
Level Verified

Windows Failed Login Script (Any User)

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux (the script itself reads the Windows Security event log with Get-WinEvent, so it only runs on Windows endpoints)

Problem Overview

Failed login attempts can indicate brute-force or password-spraying attacks, misconfigured credentials (for example a service or scheduled task still using an old password), or simply forgotten passwords. Without monitoring, organizations risk undetected intrusion attempts and unexplained account lockouts. This script helps IT teams detect and respond to suspicious authentication failures before they escalate into serious security incidents.

Description

This script queries the Windows Security event log for failed logon events (Event ID 4625) from the past hour and extracts the target username from each one. If any are found, it prints an alert listing the affected accounts and exits with a non-zero status, so a script-based monitor in Level can raise an alert whenever failed logins occur and IT teams can investigate. Two caveats apply. First, 4625 is only written when failure auditing is enabled for the Logon subcategory (check with auditpol /get /subcategory:"Logon"); on a host where it is disabled the monitor will stay silent no matter how many logons fail. Second, 4625 is recorded on the machine where the logon was attempted, not centrally; for domain accounts the domain controller logs the corresponding Kerberos (4771) or NTLM (4776) failures instead, so deploy this monitor to the workstations and servers being targeted rather than only to the domain controllers.
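Before relying on the monitor, it is worth confirming that the host will actually produce 4625 events and that its Security log holds at least an hour of history. The following PowerShell is an added example, not part of the Level library script: it reads the Logon audit setting with auditpol and the Security log configuration with Get-WinEvent -ListLog, and must be run from an elevated prompt. The one-hour comparison mirrors the script's window and is an assumption.

```powershell
# Added example (not part of the Level library script). Checks the two prerequisites
# the failed-login monitor depends on: failure auditing for the Logon subcategory,
# and a Security log that is not wrapping faster than the monitor's one-hour window.
# Requires an elevated PowerShell session.

function Test-FailedLogonAuditing {
    # auditpol /r emits CSV; the Logon subcategory controls 4624 (success) and 4625 (failure).
    $Row = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
    $Setting = $Row.'Inclusion Setting'      # e.g. 'Success', 'Failure', 'Success and Failure', 'No Auditing'
    [pscustomobject]@{
        LogonAuditSetting = $Setting
        FailuresAudited   = [bool]($Setting -match 'Failure')
    }
}

function Get-SecurityLogHealth {
    $Log = Get-WinEvent -ListLog Security
    # The oldest record still on disk shows how far back a query can reach.
    $Oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxSizeMB   = [math]::Round($Log.MaximumSizeInBytes / 1MB)
        LogMode     = $Log.LogMode          # Circular overwrites the oldest events when the log is full
        RecordCount = $Log.RecordCount
        OldestEvent = $Oldest.TimeCreated
    }
}

$WindowStart = (Get-Date).AddHours(-1)     # assumption: same window as the monitor script
$Audit  = Test-FailedLogonAuditing
$Health = Get-SecurityLogHealth

if (-not $Audit.FailuresAudited) {
    Write-Host "Logon failure auditing is '$($Audit.LogonAuditSetting)'; Event ID 4625 will not be written."
    Write-Host 'Enable it with: auditpol /set /subcategory:"Logon" /failure:enable'
}
if ($Health.OldestEvent -and $Health.OldestEvent -gt $WindowStart) {
    Write-Host "Security log only reaches back to $($Health.OldestEvent); it is wrapping inside the one-hour window. Increase MaximumSizeInBytes or forward the log."
}
$Audit
$Health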

Script

<#
This resource is provided as a convenience for Level users. We cannot 
guarantee it will work in all environments. Please test before deploying 
to your production environment. We welcome contributions to our community 
library

# Level Library
# https://level.io/library/script-windows-failed-login-any-user
#>

$TimeFrame = (Get-Date).AddHours(-1)

# Get failed logon attempts (Security log, Event ID 4625) in the last hour.
# FilterHashtable filters inside the event log service, so only matching events
# are returned. Reading the Security log requires administrative rights; the
# script is meant to run as Local system. Get-WinEvent throws when nothing
# matches, so that error is suppressed, and @() guarantees .Count works whether
# zero, one or many events come back.
$FailedLogins = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $TimeFrame
} -ErrorAction SilentlyContinue)

if ($FailedLogins.Count -gt 0) {
    $AlertMessage = "ALERT: $($FailedLogins.Count) failed login attempt(s) detected in the last hour!`n"

    # Pull the target username, logon type and source address out of each event's XML
    $Details = $FailedLogins | ForEach-Object {
        $Xml  = [xml]$_.ToXml()
        $Data = @{}
        foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account   = $Data['TargetUserName']
            LogonType = $Data['LogonType']
            IpAddress = $Data['IpAddress']
        }
    }

    # One line per account with a count and the distinct sources, rather than one line per event
    $Details | Where-Object { $_.Account } | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
        $Sources = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
        $AlertMessage += " - $($_.Count) failed login(s) for account: $($_.Name) (source: $Sources)`n"
    }

    Write-Host $AlertMessage.Trim()
    exit 1
} else {
    Write-Host "No failed login attempts detected."
    exit 0
}

Use Cases

  • Detect brute-force attacks attempting to gain unauthorized access.
  • Monitor failed login attempts across all user accounts.
  • Identify misconfigured accounts causing repeated login failures.
  • Enhance security monitoring and compliance auditing.
  • Notify IT teams of abnormal authentication activity in real time.

Recommendations

  • Pair with a script-based monitor in Level to generate alerts for failed login attempts automatically.
  • Test before deploying in a production environment to ensure accurate detection.
  • Review login failure patterns to identify potential security threats.
  • Adjust log retention policies to store authentication failure records for forensic analysis.
  • Integrate with automated responses, such as blocking the source address or temporarily locking the targeted account after repeated failures. Apply lockout with care: an attacker who can trigger failures at will can turn an aggressive lockout policy into a denial of service against legitimate users, so pair it with a modest threshold, a short reset window and an allow-list for critical service accounts.

FAQ

  • How does this script detect failed logins?
    It scans Windows Event Logs for Event ID 4625 (failed logins) and extracts the usernames of accounts that failed to authenticate.
  • Can I change the detection time window?
    Yes, modify (Get-Date).AddHours(-1) to adjust the detection period, for example AddHours(-2) for two hours or AddMinutes(-30) for 30 minutes. Note that AddHours(-30) would look back 30 hours, not 30 minutes. Match the window to how often the Level monitor runs the script, so consecutive runs neither miss events nor re-alert on the same ones.
  • What happens if failed logins are detected?
    The script outputs an alert listing the affected accounts and exits with a non-zero status, allowing Level’s monitoring system to trigger an alert.
  • Can this script help with compliance requirements?
    Yes, monitoring failed login attempts is crucial for security frameworks like PCI-DSS, NIST, and HIPAA, ensuring organizations detect and respond to unauthorized access attempts.
  • Will this script exclude system or service accounts?
    No, it reports all failed login attempts, but you can modify the script to exclude specific accounts if needed.
  • Does this script impact system performance?
    No. The FilterHashtable parameter pushes the log name, event ID and time filters into the event log service, so only matching events are returned and parsed, and a one-hour window keeps that set small. Very long windows or hosts under sustained brute force will return more events and take longer, so testing in a controlled environment is recommended before full deployment.
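The FAQ items above on excluding service accounts and on tuning the window point at the practical next step: distinguishing a brute-force attack on one account from a password spray that touches many accounts a few times each, and ignoring noisy accounts you know about. The following PowerShell is an added example written for this page, not part of the Level library script. The excluded account names, the two thresholds, the SubStatus lookup table contents and the sample events are all assumptions constructed for the example; the field names (TargetUserName, TargetDomainName, LogonType, IpAddress, SubStatus) are the standard 4625 EventData fields.

```powershell
# Added example, not part of the Level library script. Separates the two common
# shapes of 4625 activity: many failures against one account (brute force) and one
# source touching many accounts (password spray), with an account exclusion list.
# The thresholds, the excluded names and the sample events are all assumptions.

$ExcludedAccounts    = @('svc_backup', 'ANONYMOUS LOGON')  # assumed names to ignore
$PerAccountThreshold = 5   # failures against one account before alerting
$SprayThreshold      = 3   # distinct accounts from one source before alerting

# Common 4625 SubStatus codes; hashtable keys are case-insensitive in PowerShell
$SubStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'bad password'
    '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled'
    '0xC0000071' = 'password expired'
    '0xC0000193' = 'account expired'
}

function ConvertFrom-FailedLogonXml {
    # Turns the XML of one 4625 event into a flat object with the fields we alert on
    param([Parameter(Mandatory)][string]$EventXml)
    $Xml  = [xml]$EventXml
    $Data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
    $Reason = $Data['SubStatus']
    if ($Reason -and $SubStatusText.ContainsKey($Reason)) { $Reason = $SubStatusText[$Reason] }
    [pscustomobject]@{
        Account   = $Data['TargetUserName']
        Domain    = $Data['TargetDomainName']
        LogonType = $Data['LogonType']
        IpAddress = $Data['IpAddress']
        Reason    = $Reason
    }
}

function Get-FailedLogonFindings {
    # Applies the exclusion list and both thresholds; returns one string per finding
    param([Parameter(Mandatory)][object[]]$Failures)
    $Findings = @()
    $Live = @($Failures | Where-Object { $_.Account -and $ExcludedAccounts -notcontains $_.Account })

    # Brute force: repeated failures against a single account
    foreach ($g in ($Live | Group-Object Account)) {
        if ($g.Count -ge $PerAccountThreshold) {
            $Sources = ($g.Group.IpAddress | Sort-Object -Unique) -join ', '
            $Reasons = ($g.Group.Reason    | Sort-Object -Unique) -join ', '
            $Findings += "$($g.Count) failures for $($g.Name) from $Sources ($Reasons)"
        }
    }
    # Password spray: one source address trying many different accounts
    foreach ($g in ($Live | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } | Group-Object IpAddress)) {
        $Accounts = @($g.Group.Account | Sort-Object -Unique)
        if ($Accounts.Count -ge $SprayThreshold) {
            $Findings += "possible password spray from $($g.Name) against $($Accounts.Count) accounts: $($Accounts -join ', ')"
        }
    }
    return $Findings
}

function New-SampleFailedLogonXml {
    # Constructed 4625 event body carrying only the EventData fields the parser reads
    param($User, $Ip, $SubStatus, $LogonType = '3')
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name='TargetUserName'>$User</Data>
    <Data Name='TargetDomainName'>CORP</Data>
    <Data Name='LogonType'>$LogonType</Data>
    <Data Name='IpAddress'>$Ip</Data>
    <Data Name='SubStatus'>$SubStatus</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: six bad passwords for one account, one source trying four
# accounts once each, and a service account with an expired password (excluded)
$SampleXml = @()
1..6 | ForEach-Object { $SampleXml += New-SampleFailedLogonXml -User 'jsmith' -Ip '203.0.113.10' -SubStatus '0xC000006A' }
foreach ($u in 'alice', 'bob', 'carol', 'dave') { $SampleXml += New-SampleFailedLogonXml -User $u -Ip '198.51.100.7' -SubStatus '0xC0000064' }
$SampleXml += New-SampleFailedLogonXml -User 'svc_backup' -Ip '-' -SubStatus '0xC0000071' -LogonType '4'

$Parsed   = $SampleXml | ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_ }
$Findings = Get-FailedLogonFindings -Failures $Parsed

# Live use: replace $Parsed with real events from the last hour, e.g.
# $Parsed = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
#     ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_.ToXml() }

if ($Findings.Count -gt 0) { $Findings | ForEach-Object { Write-Host "ALERT: $_" }; exit 1 }
Write-Host "No failed logon pattern above threshold."
exit 0
```

Run against the constructed sample, the script flags jsmith under the per-account rule and 198.51.100.7 under the spray rule, while the excluded svc_backup failure is ignored; the single spray source would never trip the original per-account check because each account fails only once. Keep the exit codes when using this as a Level monitor, since the non-zero exit is what raises the alert, and keep the exclusion list short: an excluded account is one an attacker can hammer without being noticed.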

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Failed Login Attempt (Any User)

Description

This PowerShell script monitors Windows security logs for failed login attempts within the last hour. When it detects failed logins (Event ID 4625), it extracts the targeted usernames from the event data and generates an alert message listing all accounts that experienced failed login attempts, providing a straightforward security monitoring solution.

Language

PowerShell

Timeout (In Seconds)

300

Run As

Local system

