Windows Admin Login Alert Script

Problem Overview

Unauthorized or unexpected administrator logins can be a major security risk, potentially indicating compromised credentials or suspicious activity. Monitoring these logins in real-time allows IT professionals and MSPs to detect potential security breaches, ensure compliance with security policies, and proactively address unauthorized access attempts before they escalate.

Description

This script scans Windows Event Logs for successful administrator logins (Event ID 4624) within the past hour, specifically filtering for interactive (local console) and remote desktop (RDP) logins. It excludes known system accounts to reduce false positives and outputs a list of detected logins. When paired with a script-based monitor in Level, this script can trigger real-time alerts whenever an admin login occurs, helping IT teams maintain strict oversight of privileged account usage.

Script

1<#
2This resource is provided as a convenience for Level users. We cannot 
3guarantee it will work in all environments. Please test before deploying 
4to your production environment. We welcome contributions to our community 
5library
6
7# Level Library
8# https://level.io/library/script-windows-admin-login-alert
9#>
10
11# Define known system accounts to ignore
12$SystemAccounts = @("DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1", "UMFD-2", "UMFD-3", "SYSTEM")
13
14# Get recent successful logins (Event ID 4624) and filter for interactive/RDP logins
15$Logins = Get-WinEvent -FilterHashtable @{
16    LogName = 'Security'
17    ID = 4624
18    StartTime = (Get-Date).AddHours(-1)  # Filter for the last 1 hours
19} | Where-Object {
20    # Extract logon type
21    $LogonType = $_.Properties[8].Value
22    # Only check interactive (2) and remote desktop (10) logins
23    $LogonType -eq 2 -or $LogonType -eq 10
24} | ForEach-Object {
25    $_.Properties[5].Value  # Extract the account name
26} | Where-Object { $_ -notin $SystemAccounts } | Select-Object -Unique
27
28# Output detected logins
29Write-Host "Detected Admin Logins: $($Logins -join ', ')"
30exit 0

‍

Use Cases

• Detect unauthorized or unexpected admin logins in real-time.
• Monitor privileged account activity to enhance security and compliance.
• Track remote desktop access for security auditing.
• Reduce the risk of compromised admin credentials by receiving immediate alerts.

Recommendations

• Pair with a script-based monitor in Level to automatically trigger alerts for new admin logins.
• Test before deploying in a production environment to ensure compatibility with your setup.
• Adjust system account exclusions as needed to avoid false positives.
• Regularly review logs and alerts to identify patterns of unauthorized access attempts.
• Integrate with other security tools to automate responses to suspicious login activity.

FAQ

• How can I configure this script to trigger alerts automatically?
  ‍Use Level’s script-based monitor to run this script periodically. If any new admin logins are detected, configure the monitor to generate an alert in Level’s dashboard.

• Can I modify the timeframe for detecting logins?
  ‍Yes, you can adjust (Get-Date).AddHours(-1) to a different time range, such as -2 for two hours or -30 for 30 minutes.

• What if I see false positives from system accounts?
  ‍The script already excludes common system accounts, but you can customize the $SystemAccounts list to exclude additional accounts unique to your environment.

• Can this script be used for compliance auditing?
  ‍Yes, this script helps track privileged account activity, which can be useful for security audits and compliance with regulations like HIPAA, PCI-DSS, and NIST.

• Does this script impact system performance?
  ‍No, it queries the Windows Event Logs efficiently and should have minimal performance impact. However, always test in a controlled environment before full deployment.