7 Essential PowerShell Scripts for Detecting Suspicious Activity in Event Logs

Introduction

Cybersecurity threats often leave traces in system event logs before triggering traditional antivirus alerts. PowerShell enables IT professionals and security teams to proactively analyze Windows event logs for signs of compromise, unauthorized access, or policy violations. These scripts help automate threat detection for Blue Teams and security analysts.

Learning Objectives

  • Identify failed login attempts and brute-force attacks
  • Detect anomalous account creation or privilege escalation
  • Monitor suspicious process execution paths
  • Automate SIEM log enrichment and alerting

1. Detecting Failed Login Attempts

Command:

# In the 4625 EventData, Properties[5] is TargetUserName (the account that failed to log on)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-3)} |
Select-Object TimeCreated, @{Name="Usuario";Expression={$_.Properties[5].Value}}, Message

Steps:

  1. Filters Security log for Event ID 4625 (failed logins).
  2. Extracts timestamps, usernames, and error messages from the last 3 days.
  3. Use this to identify brute-force attacks or credential stuffing.

2. Successful Logins Outside Business Hours

Command:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} |
Where-Object { $_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 20 } |
Select-Object TimeCreated, Message

Steps:

  1. Queries Event ID 4624 (successful logins).
  2. Filters for logins between 6 PM and 6 AM (adjust hours as needed).
  3. Highlights potential unauthorized access or compromised accounts.

3. New Account Creation Monitoring

Command:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=(Get-Date).AddDays(-7)} | 
Select-Object TimeCreated, Message 

Steps:

  1. Checks Event ID 4720 (new user accounts).
  2. Audits unexpected account creation (e.g., backdoor accounts).

4. Security Group Modifications

Command:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756; StartTime=(Get-Date).AddDays(-7)} | 
Select-Object TimeCreated, Message 

Steps:

  1. Tracks Event IDs 4728 (group membership changes), 4732 (local group updates), and 4756 (domain group changes).
  2. Detects privilege escalation attempts.

5. Suspicious Process Execution Paths

Command:

# -like needs wildcards; without them the pattern only matches a message that is exactly "AppData"
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4688)]]" |
Where-Object { $_.Message -like "*\AppData\*" -or $_.Message -like "*\Temp\*" } |
Select-Object TimeCreated, Message

Steps:

  1. Scans for Event ID 4688 (new process creation).
  2. Flags processes running from Temp or AppData (common malware locations).

6. Group Policy Object (GPO) Tampering

Command:

# 5136 messages name the modified object's class, so also match the GPO class groupPolicyContainer
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=(Get-Date).AddDays(-5)} |
Where-Object { $_.Message -like "*Group Policy*" -or $_.Message -like "*groupPolicyContainer*" } |
Select-Object TimeCreated, Message

Steps:

  1. Monitors Event ID 5136 (directory service changes).
  2. Alerts on unauthorized GPO modifications (e.g., disabling security policies).

7. Cross-Device Login Correlation

Command:

# In the 4624 EventData, Properties[5] is TargetUserName and Properties[18] is IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} |
Select-Object TimeCreated, @{Name="Usuario";Expression={$_.Properties[5].Value}}, @{Name="Origen";Expression={$_.Properties[18].Value}} |
Group-Object Usuario

Steps:

  1. Groups successful logins (4624) by user and source IP/hostname.
  2. Identifies credential reuse across multiple devices (potential lateral movement).

Automating Alerts

Integrate scripts with SIEM tools or trigger email alerts:

# -From is mandatory; the addresses and SMTP server below are example.com placeholders
Send-MailMessage -From "alerts@example.com" -To "soc@example.com" -Subject "Suspicious Event Detected" -Body "Event ID 4625 (Failed Login)" -SmtpServer "smtp.example.com"
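As an added example that is not part of the original post, the following script joins the failed-login query from section 1 with the alert step above: it reads the 4625 fields by name from the event XML instead of by position, counts failures per source/user pair over a look-back window, and mails a summary only when a pair crosses a threshold. The window, threshold, mail addresses and SMTP server are assumed values to adjust for your environment.

```powershell
# Added example (not from the original post): threshold-based brute-force detection
# over Event ID 4625 with the mail alert from the "Automating Alerts" section.
# Window, threshold, addresses and SMTP server are assumptions to adjust.
$WindowMinutes = 60      # look-back window
$Threshold     = 10      # failures per source/user pair that triggers an alert

# Pull raw 4625 events and read the named EventData fields from the event XML,
# which is more robust than relying on Properties[] positions.
# -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
$failures = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = $data['TargetUserName']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            SubStatus   = $data['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }

# Group by source and target user: a high count for one pair is password guessing.
# (Group by SourceIp alone to catch spraying across many accounts from one source.)
$suspects = $failures |
    Group-Object SourceIp, TargetUser |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SourceIp   = $_.Group[0].SourceIp
            TargetUser = $_.Group[0].TargetUser
            Failures   = $_.Count
            FirstSeen  = $sorted[0].Time
            LastSeen   = $sorted[-1].Time
        }
    }

if ($suspects) {
    $body = $suspects | Format-Table -AutoSize | Out-String
    Send-MailMessage -From 'alerts@example.com' -To 'soc@example.com' `
        -Subject "Possible brute force: $(@($suspects).Count) source/user pair(s) over threshold" `
        -Body $body -SmtpServer 'smtp.example.com'
}
$suspects
```

Run it from a scheduled task under an account with read access to the Security log; the SubStatus field distinguishes guessing against real accounts from probing for non-existent ones.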

What Undercode Says

Key Takeaways:

  1. Proactive Defense: Log analysis often reveals threats before endpoint protection reacts.
  2. Automation is Critical: Manual log reviews are impractical at scale.
  3. Customization Matters: Tailor scripts to your environment (e.g., adjust time ranges or event IDs).

Analysis:

PowerShell’s deep integration with Windows makes it ideal for real-time security monitoring. These scripts address MITRE ATT&CK techniques like Brute Force (T1110), Account Manipulation (T1098), and Lateral Movement (T1021). Future advancements may integrate these with AI-driven anomaly detection, but the core logic remains vital for threat hunting.

Prediction:

As attackers evolve, log-based detection will grow in importance, especially with cloud and hybrid environments. Expect tighter integration between PowerShell, Azure Sentinel, and open-source tools like Elastic SIEM.

Tags: BlueTeam ThreatHunting WindowsSecurity PowerShell

Reported By: Carlos Bartels – Hackers Feeds