-
Notifications
You must be signed in to change notification settings - Fork 0
Investigate TotalFailedLogins
phbits edited this page Mar 8, 2021
·
3 revisions
When the TotalFailedLogins threshold has been met or exceeded, it can be an indicator of distributed brute force or distributed password spraying. The first step is to identify the IP addresses involved and their failed login count.
Depending on how thresholds are set, a single client IP address could also trigger this threshold creating a false-positive. Be sure to investigate before building automation around this setting.
Suppose the following was identified by WebsiteFailedLogins.
TotalFailedLogins = 100
Sitename = W3SVC2
IISLogPath = D:\inetpub\logs\LogFiles\W3SVC2
Authentication = Windows
HttpResponse = 401
Start = 2019-01-01T18:30:00Z
End~ = 2019-01-01T19:00:10Z- Update the following Logparser query with settings from the alert based on the authentication being used. Save it as
PerIPFailedLogins.sql.
-- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM 'D:\inetpub\logs\LogFiles\W3SVC2\*'
WHERE s-sitename LIKE 'W3SVC2'
AND sc-status = 401
AND TO_TIMESTAMP(date,time)
BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql ---- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM D:\inetpub\logs\LogFiles\W3SVC2\*
WHERE s-sitename LIKE 'W3SVC2'
AND sc-status = 401
AND cs-uri-stem LIKE '/login.aspx'
AND cs-method LIKE 'POST'
AND TO_TIMESTAMP(date,time)
BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql --- Run the query using the following command. The Logparser Datagrid window will pop up with the results.
logparser.exe -recurse:-1 -i:IISW3C file:PerIPFailedLogins.sql
- Having identified the involved IP addresses, use the technique described in Investigating FailedLoginsPerIP to further research each IP address.