
Send realtime Windows Login Audit trail to Telegram messenger

jacauc/WinLoginAudit

Receive instant SUCCESSFUL or FAILED Windows login attempt notifications in your Telegram chat app (Android/iOS/Windows/macOS).

Donate Bitcoin

This is a Windows scheduled task that runs a PowerShell script whenever a successful (Event ID 4624) or failed (Event ID 4625) login event is written to the Windows Security event log.

The PowerShell script parses the event log to find the event that triggered the scheduled task, and the useful details are then sent to a Telegram chat bot (add your own bot token and group ID directly in the code).

You will get instant Telegram messages whenever someone successfully or unsuccessfully tries to log in to your Windows computer. This helps you improve your security posture and become aware of malicious attempts to access your resources, whether attempted manually or by a bot running through a password list to brute-force logins to your Windows machine.

To install, import the XML scheduled task and allow it to run as an administrative user. Point the PowerShell argument to the location where you saved the edited .ps1 script file.

Edit the .ps1 script directly and add your Telegram bot token and group ID to the script.
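The following is an added example of what such a notification script can look like; it is not the repository's own LoginAudit.ps1. It assumes the placeholder values `<<<TOKEN>>>` and `<<<-GROUPID>>>` are replaced with the values recorded when creating the bot, and it applies the same LogonType exclusions and 60-second window as the task trigger so that the task's own run under the administrative account is not reported.

```powershell
# Added example of the notification script; not the repository's LoginAudit.ps1.
$BotToken = '<<<TOKEN>>>'       # placeholder: the token shown by @botfather
$GroupId  = '<<<-GROUPID>>>'    # placeholder: the group ID, normally negative

# Newest logon event from the last 60 seconds, excluding batch (LogonType 4)
# and service (LogonType 5) logons, which is what the task trigger also skips.
$xpath = @"
*[System[(EventID=4624 or EventID=4625)
         and TimeCreated[timediff(@SystemTime) <= 60000]]
  and EventData[Data[@Name='LogonType'] != '4']
  and EventData[Data[@Name='LogonType'] != '5']]
"@
$event = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $event) { return }   # nothing matched, e.g. the task was started by hand

# Read EventData fields by name from the event XML; the positional Properties[]
# layout differs between 4624 and 4625, so names are the reliable choice.
$xml  = [xml]$event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

$status = if ($event.Id -eq 4624) { 'SUCCESSFUL' } else { 'FAILED' }
$lines = @(
    "$status login on $env:COMPUTERNAME",
    "Time:        $($event.TimeCreated)",
    "User:        $($data['TargetDomainName'])\$($data['TargetUserName'])",
    "Logon type:  $($data['LogonType'])",
    "Source IP:   $($data['IpAddress'])",
    "Workstation: $($data['WorkstationName'])"
)
if ($event.Id -eq 4625) {
    # 4625 carries NTSTATUS codes explaining the failure (bad password, unknown user, ...)
    $lines += "Reason:      status $($data['Status']) / substatus $($data['SubStatus'])"
}
$text = $lines -join "`n"

# Telegram Bot API sendMessage, the same call as the manual test URL, sent as a
# POST so the token and message text do not end up in a URL query string.
$uri = "https://api.telegram.org/bot$BotToken/sendMessage"
Invoke-RestMethod -Uri $uri -Method Post -Body @{ chat_id = $GroupId; text = $text } | Out-Null
```

The 60-second window matches the task filter; if the task is delayed for longer than that, the script finds no event and exits quietly rather than reporting an unrelated logon.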

Pull requests or improvement suggestions are welcome, as this is beta code.

Create a bot

Detailed instructions for setting up the Telegram Bot: https://www.forsomedefinition.com/automation/creating-telegram-bot-notifications/

Simplified instructions:

  1. Open Telegram.
  2. Start a chat with @botfather.
  3. Type /newbot.
  4. Give your bot a name, e.g. mywinloginaudit.
  5. Give your bot a username, e.g. mywinloginauditbot.
  6. You will get a message like this:

[Screenshot: 2018-01-06_15-53-12]

  7. RECORD THE TOKEN SHOWN IN THE MESSAGE.
  8. Start a chat with your bot and type /start.
  9. Type a test message for the bot, such as "hello".
  10. Leave that chat and create a Telegram group conversation; call it something like "System Notifications".
  11. Invite your bot to the group.
  12. Open the following page, inserting your bot's TOKEN and removing the <<< and >>> characters:
      https://api.telegram.org/bot<<<TOKEN>>>/getUpdates
  13. Look for the group's ID, as shown in green below. The group ID is normally preceded by a minus sign. RECORD THE GROUPID:

[Screenshot: 2018-01-06_16-06-23]

  14. Do a test: you should now get a "Hello World" message in the Telegram group from your bot. If this did not work, check steps 1-11 again.
      https://api.telegram.org/bot<<<TOKEN>>>/sendMessage?chat_id=<<<-GROUPID>>>&text=Hello+World
  15. Keep your GROUPID and TOKEN and replace the values accordingly in the .ps1 PowerShell script file.

Enable PowerShell Scripts

  1. Open PowerShell as an Administrator on the Windows machine.
  2. Type:
     set-executionpolicy remotesigned
  3. Type A and press Enter.

[Screenshot: 2018-01-06_16-30-40]

Edit Security Policy

Run secpol.msc on the machine, navigate to Security Settings > Local Policies > Audit Policy, and change the "Audit account logon events" and "Audit logon events" policies to audit both SUCCESS and FAILURE events.

[Screenshot: 2018-01-06_15-17-58]

Import the scheduled task XML

  1. Open Windows Task Scheduler.
  2. Select "Import Task".

[Screenshot: 2018-01-06_16-34-00]

  3. Import the MonitorLoginsTask.XML file.
  4. Change the task name if necessary.
  5. On the "Actions" tab, ensure the parameter of the PowerShell action points to the actual location of the edited LoginAudit.ps1 file (your TOKEN and GROUPID should already be saved in this file).
  6. On the "General" tab, click "Change User or Group" and select a local administrative user.
  7. Click OK and type the correct password for that user.

NOTE: The scheduled task's event trigger filters the 4624 and 4625 events as shown below. A successful run of the scheduled task itself generates a logon event in the log, so without this filter the task would trigger itself in an endless loop.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]
        and
        EventData[Data[@Name='LogonType'] != '4']
        and
        EventData[Data[@Name='LogonType'] != '5']
        and
        EventData[Data[@Name='SubjectUserSid']!='S-1-0-0']
        and
        EventData[Data[@Name='TargetDomainName']!='Window Manager']
        and
        EventData[Data[@Name='TargetDomainName']!='Font Driver Host']
        and
        ( System[TimeCreated[timediff(@SystemTime) &lt;= 60000]])
      ]

      or

      *[System[EventID=4625]
        and
        EventData[Data[@Name='LogonType'] != '4']
        and
        EventData[Data[@Name='LogonType'] != '5']
        and
        ( System[TimeCreated[timediff(@SystemTime) &lt;= 60000]])
      ]
    </Select>
  </Query>
</QueryList>
```
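Before relying on the imported task, it is worth running its trigger filter by hand to see which logon events would fire it. This added check is not part of the repository; it reuses the task's own XPath, widens the window from 60 seconds to one hour (3600000 ms, an assumption for the dry run so that recent history shows up), and writes the comparison as `<=` because the `&lt;=` form is only required inside the task XML.

```powershell
# Added dry-run check of the scheduled task's trigger filter; not from the repository.
$taskFilter = @"
*[System[EventID=4624]
  and EventData[Data[@Name='LogonType'] != '4']
  and EventData[Data[@Name='LogonType'] != '5']
  and EventData[Data[@Name='SubjectUserSid'] != 'S-1-0-0']
  and EventData[Data[@Name='TargetDomainName'] != 'Window Manager']
  and EventData[Data[@Name='TargetDomainName'] != 'Font Driver Host']
  and System[TimeCreated[timediff(@SystemTime) <= 3600000]]]
or
*[System[EventID=4625]
  and EventData[Data[@Name='LogonType'] != '4']
  and EventData[Data[@Name='LogonType'] != '5']
  and System[TimeCreated[timediff(@SystemTime) <= 3600000]]]
"@

Get-WinEvent -LogName Security -FilterXPath $taskFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Named EventData lookup; positional Properties[] differ between 4624 and 4625.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventID   = $_.Id
            LogonType = $d['LogonType']
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIP  = $d['IpAddress']
        }
    } | Format-Table -AutoSize
```

Events with LogonType 4 or 5 should never appear in this output; if they do, the filter in the imported task is not the one shown above and the self-triggering loop described in the note is possible.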

Test it out

  1. Open a command prompt window and type:
     runas /user:test cmd
  2. Press Enter, type any password, and press Enter again.
  3. You should now get an instant Telegram message indicating the failed login attempt.

[Screenshot: 2018-01-06_16-40-22]
