Unauthorized administrator logins pose a significant security risk, potentially leading to data breaches, system compromises, or compliance violations. Manually monitoring these logins is inefficient and leaves gaps in security. This script automates the detection of admin logins, filtering out authorized users and triggering alerts only when an unauthorized admin accesses the system, enabling IT teams to take immediate action.
This script scans Windows Event Logs for successful administrator logins (Event ID 4624) within the last hour, specifically identifying interactive (local console) and remote desktop (RDP) logins. It cross-references detected logins against a predefined list of authorized admins stored in a Level custom field (cf_authorized_admins). System accounts are excluded to reduce false positives. If an unauthorized admin is detected, the script generates an alert. Pairing this script with a script-based monitor in Level ensures real-time alerts whenever unauthorized admin activity is detected.
Script
```powershell
<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

# Level Library
# https://level.io/library/script-windows-unauthorized-admin-login
#>

# Define allowed admin users (comma-separated list from the Level custom field)
$AllowedAdmins = "{{cf_authorized_admins}}"
# Split on commas and trim whitespace so "a,b" and "a, b" parse the same way
$AllowedAdminsArray = @($AllowedAdmins -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Define known system accounts to ignore
$SystemAccounts = @("DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1", "UMFD-2", "UMFD-3", "SYSTEM")

# Get the current time and subtract one hour to filter events
$StartTime = (Get-Date).AddHours(-1)

# Get recent successful logins (Event ID 4624) within the last hour and filter for interactive/RDP logins.
# 4624 is logged for every successful logon; this pipeline narrows by logon type only.
# Get-WinEvent reports an error when no events match, so that case is silenced and treated as "no logins".
$Logins = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4624
    StartTime = $StartTime
} -ErrorAction SilentlyContinue | Where-Object {
    # Extract logon type (Properties[8] is LogonType)
    $LogonType = $_.Properties[8].Value
    # Only check interactive (2) and remote desktop (10) logins
    ($LogonType -eq 2 -or $LogonType -eq 10)
} | ForEach-Object {
    $_.Properties[5].Value  # Extract the account name (TargetUserName)
} | Where-Object { $_ -notin $SystemAccounts } | Select-Object -Unique

# Debug: Show detected logins
Write-Host "Detected Admin Logins in Last Hour: $($Logins -join ', ')"

# Check if any unauthorized admin has logged in
$UnauthorizedAdmins = $Logins | Where-Object { $_ -notin $AllowedAdminsArray }

if ($UnauthorizedAdmins) {
    Write-Host "ALERT: Unauthorized admin login detected: $($UnauthorizedAdmins -join ', ')"
    exit 1
}

Write-Host "All admin logins in the last hour are authorized."
exit 0
```

Windows - Admin Logins Alert (Exclude Authorized)
This PowerShell script checks recent admin logins against a predefined list of allowed admins. If it detects an unauthorized admin login, it prints an alert message and exits with a status code of 1.
PowerShell
300
Local system
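The script above selects 4624 events by logon type and reads fields by position. The following added example (not part of Level's library script) reads the same fields by name from the event XML and keeps only logons whose `ElevatedToken` field is set, so standard-user logons are not compared against the admin list. The function names, the sample events and the allow-list value are constructed for illustration, and it assumes 4624 version 2 events (Windows 10 / Server 2016 and later), which include `ElevatedToken`.

```powershell
# Added example (not Level's script). Function and variable names are illustrative.
# Assumes 4624 version 2 events (Windows 10 / Server 2016+), which carry ElevatedToken.

function ConvertFrom-LogonXml {
    param([string]$Xml)
    # Index EventData by field name instead of relying on Properties[n] positions
    $data = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = [int]$data['LogonType']
        Source    = $data['IpAddress']
        Elevated  = $data['ElevatedToken'] -eq '%%1842'   # %%1842 = Yes, %%1843 = No
    }
}

function Get-UnauthorizedAdminLogon {
    param([string[]]$EventXml, [string]$AllowedAdmins)
    $allowed = @($AllowedAdmins -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Keep console (2) / RDP (10) logons with an admin token, drop system accounts, then apply the allow-list
    $EventXml | Where-Object { $_ } | ForEach-Object { ConvertFrom-LogonXml $_ } |
        Where-Object { $_.LogonType -in @(2, 10) -and $_.Elevated } |
        Where-Object { $_.User -notmatch '^(DWM|UMFD)-\d+$' -and $_.User -ne 'SYSTEM' } |
        Where-Object { $_.User -notin $allowed }
}

# Constructed sample events, trimmed to the fields used here (real events carry more)
$tpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
       "<Data Name='TargetUserName'>{0}</Data><Data Name='TargetDomainName'>CORP</Data>" +
       "<Data Name='LogonType'>{1}</Data><Data Name='IpAddress'>{2}</Data>" +
       "<Data Name='ElevatedToken'>{3}</Data></EventData></Event>"
$sampleXml = @(
    $tpl -f 'alice',     10, '192.0.2.10', '%%1842'   # authorized admin over RDP
    $tpl -f 'tempadmin', 10, '192.0.2.44', '%%1842'   # elevated, not on the list
    $tpl -f 'bob',        2, '-',          '%%1843'   # standard user, no admin token
    $tpl -f 'DWM-4',      2, '-',          '%%1842'   # window manager account
)

# Live use: replace $sampleXml with
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-1) } `
#       -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
$hits = @(Get-UnauthorizedAdminLogon -EventXml $sampleXml -AllowedAdmins 'alice, carol')
if ($hits) {
    $hits | ForEach-Object { Write-Host "ALERT: $($_.Domain)\$($_.User) type $($_.LogonType) from $($_.Source)" }
} else {
    Write-Host 'All elevated logins in the sample are authorized.'
}
```

With the constructed sample, only `CORP\tempadmin` is reported; including the source address in the alert gives the responder a starting point for triage.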