<h1>How to find failed login attempts in Windows using PowerShell</h1>
<p>Published 2024-01-18, last modified 2024-03-05. Source: https://www.ninjaone.com/sv/script-hub/hitta-misslyckade-inloggningsforsok-windows/</p>
<p>Keeping IT systems secure is a critical task. Identifying suspicious activity, such as repeated failed login attempts, is an important step in reducing potential threats. The PowerShell script below is a versatile tool that helps IT professionals and service providers <strong>gain insight into failed login events</strong>.</p>
<h2>Background</h2>
<p>Understanding the failed login attempts on a system gives IT administrators important insight: they can detect possible security breaches, monitor user behaviour and maintain system integrity. The PowerShell script provided retrieves this data efficiently from the Security event log. With cyber-security threats on the rise, service providers and IT specialists need an effective, repeatable method for detecting anomalies in user logins, and a script that can be run across many machines is a practical first step.</p>
<h2>Script</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="powershell">#Requires -Version 4.0 -RunAsAdministrator

&lt;#
.SYNOPSIS
    Returns the number of recent failed login attempts.
.DESCRIPTION
    Returns the number of failed login attempts for all users or for a specific user. The count is the number of
    failed logons (event 4625) recorded since the user's last successful logon (event 4624). If a user is specified
    then just a number is returned.
.EXAMPLE
    No parameters needed.
    Returns all users of the local machine with a count of failed login attempts.
Output Example:
UserName  FailedLoginAttempts
--------  -------------------
Fred                        4
Bob                         0
.EXAMPLE
     -UserName "Fred"
    Returns the number of failed login attempts of the user Fred on the local machine.
Output Example:
4
.EXAMPLE
     -ComputerName "FredPC" -UserName "Fred"
    Returns the number of failed login attempts of the user Fred on the computer named FredPC.
Output Example:
4
.EXAMPLE
     -ComputerName "FredPC" -UserName "Fred" -Detailed
    Returns every failed (4625) and successful (4624) logon event of the user Fred on the computer named FredPC,
    with the details of each event.
Output Example:

TimeGenerated    : 10/18/2019 7:52:43 AM
EventID          : 4625
Category         : 12544
Username         : Fred
Domain           : FredPC
UserSID          : S-1-0-0
Workstation      : -
SourceIP         : -
Port             : -
LogonType        : Interactive
FailureStatus    : Incorrect username or password
FailureSubStatus : Incorrect password
.EXAMPLE
    PS C:&gt; Monitor-Failed-Password-Attempts.ps1 -ComputerName "FredPC" -UserName "Fred"
    Returns the number of failed login attempts of the user Fred on the computer named FredPC.
Output Example:
4
.OUTPUTS
    System.Int32 Number of failed login attempts.
.OUTPUTS
    PSCustomObject List of user names and a count of failed login attempts.
.NOTES
    Minimum OS Architecture Supported: Windows 7, Windows Server 2012
    Requires Windows PowerShell 4.0 or later (the -RunAsAdministrator requirement is not understood by PowerShell 3.0,
    and Get-EventLog does not exist in PowerShell 6+).
    Events 4624 and 4625 are only written when success/failure auditing for the "Logon" subcategory is enabled.
    If ComputerName is specified, then be sure that the computer that this script is running on has network access
    and permissions to read the Security log on the remote computer.
    Release Notes:
    Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided "as is" and "as available", without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    ManageUsers
#&gt;

param (
    # The name of a remote computer to get event logs for failed logins
    [Parameter(Mandatory = $false)]
    [String]
    $ComputerName = [System.Net.Dns]::GetHostName(),
    # A username (case-insensitive; -like wildcards such as "fr*" are accepted)
    [Parameter(Mandatory = $false)]
    [String]
    $UserName,
    # Returns all relevant events, sorted by TimeGenerated
    [Switch]
    $Detailed
)

# Support functions
# Translates an NTSTATUS code from the Status or SubStatus field of a 4625 event into a readable reason
function Get-FailureReason {
    Param($FailureReason)
    switch ($FailureReason) {
        '0xC000005E' { "No logon servers available"; break; }
        '0xC0000064' { "Account does not exist"; break; }
        '0xC000006A' { "Incorrect password"; break; }
        '0xC000006D' { "Incorrect username or password"; break; }
        '0xC000006E' { "Account restriction"; break; }
        '0xC000006F' { "Invalid logon hours"; break; }
        '0xC0000070' { "Invalid workstation"; break; }
        '0xC0000071' { "Password expired"; break; }
        '0xC0000072' { "Account disabled"; break; }
        '0xC0000133' { "Time difference at DC"; break; }
        '0xC000015B' { "Logon type not granted"; break; }
        '0xC0000193' { "Account expired"; break; }
        '0xC0000224' { "Password must change"; break; }
        '0xC0000234' { "Account locked out"; break; }
        '0xC0000413' { "Authentication firewall"; break; }
        '0x0' { "None"; break; }
        default { "Other ($FailureReason)"; break; }
    }
}
# Translates the numeric logon type of a 4624/4625 event into its name
function Get-LogonType {
    Param($LogonType)
    switch ($LogonType) {
        '0' { 'System'; break; }
        '2' { 'Interactive'; break; }
        '3' { 'Network'; break; }
        '4' { 'Batch'; break; }
        '5' { 'Service'; break; }
        '6' { 'Proxy'; break; }
        '7' { 'Unlock'; break; }
        '8' { 'NetworkCleartext'; break; }
        '9' { 'NewCredentials'; break; }
        '10' { 'RemoteInteractive'; break; }
        '11' { 'CachedInteractive'; break; }
        '12' { 'CachedRemoteInteractive'; break; }
        '13' { 'CachedUnlock'; break; }
        Default { "Unknown ($LogonType)" }
    }
}

# ReplacementStrings holds the event's data fields in template order, so the indexes below are
# specific to each event ID (4625 and 4624 have different templates).
# Reading the whole Security log can be slow on busy hosts; add -After (Get-Date).AddDays(-7) to limit it.
$Events = Get-EventLog -ComputerName $ComputerName -LogName 'Security' -InstanceId 4625, 4624 | Sort-Object -Property TimeGenerated | ForEach-Object {
    if ($_.InstanceId -eq 4625) {
        $_ | Select-Object -Property @(
            @{Label = 'TimeGenerated'; Expression = { $_.TimeGenerated } },
            @{Label = 'EventID'; Expression = { $_.InstanceId } },
            @{Label = 'Category'; Expression = { $_.CategoryNumber } },
            # [5] TargetUserName, [6] TargetDomainName, [4] TargetUserSid
            @{Label = 'Username'; Expression = { $_.ReplacementStrings[5] } },
            @{Label = 'Domain'; Expression = { $_.ReplacementStrings[6] } },
            @{Label = 'UserSID'; Expression = { $_.ReplacementStrings[4] } },
            # [13] WorkstationName, [19] IpAddress, [20] IpPort
            @{Label = 'Workstation'; Expression = { $_.ReplacementStrings[13] } },
            @{Label = 'SourceIP'; Expression = { $_.ReplacementStrings[19] } },
            @{Label = 'Port'; Expression = { $_.ReplacementStrings[20] } },
            # [10] LogonType ([8] is the FailureReason message id, not the logon type)
            @{Label = 'LogonType'; Expression = { Get-LogonType($_.ReplacementStrings[10]) } },
            # [7] Status, [9] SubStatus
            @{Label = 'FailureStatus'; Expression = { Get-FailureReason($_.ReplacementStrings[7]) } },
            @{Label = 'FailureSubStatus'; Expression = { Get-FailureReason($_.ReplacementStrings[9]) } }
        )
    }
    elseif ($_.InstanceId -eq 4624 -and (Get-LogonType($_.ReplacementStrings[8])) -notlike 'Service') {
        $_ | Select-Object -Property @(
            @{Label = 'TimeGenerated'; Expression = { $_.TimeGenerated } },
            @{Label = 'EventID'; Expression = { $_.InstanceId } },
            @{Label = 'Category'; Expression = { $_.CategoryNumber } },
            # [5] TargetUserName, [6] TargetDomainName, [4] TargetUserSid
            @{Label = 'Username'; Expression = { $_.ReplacementStrings[5] } },
            @{Label = 'Domain'; Expression = { $_.ReplacementStrings[6] } },
            @{Label = 'UserSID'; Expression = { $_.ReplacementStrings[4] } },
            # [11] WorkstationName, [18] IpAddress, [19] IpPort
            @{Label = 'Workstation'; Expression = { $_.ReplacementStrings[11] } },
            @{Label = 'SourceIP'; Expression = { $_.ReplacementStrings[18] } },
            @{Label = 'Port'; Expression = { $_.ReplacementStrings[19] } },
            # [8] LogonType, [7] TargetLogonId, [9] LogonProcessName
            @{Label = 'LogonType'; Expression = { Get-LogonType($_.ReplacementStrings[8]) } },
            @{Label = 'LogonID'; Expression = { $_.ReplacementStrings[7] } },
            @{Label = 'LogonProcess'; Expression = { $_.ReplacementStrings[9].Trim() } }
        )
    }
}

if ($Detailed) {
    if ($UserName) {
        $Events | Where-Object {
            $_.Username -like $UserName
        }
    }
    else {
        # Hide the window manager, font driver and SYSTEM logons that every machine generates
        $Events | Where-Object {
            $_.Username -notlike "DWM*" -and
            $_.Username -notlike "UMFD*" -and
            $_.Username -notlike "SYSTEM"
        }
    }
}
else {
    $UserNames = if ($UserName) {
        ($Events | Select-Object -Property Username -Unique).Username | Where-Object {
            $_ -like "$UserName"
        }
    }
    else {
        ($Events | Select-Object -Property Username -Unique).Username | Where-Object {
            $_ -notlike "DWM*" -and
            $_ -notlike "UMFD*" -and
            $_ -notlike "SYSTEM"
        }
    }
    
    $UserNames | ForEach-Object {
        $CurrentUserName = $_
        $FailedLoginCount = 0
        # Events are in time order: count 4625s and start over at each 4624, so the result is the
        # number of consecutive failures since the user's last successful logon
        for ($i = 0; $i -lt $Events.Count; $i++) {
            if ($Events[$i].EventID -eq 4625 -and $Events[$i].Username -like $CurrentUserName) {
                $FailedLoginCount++
            }
            elseif ($Events[$i].EventID -eq 4624 -and $Events[$i].Username -like $CurrentUserName) {
                $FailedLoginCount = 0
            }
        }
        if ($UserName) {
            # If a UserName was specified, then return only the failed login count
            $FailedLoginCount
        }
        else {
            # If no UserName was specified, then return the user name and failed login count
            [PSCustomObject]@{
                UserName            = $CurrentUserName
                FailedLoginAttempts = $FailedLoginCount
            }
        }
    }
}</pre>
<h2>Detailed breakdown of the script</h2>
<p>The script reads the Security event log of a given computer and targets the two event IDs that represent failed and successful logon attempts: 4625 (an account failed to log on) and 4624 (an account was successfully logged on).</p>
<ul>
<li><strong>Parameters</strong>: The script starts by defining the parameters <strong>ComputerName</strong>, <strong>UserName</strong> and <strong>Detailed</strong>. These let the user choose the machine, the account and the level of detail of the login attempts.</li>
<li><strong>Functions</strong>: Two functions, <strong>Get-FailureReason</strong> and <strong>Get-LogonType</strong>, turn coded values from the event data into readable text. Get-FailureReason maps the NTSTATUS codes carried in the Status and SubStatus fields of a 4625 event (for a wrong password, Status is 0xC000006D and SubStatus is 0xC000006A); Get-LogonType maps the numeric logon type (2 interactive, 3 network, 10 remote desktop, and so on).</li>
<li><strong>Retrieving events</strong>: The script then fetches the events with Get-EventLog, keeps only 4624 and 4625, and sorts them by TimeGenerated. Fields are picked by position from ReplacementStrings, the event's data fields in template order, so the indexes differ between the two event IDs. Service logons (logon type 5) are dropped from the 4624 set, and the all-users views hide the DWM, UMFD and SYSTEM accounts that every Windows machine logs constantly.</li>
<li><strong>Processing</strong>: If detailed data is requested, the script returns every matching event; otherwise it produces a per-user count. The count is not the total number of failures in the log: each 4624 for that user resets it to zero, so the value is the number of consecutive failures since the user's last successful logon. A user who failed four times and then logged in shows 0; use -Detailed to see the history.</li>
</ul>
<h2>Potential use cases</h2>
<p>Imagine an IT administrator at a mid-sized company. The IT department has recently noticed a rise in failed login attempts, particularly outside working hours. Using the script, the administrator can quickly check which users have failed to log in and how often. On finding that a single user account had several failed attempts in a short period, they could conclude that the account may have been targeted, and the source IP and workstation in the detailed output tell them where the attempts came from. In this way the script contributes to early detection and a fast response.</p>
<h2>Alternative approach</h2>
<p>There are several ways to track failed login attempts. With Windows' built-in security auditing you can, for example, view the Security log in Event Viewer, filtering on event ID 4625. That method is straightforward but time-consuming, and it does not scale to more than a handful of machines. The PowerShell script streamlines the process and offers a more purposeful and adaptable solution that can be scheduled or run from an RMM tool.</p>
<h2>Frequently asked questions</h2>
<ul>
<li>How does the script identify a failed login event?<br />
The script looks for specific event IDs in the Security log: 4625 for failed logons, and 4624 for successful logons, which it uses to reset the per-user count.</li>
<li>Can I retrieve data from a remote machine?<br />
Yes. By specifying the <strong>ComputerName</strong> parameter you can read the data from a remote computer, provided the account running the script can read that computer's Security log over the network.</li>
<li>Why does a user show 0 failed attempts even though I know the account was attacked?<br />
The summary counts failures since the last successful logon. Run the script with <strong>-Detailed</strong> to list every 4625 and 4624 event for the account.</li>
<li>Does the script run under PowerShell 7?<br />
No. It relies on Get-EventLog, which is only available in Windows PowerShell (up to 5.1); run it from Windows PowerShell, or port it to Get-WinEvent.</li>
</ul>
<h2>Implications</h2>
<p>By understanding the number of failed login attempts, IT administrators can head off potential security breaches. Anomalies in login patterns are often an early sign of malicious activity, whether a brute-force attack on one account or a password spray that tries a few passwords against many accounts. By acting on this data, professionals can strengthen their systems against potential threats.</p>
<h2>Recommendations</h2>
<ul>
<li>Make sure you have the necessary permissions to read the Security event log, and that failure auditing for the Logon subcategory is enabled on the machine (check the effective policy with auditpol); without it, no 4625 events are written and the script will report zero failures.</li>
<li>Remember that failed logons against domain accounts are also validated on the domain controllers, which record Kerberos pre-authentication failures (4771) and NTLM validation failures (4776). A workstation-only view can miss a spray against domain accounts, so check the domain controllers as well.</li>
<li>Run the script regularly, especially on systems that hold sensitive information. The Security log overwrites itself when full, so events that are not collected in time are lost; forwarding the log to a central collector or SIEM avoids this.</li>
<li>Investigate any pattern of failed logins (many failures against one account, or one source address failing against many accounts) and notify the affected users.</li>
</ul>
<h2>Final thoughts</h2>
<p>In a time of ever-increasing cyber threats, tools such as this PowerShell script are indispensable. For a comprehensive security solution, platforms such as NinjaOne can be integrated, providing <a href="https://www.ninjaone.com/sv/endpoint-hantering/fjarrovervakning-och-varningar">real-time monitoring and management</a>. NinjaOne, combined with proactive scripts like the one discussed here, provides an additional layer of protection against cyber threats.</p>
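<p>The breakdown above describes picking 4625 fields by ReplacementStrings position, and the use case describes spotting an account that is being targeted. The block below is an added example, not the NinjaOne script or any code from the original page. It reads the same 4625 events with Get-WinEvent and parses the event XML by field name (TargetUserName, IpAddress, Status, ...), which is immune to the index mistakes that positional access invites, and then runs two detections over a sliding time window: repeated failures against one account (brute force) and one source IP failing against many distinct accounts (password spraying). The function names Get-FailedLogonEvent and Find-LogonAnomaly, the thresholds and the window are choices made for this example, and the events at the bottom are constructed so the detection runs offline; the commented call at the end reads the live Security log instead.</p>

```powershell
# Added example (not the NinjaOne script): parse 4625 events by field name and flag
# brute-force and password-spray patterns. Function names and thresholds are illustrative.

function Get-FailedLogonEvent {
    # Reads failed logons (4625) from the Security log and returns one flat object per event.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # <EventData><Data Name="TargetUserName">alice</Data>...  -> name/value table
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            SourceIP  = $data['IpAddress']
            LogonType = [int]$data['LogonType']
            Status    = $data['Status']
            SubStatus = $data['SubStatus']
        }
    }
}

function Find-LogonAnomaly {
    # Takes objects shaped like Get-FailedLogonEvent output and returns findings.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,
        [int]$BruteForceThreshold = 5,   # failures against one account inside the window
        [int]$SprayThreshold = 5         # distinct accounts hit from one IP inside the window
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    $sorted = @($Events | Sort-Object Time)
    $findings = @()

    # Brute force: per account, slide a window over the failure times and count what falls inside it
    foreach ($group in ($sorted | Group-Object User)) {
        $times = @($group.Group.Time)
        $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while (($times[$i] - $times[$start]) -gt $window) { $start++ }
            $count = $i - $start + 1
            if ($count -ge $BruteForceThreshold) {
                $findings += [PSCustomObject]@{
                    Type  = 'BruteForce'
                    Key   = $group.Name
                    Count = $count
                    From  = $times[$start]
                    To    = $times[$i]
                }
                break   # one finding per account; the detailed event list shows the rest
            }
        }
    }

    # Spray: per source IP, count distinct target accounts inside a window starting at each event
    foreach ($group in ($sorted | Group-Object SourceIP)) {
        if ($group.Name -in @('-', '')) { continue }   # local or unknown source
        $items = @($group.Group)
        for ($i = 0; $i -lt $items.Count; $i++) {
            $end = $items[$i].Time + $window
            $inWindow = @($items | Where-Object { $_.Time -ge $items[$i].Time -and $_.Time -le $end })
            $users = @($inWindow | Select-Object -ExpandProperty User -Unique)
            if ($users.Count -ge $SprayThreshold) {
                $findings += [PSCustomObject]@{
                    Type  = 'PasswordSpray'
                    Key   = $group.Name
                    Count = $users.Count
                    From  = $items[$i].Time
                    To    = $inWindow[-1].Time
                }
                break
            }
        }
    }
    return $findings
}

# Constructed sample (not real log data): six bad passwords against 'alice' from 10.0.0.5 within two
# minutes, then one attempt each against five accounts from 10.0.0.9, all at 02:00 on a weeknight.
$t0 = Get-Date '2024-01-18 02:00:00'
$sample = @()
foreach ($n in 1..6) {
    $sample += [PSCustomObject]@{ Time = $t0.AddSeconds(20 * $n); User = 'alice'; Domain = 'CORP'
        SourceIP = '10.0.0.5'; LogonType = 3; Status = '0xc000006d'; SubStatus = '0xc000006a' }
}
foreach ($u in 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample += [PSCustomObject]@{ Time = $t0.AddMinutes(5).AddSeconds(10 * $sample.Count); User = $u; Domain = 'CORP'
        SourceIP = '10.0.0.9'; LogonType = 3; Status = '0xc000006d'; SubStatus = '0xc000006a' }
}

# Expected: one BruteForce finding for alice (Count 5) and one PasswordSpray finding for 10.0.0.9 (Count 5)
Find-LogonAnomaly -Events $sample | Format-Table -AutoSize

# Against the live machine (administrator rights are needed to read the Security log):
# Find-LogonAnomaly -Events (Get-FailedLogonEvent -Hours 24) | Format-Table -AutoSize
```

<p>The spray check deliberately ignores events whose source address is "-", which is what 4625 carries for local console attempts, so a console user mistyping a password is never reported as a spray. Thresholds should be tuned to the environment: five failures in ten minutes is a reasonable starting point for interactive accounts but will fire on service accounts with stale credentials, which is itself worth knowing.</p>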