-
Notifications
You must be signed in to change notification settings - Fork 0
Investigate TotalFailedLogins
phbits edited this page Mar 10, 2021
·
3 revisions
When the TotalFailedLogins threshold has been met or exceeded, it can be an indicator of distributed brute force or distributed password spraying. The first step is to identify the IP addresses involved and their failed login count.
Depending on how thresholds are set, a single client IP address could also trigger this threshold creating a false-positive. For this reason, a hashtable called ClientIpList is included with the results. It includes IP addresses exceeding 20% of the threshold as they should be the major contributors to tripping this threshold. It also prevents having a lengthy list of IP addresses with just a single failed login.
Suppose the following was identified by WebsiteFailedLogins.
TotalFailedLogins = 100
Sitename = W3SVC2
IISLogPath = D:\inetpub\logs\LogFiles\W3SVC2
Authentication = Windows
HttpResponse = 401
Start = 2019-01-01T18:30:00Z
End~ = 2019-01-01T19:00:10Z- Update the following Logparser query with settings from the alert based on the authentication being used. Save it as
PerIPFailedLogins.sql.
-- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM 'D:\inetpub\logs\LogFiles\W3SVC2\*'
WHERE s-sitename LIKE 'W3SVC2'
AND sc-status = 401
AND TO_TIMESTAMP(date,time)
BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql ---- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM D:\inetpub\logs\LogFiles\W3SVC2\*
WHERE s-sitename LIKE 'W3SVC2'
AND sc-status = 401
AND cs-uri-stem LIKE '/login.aspx'
AND cs-method LIKE 'POST'
AND TO_TIMESTAMP(date,time)
BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql --- Run the query using the following command. The Logparser Datagrid window will pop up with the results.
logparser.exe -recurse:-1 -i:IISW3C file:PerIPFailedLogins.sql
- Having identified the involved IP addresses, use the technique described in Investigating FailedLoginsPerIP to further research each IP address.