Send realtime Windows Login Audit trail to Telegram messenger
This is a Windows scheduled task that runs a PowerShell script whenever a successful (Event ID 4624) or failed (Event ID 4625) login event is written to the Windows Security event log.
The PowerShell script parses the event log to find the event that triggered the scheduled task, and the useful fields are then sent to a Telegram chat through a bot. (Please add your own bot token and chat ID directly in the code.)
You will get an instant Telegram message whenever someone successfully or unsuccessfully tries to log in to your Windows computer. This lets you improve your security posture and become aware of malicious attempts to access your resources, whether made manually or by a bot working through a password list to brute-force logins to your Windows machine.
To install, import the XML scheduled task and allow it to run as an administrative user. Point the PowerShell argument to the location where you saved the edited .ps1 script file.
Edit the .ps1 script directly and add your Telegram bot token and chat ID in the script.
Pull requests or improvement suggestions welcome as this is Beta code.
Detailed instructions for setting up the Telegram Bot: https://www.forsomedefinition.com/automation/creating-telegram-bot-notifications/
Simplified instructions (replace <<<TOKEN>>> with your bot token; getUpdates shows the chat_id of the chat your bot has been added to, and sendMessage sends a test message to it):
https://api.telegram.org/bot<<<TOKEN>>>/getUpdates
https://api.telegram.org/bot<<<TOKEN>>>/sendMessage?chat_id=<<<-GROUPID>>>&text=Hello+World
Allow PowerShell to run the script:
set-executionpolicy remotesigned
Run secpol.msc on the machine, navigate to Security Settings > Local Policies > Audit Policy and set the "Audit account logon events" and "Audit logon events" policies to audit both SUCCESS and FAILURE events; without this, no 4624/4625 events are written.
NOTE: The scheduled task's event filter is written as shown below. A successful run of the scheduled task itself generates a logon event (the batch/service logon types 4 and 5 excluded here), so without the filter the task would trigger itself in an endless loop. The filter also skips the null SID, the "Window Manager" and "Font Driver Host" virtual accounts, and anything older than 60 seconds (60000 ms).
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]
        and EventData[Data[@Name='LogonType'] != '4']
        and EventData[Data[@Name='LogonType'] != '5']
        and EventData[Data[@Name='SubjectUserSid'] != 'S-1-0-0']
        and EventData[Data[@Name='TargetDomainName'] != 'Window Manager']
        and EventData[Data[@Name='TargetDomainName'] != 'Font Driver Host']
        and (System[TimeCreated[timediff(@SystemTime) <= 60000]])
      ]
      or
      *[System[EventID=4625]
        and EventData[Data[@Name='LogonType'] != '4']
        and EventData[Data[@Name='LogonType'] != '5']
        and (System[TimeCreated[timediff(@SystemTime) <= 60000]])
      ]
    </Select>
  </Query>
</QueryList>
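As an added example of what the triggered script can do (example code, not the project's own .ps1), the block below re-applies the task's exclusions in PowerShell, picks the newest matching event from the last 60 seconds and posts a summary to the sendMessage endpoint from the simplified instructions above. <<<TOKEN>>> and <<<-GROUPID>>> are placeholders for your own values; reading the Security log needs the elevated account the task already runs as.

```powershell
# Added example (not the project's script): find the logon event that fired the task
# and forward a summary to Telegram. Replace the two placeholders with your own values.
$BotToken = '<<<TOKEN>>>'      # placeholder: your bot token
$ChatId   = '<<<-GROUPID>>>'   # placeholder: chat/group id as shown by getUpdates

# Pull a named field out of the event's EventData section.
function Get-EventField([xml]$EventXml, [string]$Name) {
    ($EventXml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Same 60 s window as the task subscription, same exclusions done in code: logon types 4/5
# cover the task's own batch/service logon; 'Window Manager' / 'Font Driver Host' are
# Windows' DWM/UMFD virtual accounts that log on constantly and are not people.
$Event = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddSeconds(-60)
} -ErrorAction SilentlyContinue | Where-Object {
    $x = [xml]$_.ToXml()
    (Get-EventField $x 'LogonType')        -notin @('4', '5') -and
    (Get-EventField $x 'TargetDomainName') -notin @('Window Manager', 'Font Driver Host')
} | Select-Object -First 1

if (-not $Event) { return }   # nothing that passes the filter; do not spam the chat

$x = [xml]$Event.ToXml()
$LogonTypeNames = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '10' = 'RemoteInteractive (RDP)' }
$Type     = Get-EventField $x 'LogonType'
$TypeName = if ($LogonTypeNames.ContainsKey($Type)) { $LogonTypeNames[$Type] } else { 'other' }

$Lines = @(
    $(if ($Event.Id -eq 4624) { 'SUCCESSFUL logon' } else { 'FAILED logon' }) + " on $env:COMPUTERNAME"
    "Time:      $($Event.TimeCreated)"
    "User:      $(Get-EventField $x 'TargetDomainName')\$(Get-EventField $x 'TargetUserName')"
    "LogonType: $Type ($TypeName)"
    "Source IP: $(Get-EventField $x 'IpAddress')"
    "Process:   $(Get-EventField $x 'ProcessName')"
)
# 4625 carries the failure reason (e.g. SubStatus 0xC000006A = wrong password, 0xC0000064 = unknown user).
if ($Event.Id -eq 4625) {
    $Lines += "Status:    $(Get-EventField $x 'Status') / $(Get-EventField $x 'SubStatus')"
}

# POST the text as a form body; Telegram answers with JSON describing the sent message.
Invoke-RestMethod -Uri "https://api.telegram.org/bot$BotToken/sendMessage" -Method Post -Body @{
    chat_id = $ChatId
    text    = ($Lines -join "`n")
}
```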
To test the setup, generate a logon event yourself (a wrong password produces a 4625, the right one a 4624):
runas /user:test cmd