Level Verified

Windows Unauthorized Admin Login Script

Created by: Level
Type: Script
Category: Security
Platforms: Windows, Apple iOS, Linux

Problem Overview

Unauthorized administrator logins pose a significant security risk, potentially leading to data breaches, system compromises, or compliance violations. Manually monitoring these logins is inefficient and leaves gaps in security. This script automates the detection of admin logins, filtering out authorized users and triggering alerts only when an unauthorized admin accesses the system, enabling IT teams to take immediate action.

Description

This script scans Windows Event Logs for successful administrator logins (Event ID 4624) within the last hour, specifically identifying interactive (local console) and remote desktop (RDP) logins. It cross-references detected logins against a predefined list of authorized admins stored in a Level custom field (cf_authorized_admins). System accounts are excluded to reduce false positives. If an unauthorized admin is detected, the script generates an alert. Pairing this script with a script-based monitor in Level ensures real-time alerts whenever unauthorized admin activity is detected.

Script

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library.

# Level Library
# https://level.io/library/script-windows-unauthorized-admin-login
#>

# Define allowed admin users (comma-separated list from the Level custom field).
# Split on the comma and trim surrounding whitespace so "a, b" and "a,b" both work;
# drop empty entries left by a trailing comma.
$AllowedAdmins = "{{cf_authorized_admins}}"
$AllowedAdminsArray = @($AllowedAdmins -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Define known system accounts to ignore (desktop window manager, font driver host, SYSTEM)
$SystemAccounts = @("DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1", "UMFD-2", "UMFD-3", "SYSTEM")

# Get the current time and subtract one hour to filter events
$StartTime = (Get-Date).AddHours(-1)

# Get recent successful logins (Event ID 4624) within the last hour and filter for interactive/RDP logins.
# -ErrorAction SilentlyContinue stops Get-WinEvent from throwing when no events match.
$Logins = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4624
    StartTime = $StartTime
} -ErrorAction SilentlyContinue | Where-Object {
    # Extract logon type (Properties[8] is the LogonType field of event 4624)
    $LogonType = $_.Properties[8].Value
    # Only check interactive (2) and remote desktop (10) logins
    ($LogonType -eq 2 -or $LogonType -eq 10)
} | ForEach-Object {
    $_.Properties[5].Value  # Extract the account name (Properties[5] is TargetUserName)
} | Where-Object { $_ -notin $SystemAccounts } | Select-Object -Unique

# Debug: Show detected logins
Write-Host "Detected Admin Logins in Last Hour: $($Logins -join ', ')"

# Check if any unauthorized admin has logged in (comparison is case-insensitive)
$UnauthorizedAdmins = $Logins | Where-Object { $_ -notin $AllowedAdminsArray }

if ($UnauthorizedAdmins) {
    Write-Host "ALERT: Unauthorized admin login detected: $($UnauthorizedAdmins -join ', ')"
    exit 1   # non-zero exit status is what the Level monitor alerts on
}

Write-Host "All admin logins in the last hour are authorized."
exit 0

Use Cases

  • Detect unauthorized administrator logins in real-time.
  • Automate security monitoring and prevent unauthorized access.
  • Maintain strict oversight of privileged accounts for compliance audits.
  • Enhance security by integrating alerts with automated remediation workflows.

Recommendations

  • Pair with a script-based monitor in Level to generate alerts when unauthorized admin logins occur.
  • Define authorized admins using a Level custom field (Authorized Admins - cf_authorized_admins) to ensure accurate monitoring.
  • Test before deploying in a production environment to validate compatibility.
  • Regularly review and update the authorized admin list to reflect personnel or policy changes.
  • Integrate with security automation tools to respond automatically to unauthorized access attempts.

FAQ

  • How does this script determine unauthorized logins?
    The script compares detected admin logins against the list of authorized admins stored in a Level custom field (cf_authorized_admins). Any login not in this list triggers an alert.
  • Can I modify the time window for detection?
    Yes. Adjust (Get-Date).AddHours(-1) to a different range, such as -2 for two hours; for a 30-minute window use (Get-Date).AddMinutes(-30), since AddHours(-30) would cover 30 hours.
  • What happens if an unauthorized login is detected?
    The script outputs an alert message and exits with a non-zero status, which can be used to trigger alerts in Level’s monitoring system.
  • How do I add or remove authorized admins?
    Update the cf_authorized_admins custom field in Level with a comma-separated list of authorized usernames.
  • Will this script trigger alerts for system accounts?
    No, it automatically excludes common system accounts like SYSTEM, DWM-1, and UMFD-0 to prevent false positives.
  • Does this script impact system performance?
    No, it queries the Windows Event Logs efficiently and should have minimal performance impact. However, testing in a controlled environment is recommended before full deployment.
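The script above treats every interactive or RDP logon (Event ID 4624, logon type 2 or 10) as an admin login and relies on fixed Properties[] indexes and an exact ", " separator. The following is an added example, not the Level library script, showing a variant that a practitioner might prefer: it reads the 4624 fields by name from the event XML, accepts any comma-separated allow list, makes the time window a parameter (so the 30-minute case from the FAQ is -WindowMinutes 30), and only reports accounts that are currently members of the local Administrators group. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) available; the {{cf_authorized_admins}} placeholder is the same Level custom field the page uses. The parameter names and the output fields are this example's own choices.

```powershell
# Added example (not the Level library script). Reports unauthorized admin logons
# in the last $WindowMinutes minutes. Assumes Windows PowerShell 5.1+ on the
# monitored host and the LocalAccounts module for Get-LocalGroupMember.
param(
    [string]$AuthorizedAdmins = "{{cf_authorized_admins}}",   # Level custom field, as on the page
    [int]$WindowMinutes = 60                                   # 60 = the page's one-hour window
)

$SystemAccounts = @("DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1", "UMFD-2", "UMFD-3", "SYSTEM")

# Split on commas, trim whitespace, drop empties: "a, b", "a,b" and "a, b," all parse the same.
$AllowedAdminsArray = @($AuthorizedAdmins -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Current members of the local Administrators group, reduced to bare user names.
# Get-LocalGroupMember returns "COMPUTER\user" or "DOMAIN\user"; members that are
# nested groups (e.g. a domain group) are not expanded here, which is a known limit.
$LocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.Name -split '\\')[-1] })

# Fail closed: if the membership lookup returned nothing, fall back to the page's
# behaviour (every interactive/RDP logon is in scope) rather than silently reporting nothing.
$CheckMembership = $LocalAdmins.Count -gt 0
if (-not $CheckMembership) {
    Write-Warning "Could not enumerate local Administrators; treating all interactive/RDP logons as admin logons."
}

$StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624; StartTime = $StartTime } -ErrorAction SilentlyContinue

$Findings = foreach ($Event in $Events) {
    # Read EventData fields by name (TargetUserName, LogonType, ...) instead of by index.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }

    $LogonType = [int]$Data['LogonType']
    if ($LogonType -ne 2 -and $LogonType -ne 10) { continue }        # interactive and RDP only

    $User = $Data['TargetUserName']
    if (-not $User -or $User.EndsWith('$') -or $User -in $SystemAccounts) { continue }  # machine/system accounts
    if ($CheckMembership -and $User -notin $LocalAdmins) { continue }  # not an administrator: out of scope
    if ($User -in $AllowedAdminsArray) { continue }                    # authorized admin (case-insensitive)

    $TypeName = if ($LogonType -eq 2) { 'Interactive' } else { 'RemoteInteractive' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        User      = "$($Data['TargetDomainName'])\$User"
        LogonType = $TypeName
        SourceIp  = $Data['IpAddress']   # "-" for local console logons
    }
}

if ($Findings) {
    Write-Host "ALERT: unauthorized admin logon(s) in the last $WindowMinutes minutes:"
    $Findings | Format-Table -AutoSize | Out-String | Write-Host
    exit 1   # non-zero status trips the Level script-based monitor, as with the page's script
}

Write-Host "All admin logons in the last $WindowMinutes minutes are authorized."
exit 0
```

Because the Level script runs as Local system, the group enumeration and the Security log read both succeed without extra rights. The fail-closed branch matters: if Get-LocalGroupMember errors (it does on some builds when the group holds an orphaned SID), the script still reports rather than returning a clean exit with nothing checked.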

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: Windows - Admin Logins Alert (Exclude Authorized)
Description: This PowerShell script checks recent admin logins against a predefined list of allowed admins. If it detects an unauthorized admin login, it prints an alert message and exits with a status code of 1.
Language: PowerShell
Timeout (In Seconds): 300
Run As: Local system
