Keeping a close eye on the security of our systems is paramount. With attackers growing more sophisticated and persistent, one of the signs of potential compromise or attempts thereof can be a surge in invalid login attempts. To detect these potential security breaches, system administrators can rely on the powerful capabilities of PowerShell on Windows systems. In this blog post, we’ll guide you on how to use PowerShell to generate a report of all invalid logins on a computer.
Understanding the Event Viewer
Before diving into PowerShell, it’s crucial to understand where this information about logins is stored: the Windows Event Viewer. Specifically, a failed logon attempt is logged as event ID 4625 (“An account failed to log on”) in the Security log. Two caveats worth knowing: the event is only written if failure auditing is enabled for the Logon subcategory (check with auditpol /get /subcategory:"Logon"), and when the credentials are validated by a domain controller, the DC records the failure as 4771 (Kerberos) or 4776 (NTLM) rather than 4625, so 4625 must be collected from the machine where the logon was attempted.
Using PowerShell to Fetch Invalid Logins
With an understanding of where the data resides, we can use PowerShell to extract and report it.
Start PowerShell with Admin Rights
Begin by launching PowerShell as an administrator. This is essential because reading the Security log requires membership in the local Administrators group (or the Event Log Readers group), and under UAC an administrator only gets those rights in an elevated session.
Fetch Invalid Login Attempts
Use the Get-EventLog cmdlet to filter on the event ID associated with failed logon attempts. Note that Get-EventLog exists only in Windows PowerShell 5.1; it was removed from PowerShell 6 and later, where Get-WinEvent is the replacement:
$invalidLogins = Get-EventLog -LogName Security -InstanceId 4625
Process and Organize the Data
Invalid login attempts can generate a lot of data, especially on a busy server or a frequently targeted system. To make this data more digestible, extract the fields that matter. Event 4625 stores its details as positional replacement strings: index 5 is the target account name and index 19 is the source network address (index 18 is the name of the process that attempted the logon, so using it for the IP address produces a wrong report). The address is “-” for console and other local logons.
$report = $invalidLogins | ForEach-Object {
    [PSCustomObject]@{
        Time      = $_.TimeGenerated
        Username  = $_.ReplacementStrings[5]   # TargetUserName
        IPAddress = $_.ReplacementStrings[19]  # IpAddress ("-" for local logons)
    }
}
Outputting the Report
To the Console: Simply type $report and press Enter to view the organized data in your PowerShell session.
To a CSV File: If you prefer to have a file for archival or for sharing, you can export this data to a CSV:
$report | Export-Csv -Path "C:\path\to\your\output.csv" -NoTypeInformation
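The steps above, pulled together into one script as an added example (this is not code from the original post). It uses Get-WinEvent, which works in both Windows PowerShell 5.1 and PowerShell 7, pulls the 4625 fields by name from the event XML rather than by replacement-string index, and goes a little beyond the post by summarising failures per source address and flagging bursts. The look-back window, threshold, output folder C:\Reports and the SubStatus-to-reason table are assumptions; run it from an elevated session, saved as a .ps1 file.

```powershell
# Added example: report failed logons (event 4625) with Get-WinEvent.
# Assumes failure auditing for Logon is enabled and that $OutDir exists (hypothetical path).
param(
    [int]    $Hours     = 24,          # look-back window
    [int]    $Threshold = 5,           # failures from one source IP treated as suspicious
    [string] $OutDir    = 'C:\Reports' # hypothetical output folder; must exist
)

$since = (Get-Date).AddHours(-$Hours)

# The hashtable filter is applied by the Event Log service, so only 4625 events in the
# window are returned (much faster than piping the whole Security log to Where-Object).
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue)   # "No events were found" is a terminating error otherwise

if ($events.Count -eq 0) {
    Write-Host "No failed logons in the last $Hours hour(s)."
    return
}

# SubStatus codes documented for event 4625 mapped to a readable reason.
$subStatusText = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
}

$report = @(foreach ($e in $events) {
    # Read EventData fields by name from the event XML. Positional ReplacementStrings
    # indexes are easy to get wrong and differ between event IDs.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    $code   = ('' + $data['SubStatus']).ToLower()
    $reason = if ($subStatusText.ContainsKey($code)) { $subStatusText[$code] } else { $code }

    [PSCustomObject]@{
        Time        = $e.TimeCreated
        Username    = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $data['LogonType']      # 2 = interactive, 3 = network, 10 = RDP, ...
        IPAddress   = $data['IpAddress']      # '-' for console / local attempts
        Workstation = $data['WorkstationName']
        Reason      = $reason
    }
})

# Aggregate by source address: a burst of failures from one IP, often spread over many
# user names (password spraying), is the signal worth alerting on.
$bySource = $report |
    Where-Object { $_.IPAddress -and $_.IPAddress -ne '-' } |
    Group-Object -Property IPAddress |
    Sort-Object -Property Count -Descending |
    Select-Object -Property @{ n = 'IPAddress'; e = { $_.Name } },
                            Count,
                            @{ n = 'Usernames'; e = { ($_.Group.Username | Sort-Object -Unique) -join ', ' } },
                            @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                            @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }

$suspicious = @($bySource | Where-Object { $_.Count -ge $Threshold })

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report   | Export-Csv -Path (Join-Path $OutDir "failed-logons-$stamp.csv")           -NoTypeInformation
$bySource | Export-Csv -Path (Join-Path $OutDir "failed-logons-by-source-$stamp.csv") -NoTypeInformation

if ($suspicious.Count -gt 0) {
    Write-Warning "$($suspicious.Count) source IP(s) with at least $Threshold failed logons in the last $Hours hour(s):"
    $suspicious | Format-Table -AutoSize | Out-String | Write-Warning
}
```

The per-source summary is where the post’s “multiple failed attempts in a short time span” observation becomes actionable: sort it by Count and the top rows are the hosts to look at first. Local attempts (IPAddress “-”) are excluded from that summary but remain in the full CSV, and LogonType tells you whether a remote failure came over the network (3) or RDP (10).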
Automation
For ongoing monitoring, consider creating a scheduled task that runs this PowerShell script daily or weekly. Run it under an account that can read the Security log (SYSTEM is the usual choice), have it save reports to a folder that ordinary users cannot modify, and add an alert (e-mail, ticket, SIEM forward) when the failure count crosses a threshold, so that unusual activity reaches you without anyone having to remember to check.
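As an added example of that scheduling step (not part of the original post), the following registers a daily task with the ScheduledTasks module. The script path C:\Scripts\Get-FailedLogons.ps1, the task name and the 06:00 run time are assumptions; run this once from an elevated session.

```powershell
# Added example: register a daily task that runs the failed-logon report as SYSTEM.
# C:\Scripts\Get-FailedLogons.ps1 is a hypothetical path to the report script.
$scriptPath = 'C:\Scripts\Get-FailedLogons.ps1'

# -NonInteractive and -NoProfile keep the unattended run predictable. Drop
# -ExecutionPolicy Bypass if your scripts are signed and policy is AllSigned.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Every day at 06:00 local time.
$trigger = New-ScheduledTaskTrigger -Daily -At 6am

# SYSTEM can read the Security log without an interactive logon; Highest = elevated.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Catch up if the machine was off at 06:00, and never let a run hang indefinitely.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName 'FailedLogonReport' -TaskPath '\Security\' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings `
    -Description 'Daily report of 4625 failed logons' | Out-Null

# Verify it registered and run it once by hand.
Get-ScheduledTask -TaskName 'FailedLogonReport' -TaskPath '\Security\' | Start-ScheduledTask
```

Because the task runs as SYSTEM, make sure the script file and its folder are writable only by administrators; otherwise anyone who can edit the file gets code execution as SYSTEM at 06:00.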
Conclusion
While it’s true that a failed login can occasionally be a genuine mistake (a forgotten password or a typo), multiple failed login attempts, especially in a short time span, can be a sign of a more significant threat. By leveraging PowerShell to report on these attempts, system administrators can remain vigilant and proactive against potential security breaches. Remember, in the realm of cybersecurity, being proactive rather than reactive can make all the difference!