Failed logon reporter with a photo
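<#
Failed-logon reporter: polls the Security event log for event 4625 (failed
logon) and mails an alert with the image file from $CamPath attached.

Review notes:
  - Reading the Security log and changing audit policy with auditpol normally
    require an elevated session; run this from one.
  - cred.clixml is loaded with Import-CliXml. If it was written by
    Export-Clixml on Windows, the password is DPAPI-protected and can only be
    decrypted by the same user on the same machine. Keep write access to
    $CamPath restricted so neither the credential file nor the attached image
    can be swapped by another account.
  - The step that writes image.bmp is not visible in this listing; it belongs
    between the directory change and the one-second pause below.
  - The closing braces were missing from the listing and are restored here
    following the apparent structure (audit check, then the polling loop).
#>

$NewFailedLogin = $null
$StartDate = Get-Date
$CamPath = "C:\CommandCam"
$ImagePath = Join-Path $CamPath "image.bmp"

# Mail settings are left blank in the listing; fill them in before use.
$SmtpServer = ""
$From = ""
$to = ""
$Cred = Import-CliXml (Join-Path $CamPath "cred.clixml")

# Make sure failed logons are audited, otherwise event 4625 is never written.
# NOTE(review): the fixed line index [4] and the literal "Failure" depend on
# auditpol's output layout and display language; confirm on the target system.
$CurrentAudit = (auditpol /get /subcategory:"Logon")[4]
if (-not $CurrentAudit.Contains("Failure")) {
    auditpol /set /subcategory:"Logon" /failure:enable
}

while ($true) {
    # Newest failed logon since the last report. Only one event per poll is
    # reported, so a burst of failures produces a single mail.
    $NewFailedLogin = Get-EventLog -LogName security -Newest 1 -After $StartDate -InstanceId 4625

    if ($null -ne $NewFailedLogin) {
        cd $CamPath
        sleep 1

        $Mail = @{
            SmtpServer = $SmtpServer
            Body       = "Failed Logon Detected at " + $NewFailedLogin.TimeGenerated
            From       = $From
            Subject    = "Failed Logon Detected"
            To         = $to
            Credential = $Cred
            Verbose    = $true
            UseSsl     = $true
        }

        # Attach the image only when it exists, so a missing file does not
        # make Send-MailMessage fail and drop the alert itself. The file is
        # whatever is on disk at this moment; it may predate the event if the
        # capture step did not run.
        if (Test-Path -LiteralPath $ImagePath) {
            $Mail.Attachments = $ImagePath
        }

        Send-MailMessage @Mail

        $NewFailedLogin = $null
        # Restarting the window at "now" means failed logons that happened
        # while the mail was being sent are not reported.
        $StartDate = Get-Date
    }

    sleep 5
}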