Skip to content

Investigate TotalFailedLogins

phbits edited this page Mar 8, 2021 · 3 revisions

When the TotalFailedLogins threshold has been met or exceeded, it can be an indicator of distributed brute force or distributed password spraying. The first step is to identify the IP addresses involved and their failed login count.

Depending on how thresholds are set, a single client IP address could also trigger this threshold creating a false-positive. Be sure to investigate before building automation around this setting.

Alert Raised

Suppose the following was identified by WebsiteFailedLogins.

TotalFailedLogins = 100
Sitename = W3SVC2
IISLogPath = D:\inetpub\logs\LogFiles\W3SVC2
Authentication = Windows
HttpResponse = 401
Start = 2019-01-01T18:30:00Z
End~ = 2019-01-01T19:00:10Z

Identify Involved Client IP(s)

  1. Update the following Logparser query with settings from the alert based on the authentication being used. Save it as PerIPFailedLogins.sql.
Windows or Basic Authentication
-- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM 'D:\inetpub\logs\LogFiles\W3SVC2\*'
WHERE s-sitename LIKE 'W3SVC2'
	AND sc-status = 401
	AND TO_TIMESTAMP(date,time)
		BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
		AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql --
Forms Authentication
-- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM D:\inetpub\logs\LogFiles\W3SVC2\*
WHERE s-sitename LIKE 'W3SVC2'
	AND sc-status = 401
	AND cs-uri-stem LIKE '/login.aspx'
	AND cs-method LIKE 'POST'
	AND TO_TIMESTAMP(date,time)
		BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
		AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql --
  1. Run the query using the following command. The Logparser Datagrid window will pop up with the results.
logparser.exe -recurse:-1 -i:IISW3C file:PerIPFailedLogins.sql
  1. Having identified the involved IP addresses, use the technique described in Investigating FailedLoginsPerIP to further research each IP address.

Clone this wiki locally