Windows Event Log Monitoring and Alerting via PowerShell

PowerShell event log monitoring automation

Overview

This project focuses on building a PowerShell-based automation to monitor Windows Event Logs, specifically targeting failed logon attempts (Event ID 4625, "An account failed to log on"). The script reads the Security log, extracts the failed logons from the last 5 minutes, and sends an email alert if any are found. It runs silently in the background every 5 minutes using Task Scheduler, so an alert arrives within one polling interval of the attempt rather than strictly in real time.

This project showcases scripting, secure credential handling, Windows system internals, and process automation: essential skills for any cybersecurity or IT professional.


🛠️ Applications

  • Detect brute-force or unauthorized login attempts

  • Build a lightweight Host Intrusion Detection System (HIDS)

  • Integrate into enterprise monitoring pipelines

  • Demonstrate scripting, automation, and alerting skills on a resume or portfolio


 

🧪 Tools & Technologies Used

  • PowerShell (Core logic + SecureString handling)

  • Windows Security event log (the data source; the same log you browse in Event Viewer)

  • Task Scheduler (for background automation)

  • Gmail SMTP (for sending alerts)

  • Secure credential storage with Export-Clixml / Import-Clixml (the SecureString is protected with DPAPI, so the file decrypts only for the same Windows account on the same machine that created it)


⚙️ Script Behavior (How It Works)

  1. Sets a rolling time window (the last 5 minutes, matching the scheduling interval so each event is reported once)

  2. Queries the Security log for Event ID 4625 (failed logon attempts)

  3. If any are found:

    • Builds an alert email from the event's fields: timestamp, target account, logon type, source IP address and workstation, and the failure sub-status (for example, bad password versus unknown user name)

    • Sends the email via Gmail SMTP over TLS, authenticating with a Gmail App Password

  4. Scheduled to run automatically every 5 minutes using Windows Task Scheduler
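The four steps above, written out as a complete monitor script. This is an added example for this write-up, not the author's original script: the credential file path, the recipient address and the SMTP server/port are placeholders you would set for your own environment, and the Gmail address is assumed to be the user name stored in the credential file.

```powershell
# Monitor-FailedLogons.ps1 (added example; assumptions noted in the parameters)
param(
    [int]$WindowMinutes   = 5,
    [string]$CredentialPath = "$env:USERPROFILE\gmail-smtp.cred.xml",  # assumed; created with Export-Clixml
    [string]$To           = 'alerts@example.com',                        # assumed recipient
    [string]$SmtpServer   = 'smtp.gmail.com',
    [int]$SmtpPort        = 587                                          # STARTTLS with -UseSsl
)

$ErrorActionPreference = 'Stop'

# 1. Rolling window: only events newer than "now minus the polling interval".
$since = (Get-Date).AddMinutes(-$WindowMinutes)

# 2. Query the Security log for 4625. A hashtable filter lets the event service
#    do the filtering instead of pulling the whole log into PowerShell.
#    Get-WinEvent raises "No events were found" on an empty result, so that case
#    is silenced here and handled by the check below.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    return   # nothing to report; exit quietly for the scheduled run
}

# 3. Pull the interesting fields out of each event's XML. The EventData names
#    below are the ones Windows uses in a 4625 record.
$rows = @(foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']        # 2 interactive, 3 network, 10 RDP
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        SubStatus   = $data['SubStatus']        # 0xC000006A bad password, 0xC0000064 unknown user
    }
})

# Brute-force signal: the same source address hammering many times in the window.
$bySource = $rows | Group-Object SourceIP | Sort-Object Count -Descending

$body = @"
$($rows.Count) failed logon(s) on $env:COMPUTERNAME since $since

Attempts per source:
$($bySource | ForEach-Object { "  {0,-16} {1,4} attempt(s)" -f $_.Name, $_.Count } | Out-String)
Details:
$($rows | Format-Table -AutoSize | Out-String)
"@

# 4. Load the DPAPI-protected credential saved earlier with Export-Clixml.
#    It decrypts only for the same Windows account on the same machine that
#    exported it, so it must have been created while running as the task account.
$cred = Import-Clixml -Path $CredentialPath

Send-MailMessage -From $cred.UserName -To $To `
    -Subject "[ALERT] $($rows.Count) failed logon(s) on $env:COMPUTERNAME" `
    -Body $body -SmtpServer $SmtpServer -Port $SmtpPort -UseSsl -Credential $cred
```

Before relying on this, confirm that the machine actually records 4625: the event is only written when failure auditing is enabled for the Logon subcategory, which you can check with `auditpol /get /subcategory:"Logon"`. Test the script interactively first by generating a deliberately wrong password at the lock screen or with `runas`, then run it once by hand before handing it to Task Scheduler.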

🔐 Securing Your Gmail Password

Instead of hardcoding sensitive information like SMTP credentials in the script, I stored them with PowerShell's SecureString support: `Get-Credential` captures the Gmail address and App Password, and `Export-Clixml` writes them to disk with the password encrypted under DPAPI. Because DPAPI keys the data to the Windows user and machine, the file is only useful to the account that created it, and it must be created under the same account the scheduled task runs as; otherwise `Import-Clixml` fails at run time.
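A one-time setup script for that credential file, added here as an example rather than taken from the project. The file path is an assumption and must match whatever the monitor script reads; everything else uses only built-in cmdlets and icacls.

```powershell
# New-SmtpCredentialFile.ps1 (added example)
# Run this ONCE, interactively, logged on as the SAME Windows account the
# scheduled task will run under. DPAPI ties the encrypted SecureString to that
# account and this machine; any other account gets
# "Key not valid for use in specified state." from Import-Clixml.
param(
    [string]$Path = "$env:USERPROFILE\gmail-smtp.cred.xml"   # assumed location
)

$ErrorActionPreference = 'Stop'

# Prompt for the Gmail address and its App Password (never the real account
# password). Get-Credential keeps the secret as a SecureString in memory only.
$cred = Get-Credential -Message 'Gmail address and App Password for the alert sender'

# Export-Clixml serialises the PSCredential; the password is written as a
# DPAPI-protected SecureString, the user name in clear text.
$cred | Export-Clixml -Path $Path

# Defence in depth: drop inherited NTFS permissions so only this account can
# even read the ciphertext.
$me = "$env:USERDOMAIN\$env:USERNAME"
icacls $Path /inheritance:r /grant:r "${me}:(R,W)" | Out-Null

# Round-trip check in this security context: decrypt and confirm a non-empty
# password came back. If this fails here, the scheduled task will fail too.
$check = Import-Clixml -Path $Path
if ($check.GetNetworkCredential().Password.Length -eq 0) {
    throw "Could not recover the password from $Path"
}
Write-Host "Stored credential for $($check.UserName) at $Path (DPAPI-bound to $me)"
```

The file is not portable: copying it to another machine, or changing the task to run under a different account (a local alias versus the Microsoft account, for example), means re-running this script as that account on that machine.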

 

🕒 Automating with Task Scheduler

To ensure this runs every 5 minutes:

  • Created a Task in Task Scheduler with:

    • “Run whether user is logged on or not” (this stores the account's password with the task, which is why a PIN is not accepted; the credential file must also have been exported by this same account because DPAPI binds it to that user)

    • “Run with highest privileges” (reading the Security log needs an elevated token, or the account must be a member of the Event Log Readers group)

    • Scheduled to repeat every 5 minutes indefinitely

  • Set the execution policy to Bypass for this one process so the unsigned script runs without prompting (this only skips the script-signing check for that invocation; the execution policy is not a security boundary and nothing is changed system-wide):

```powershell
powershell.exe -ExecutionPolicy Bypass -File "C:\Path\To\Script.ps1"
```
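The same task created from PowerShell instead of the GUI, so the settings above are reproducible. This is an added example, not part of the project: the script path and task name are placeholders, and the account is prompted for rather than hardcoded. It uses the built-in ScheduledTasks module cmdlets; on Windows 10 and later, omitting a repetition duration on the trigger means "repeat indefinitely".

```powershell
# Register-FailedLogonMonitor.ps1 (added example; placeholders in the parameters)
param(
    [string]$ScriptPath = 'C:\Path\To\Script.ps1',    # assumed location of the monitor script
    [string]$TaskName   = 'Monitor-FailedLogons'      # assumed task name
)

$ErrorActionPreference = 'Stop'

# The task account must be able to read the Security log (local administrator,
# or a member of "Event Log Readers"). Prompt for its password instead of
# embedding it; Task Scheduler keeps it for the "run whether logged on or not" logon.
$runAs = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" -Message 'Account the task runs as'

# Equivalent of the command line shown above, with -NoProfile/-NonInteractive
# added so nothing in a user profile or a prompt can stall the background run.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Start now, then every 5 minutes with no end date.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)

# Never stack overlapping runs; kill a hung run long before the next interval;
# catch up if the machine was asleep when a run was due.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 2) -StartWhenAvailable

# -User/-Password = "Run whether user is logged on or not";
# -RunLevel Highest = "Run with highest privileges".
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -RunLevel Highest `
    -User $runAs.UserName -Password $runAs.GetNetworkCredential().Password -Force | Out-Null

# Verify what was registered: the principal should show LogonType Password and RunLevel Highest.
$task = Get-ScheduledTask -TaskName $TaskName
$task | Select-Object TaskName, State
$task.Principal | Select-Object UserId, LogonType, RunLevel
```

After registering, `Start-ScheduledTask -TaskName Monitor-FailedLogons` followed by `Get-ScheduledTaskInfo -TaskName Monitor-FailedLogons` shows the last run time and result code; a `LastTaskResult` of 0 means the script exited cleanly, and anything else is the first place to look when no mail arrives.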

				
			

❗ Challenges I Faced

  • Task Scheduler doesn’t accept PINs — I had to use my Microsoft account password

  • Windows wouldn’t allow me to reset my user password (System error 8646) because the account was tied to Microsoft

  • Couldn’t use my Microsoft email (@outlook.com) directly in Task Scheduler — had to use the local alias

  • SMTP errors (Send-MailMessage: Unable to connect to remote server) required Gmail App Passwords and secure connection setup


 

What I Learned from this project

  • Deepened my understanding of Windows log architecture

  • Built secure, automated alerting workflows using PowerShell

  • Learned the difference between local vs Microsoft accounts in system contexts

  • Understood secure credential handling for scripting environments