\"Event ID 4740\",\"Event ID 4771\",\"Event ID 4776\"],\"articleSection\":[\"Blue Team\",\"Incident Response\",\"Splunk\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/\",\"name\":\"Event ID 4625 & 4740 - 
CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/EventCode4625.png\",\"datePublished\":\"2020-09-28T16:57:06+00:00\",\"dateModified\":\"2024-04-01T05:48:52+00:00\",\"description\":\"discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event ID 4625 and Event ID 4740 in Windows domain environment\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/EventCode4625.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/EventCode4625.png\",\"width\":1920,\"height\":1038,\"caption\":\"Event Code 4625\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blue Team\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/blue-team\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Event ID 4625 &#038; 4740\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity 
Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. 
With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin 
Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/09\\\/28\\\/event-id-4625_4740\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Event ID 4625 & 4740 - CyberSecThreat","description":"discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event ID 4625 and Event ID 4740 in Windows domain environment","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecthreat.com\/zh\/2020\/09\/28\/event-id-4625_4740\/","og_locale":"zh_TW","og_type":"article","og_title":"Event ID 4625 & 4740","og_description":"Today we are going to discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event ID 4625 and Event ID 4740 in Windows","og_url":"https:\/\/cybersecthreat.com\/zh\/2020\/09\/28\/event-id-4625_4740\/","og_site_name":"CyberSecThreat","article_publisher":"https:\/\/www.facebook.com\/cybersecthreat","article_published_time":"2020-09-28T16:57:06+00:00","article_modified_time":"2024-04-01T05:48:52+00:00","og_image":[{"width":1920,"height":1038,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png","type":"image\/png"}],"author":"Kelvin Yip","twitter_card":"summary_large_image","twitter_creator":"@cybersecthreat","twitter_site":"@cybersecthreat","twitter_misc":{"\u4f5c\u8005:":"Kelvin Yip","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"5 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#article","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/"},"author":{"name":"Kelvin Yip","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98"},"headline":"Event ID 4625 &#038; 
4740","datePublished":"2020-09-28T16:57:06+00:00","dateModified":"2024-04-01T05:48:52+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/"},"wordCount":817,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png","keywords":["Account Lockout Policy","badPasswordTime","badPwdCount","Blue Team","Event ID 4625","Event ID 4740","Event ID 4771","Event ID 4776"],"articleSection":["Blue Team","Incident Response","Splunk"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/","url":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/","name":"Event ID 4625 & 4740 - CyberSecThreat","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#primaryimage"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png","datePublished":"2020-09-28T16:57:06+00:00","dateModified":"2024-04-01T05:48:52+00:00","description":"discuss the relationship between Account Lockout Policy, badPwdCount, badPasswordTime, Event ID 4625 and Event ID 4740 in Windows domain 
environment","breadcrumb":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#primaryimage","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625.png","width":1920,"height":1038,"caption":"Event Code 4625"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blue Team","item":"https:\/\/cybersecthreat.com\/category\/blue-team\/"},{"@type":"ListItem","position":2,"name":"Event ID 4625 &#038; 4740"}]},{"@type":"WebSite","@id":"https:\/\/cybersecthreat.com\/#website","url":"https:\/\/cybersecthreat.com\/","name":"\u5947\u8cc7\u5b89","description":"\u7db2\u8def\u5b89\u5168\u65b9\u6848","publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecthreat.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Organization","Place"],"@id":"https:\/\/cybersecthreat.com\/#organization","name":"\u5947\u8cc7\u8a0a\u4fdd\u5b89\u53ca\u7db2\u7d61\u6709\u9650\u516c\u53f8","alternateName":"CyberSecThreat","url":"https:\/\/cybersecthreat.com\/","logo":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#local-main-organization-logo"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/cybersecthreat","https:\/\/x.com\/
cybersecthreat","https:\/\/www.linkedin.com\/company\/cybersecthreat-corporation-limited"],"description":"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! 
Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.","legalName":"CyberSecThreat Corporation Limited.","foundingDate":"2021-01-23","address":{"@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"25.0600452","longitude":"121.4594381"},"telephone":["(+886) 02 - 77527628"],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"18:00"}],"email":"info@cybersecthreat.com","areaServed":"Taiwan"},{"@type":"Person","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98","name":"Kelvin Yip","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","caption":"Kelvin Yip"},"sameAs":["https:\/\/cybersecthreat.com"],"knowsAbout":["CyberSecurity"],"knowsLanguage":["English","Chinese"],"jobTitle":"Founder, CEO","url":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},{"@type":"PostalAddress","@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#local-main-place-address","streetAddress":"9 F.-A6, No. 
601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)","addressLocality":"New Taipei City","postalCode":"242032","addressRegion":"Taiwan","addressCountry":"TW"},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/09\/28\/event-id-4625_4740\/#local-main-organization-logo","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","width":164,"height":164,"caption":"CyberSecThreat Corporation Limited."}]},"geo.placename":"New Taipei City","geo.position":{"lat":"25.0600452","long":"121.4594381"},"geo.region":"Taiwan"},"taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":43,"label":"Incident Response"},{"value":23,"label":"Splunk"}],"post_tag":[{"value":67,"label":"Account Lockout Policy"},{"value":68,"label":"badPasswordTime"},{"value":66,"label":"badPwdCount"},{"value":21,"label":"Blue Team"},{"value":64,"label":"Event ID 4625"},{"value":65,"label":"Event ID 4740"},{"value":69,"label":"Event ID 4771"},{"value":70,"label":"Event ID 4776"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/09\/EventCode4625-1024x554.png",1024,554,true],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":1,"category_info":[{"term_id":42,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":42,"taxonomy":"category","description":"","parent":0,"count":14,"filter":"raw","cat_ID":42,"category_count":14,"category_description":"","cat_name":"Blue Team","category_nicename":"blue-team","category_parent":0},{"term_id":43,"name":"Incident 
Response","slug":"incident-response","term_group":0,"term_taxonomy_id":43,"taxonomy":"category","description":"","parent":0,"count":5,"filter":"raw","cat_ID":43,"category_count":5,"category_description":"","cat_name":"Incident Response","category_nicename":"incident-response","category_parent":0},{"term_id":23,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":23,"taxonomy":"category","description":"","parent":0,"count":10,"filter":"raw","cat_ID":23,"category_count":10,"category_description":"","cat_name":"Splunk","category_nicename":"splunk","category_parent":0}],"tag_info":[{"term_id":67,"name":"Account Lockout Policy","slug":"account-lockout-policy","term_group":0,"term_taxonomy_id":67,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":68,"name":"badPasswordTime","slug":"badpasswordtime","term_group":0,"term_taxonomy_id":68,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":66,"name":"badPwdCount","slug":"badpwdcount","term_group":0,"term_taxonomy_id":66,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":21,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":21,"taxonomy":"post_tag","description":"","parent":0,"count":13,"filter":"raw"},{"term_id":64,"name":"Event ID 4625","slug":"event-id-4625","term_group":0,"term_taxonomy_id":64,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":65,"name":"Event ID 4740","slug":"event-id-4740","term_group":0,"term_taxonomy_id":65,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":69,"name":"Event ID 4771","slug":"event-id-4771","term_group":0,"term_taxonomy_id":69,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":70,"name":"Event ID 
4776","slug":"event-id-4776","term_group":0,"term_taxonomy_id":70,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/comments?post=739"}],"version-history":[{"count":0,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/739\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media\/1121"}],"wp:attachment":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media?parent=739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/categories?post=739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/tags?post=739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}