
Level Verified

Windows Failed Admin Login Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

Repeated failed login attempts on administrator accounts can indicate brute-force attacks, unauthorized access attempts, or misconfigured credentials. Monitoring these failed logins in real-time helps IT professionals and MSPs quickly identify and mitigate potential security threats before they lead to a breach.

Description

This script scans Windows Event Logs for failed login attempts (Event ID 4625) within the last hour and cross-references the failed attempts against a list of administrator accounts. If any failed login attempts are detected for admin users, the script generates an alert, allowing IT teams to investigate and respond proactively. By integrating this script with a script-based monitor in Level, organizations can receive real-time alerts whenever unauthorized admin login attempts occur.

Script

<#
Level Library
https://level.io/library/script-windows-failed-admin-login
Modified to alert only on real failed admin interactive logins
#>

# Only examine events from the last hour
$TimeFrame = (Get-Date).AddHours(-1)

# Get the SIDs (as strings) of user accounts in the local Administrators group.
# Comparing SID strings avoids relying on object-to-string coercion in -contains below.
$AdminSIDs = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq "User" } |
    ForEach-Object { $_.SID.Value }

# Pull failed logon events (Event ID 4625) from the Security log.
# Get-WinEvent throws when nothing matches, so suppress that and test for $null instead.
$FailedLogins = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $TimeFrame
} -ErrorAction SilentlyContinue

if (-not $FailedLogins) {
    Write-Host "No failed admin login attempts detected."
    exit 0
}

$Alerts = @()

foreach ($Event in $FailedLogins) {
    # Read the named EventData fields from the event XML
    $Xml  = [xml]$Event.ToXml()
    $Data = $Xml.Event.EventData.Data

    $Status    = ($Data | Where-Object { $_.Name -eq "Status" }).'#text'
    $LogonType = ($Data | Where-Object { $_.Name -eq "LogonType" }).'#text'
    $TargetSID = ($Data | Where-Object { $_.Name -eq "TargetUserSid" }).'#text'
    $Username  = ($Data | Where-Object { $_.Name -eq "TargetUserName" }).'#text'

    # Skip status 0xC000010B (NTSTATUS STATUS_INVALID_LOGON_TYPE); not a credential failure
    if ($Status -eq "0xc000010b") { continue }

    # Only interactive (2) or RDP / RemoteInteractive (10) logons
    if ($LogonType -notin @("2", "10")) { continue }

    # Ignore system and virtual accounts (Desktop Window Manager, User-Mode Font Driver)
    if ($Username -match '^(DWM-|UMFD-|SYSTEM$)') { continue }

    # Alert only when the target account is a member of the local Administrators group
    if ($AdminSIDs -contains $TargetSID) {
        $Alerts += "Failed admin login: $Username (LogonType $LogonType) at $($Event.TimeCreated)"
    }
}

if ($Alerts.Count -gt 0) {
    # A non-zero exit code lets a Level script-based monitor raise an alert
    Write-Host "ALERT: Failed admin login attempts detected:`n$($Alerts -join "`n")"
    exit 1
}

Write-Host "No failed admin login attempts detected."
exit 0

Use Cases

  • Detect brute-force attacks targeting administrator accounts.
  • Monitor for unauthorized access attempts by internal or external threats.
  • Enhance security logging and compliance auditing.
  • Identify misconfigured or outdated credentials causing repeated login failures.

Recommendations

  • Pair with a script-based monitor in Level to generate alerts when failed admin login attempts occur.
  • Test before deploying in a production environment to ensure accurate detection.
  • Regularly review failed login logs to identify patterns of suspicious activity.
  • Consider automated remediation by locking accounts with excessive failed attempts.
  • Ensure proper log retention policies to maintain historical security data for auditing.
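The library script above alerts on any single failed admin logon. To tell a brute-force run apart from one mistyped password (the first use case) and to act on the "excessive failed attempts" recommendation without automatically locking anything, a monitor needs a per-account, per-source tally against a threshold. The following is an added example written for this page, not code from the Level library; the function names ConvertFrom-FailedLogonEvent and Get-AdminLogonFailureSummary, the threshold of 5, and the SIDs and addresses in the sample data are all this example's own constructions. It reads the same EventData fields the library script does (plus IpAddress) and runs offline on the constructed records, so it can be tried before pointing it at Get-WinEvent output.

```powershell
# Added example (not part of the Level library script); names below are this example's own.

# Convert a 4625 event from Get-WinEvent into a flat record with the fields
# the library script reads, plus the source address of the attempt.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $Data  = ([xml]$WinEvent.ToXml()).Event.EventData.Data
        $Field = { param($Name) ($Data | Where-Object { $_.Name -eq $Name }).'#text' }
        [pscustomobject]@{
            TimeCreated    = $WinEvent.TimeCreated
            TargetUserName = & $Field 'TargetUserName'
            TargetUserSid  = & $Field 'TargetUserSid'
            LogonType      = & $Field 'LogonType'
            IpAddress      = & $Field 'IpAddress'
            Status         = & $Field 'Status'
        }
    }
}

# Group interactive/RDP failures against admin SIDs by account and source address,
# and return only the pairs at or above the threshold. Takes records rather than
# raw events so it can be exercised on constructed data.
function Get-AdminLogonFailureSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string[]] $AdminSIDs,
        [int] $Threshold = 5
    )
    $Records |
        Where-Object { $_.LogonType -in @('2', '10') -and $AdminSIDs -contains $_.TargetUserSid } |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            $Ordered = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                Account  = $_.Group[0].TargetUserName
                Source   = $_.Group[0].IpAddress
                Failures = $_.Count
                First    = $Ordered[0].TimeCreated
                Last     = $Ordered[-1].TimeCreated
            }
        } |
        Where-Object { $_.Failures -ge $Threshold } |
        Sort-Object Failures -Descending
}

# --- Constructed sample data (placeholder SIDs and documentation addresses, not real events) ---
$SampleAdminSIDs = @('S-1-5-21-1000-2000-3000-500')
$Now = Get-Date
$SampleRecords = @(
    # Six RDP failures against the admin account from one source within a few minutes
    foreach ($i in 1..6) {
        [pscustomobject]@{
            TimeCreated = $Now.AddMinutes(-$i); TargetUserName = 'Administrator'
            TargetUserSid = 'S-1-5-21-1000-2000-3000-500'; LogonType = '10'
            IpAddress = '203.0.113.10'; Status = '0xc000006d'
        }
    }
    # One mistyped password at the local console, below the threshold
    [pscustomobject]@{
        TimeCreated = $Now.AddMinutes(-3); TargetUserName = 'Administrator'
        TargetUserSid = 'S-1-5-21-1000-2000-3000-500'; LogonType = '2'
        IpAddress = '127.0.0.1'; Status = '0xc000006a'
    }
    # A standard user, ignored because its SID is not in the admin list
    [pscustomobject]@{
        TimeCreated = $Now.AddMinutes(-2); TargetUserName = 'jsmith'
        TargetUserSid = 'S-1-5-21-1000-2000-3000-1105'; LogonType = '10'
        IpAddress = '203.0.113.10'; Status = '0xc000006a'
    }
)

# Same exit-code convention as the library script so a Level monitor can act on it
$Summary = Get-AdminLogonFailureSummary -Records $SampleRecords -AdminSIDs $SampleAdminSIDs -Threshold 5
if ($Summary) {
    Write-Host "ALERT: admin accounts at or above the failure threshold:"
    $Summary | Format-Table -AutoSize | Out-String | Write-Host
    exit 1
}
Write-Host "No admin account at or above the failure threshold."
exit 0
```

To run it against live data, replace the constructed records with `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$TimeFrame } | ConvertFrom-FailedLogonEvent` and build $AdminSIDs the way the library script does. Grouping on the source address is what separates a remote brute-force run from a local typo; the threshold and window are the knobs to tune per environment before any automated lockout is considered, since a low threshold lets an attacker lock administrators out simply by failing on purpose.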

FAQ

  • How does this script identify failed admin logins?
    It scans Windows Event Logs for Event ID 4625 (failed logins) and filters the results against a list of administrator accounts retrieved from the local Administrators group.
  • Can I change the time window for detection?
    Yes, modify (Get-Date).AddHours(-1) to adjust the detection period, such as AddHours(-2) for two hours or AddMinutes(-30) for 30 minutes.
  • What happens if failed admin logins are detected?
    The script outputs an alert message and exits with a non-zero status, allowing Level’s monitoring system to trigger an alert.
  • Can this script help with compliance requirements?
    Yes, monitoring failed admin login attempts is critical for security frameworks like NIST, PCI-DSS, and HIPAA, helping organizations track and mitigate unauthorized access attempts.
  • Does this script exclude normal user login failures?
    Yes, it specifically filters failed logins for administrator accounts to reduce noise and focus on high-risk events.
  • Will this script impact system performance?
    No, it queries event logs efficiently and has minimal system impact. However, always test before deploying to production.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Failed Admin Login

Description

This PowerShell script monitors Windows security logs for failed login attempts targeting administrator accounts within the last hour. It retrieves failed login events (Event ID 4625), cross-references them against the local Administrators group membership, and generates an alert message if any failed attempts are detected for admin accounts, providing a simple but effective security monitoring tool.

Language

PowerShell

Timeout (In Seconds)

300

Run As

Local system
