Skip to content

Investigate TotalFailedLogins

phbits edited this page Mar 8, 2021 · 3 revisions

When the total number of failed logins are unusually high, this can be an indicator of distributed brute force or distributed password spraying. The first step is to identify the IP addresses involved and their failed login count.

Alert Raised

Suppose the following was identified by WebsiteFailedLogins.

TotalFailedLogins = 100
Sitename = W3SVC2
IISLogPath = D:\inetpub\logs\LogFiles\W3SVC2
Authentication = Windows
HttpResponse = 401
Start = 2019-01-01T18:30:00Z
End~ = 2019-01-01T19:00:10Z

Identify Involved Client IP(s)

  1. Update the following Logparser query with settings from the alert based on the authentication being used. Save it as PerIPFailedLogins.sql.
Windows or Basic Authentication
-- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM 'D:\inetpub\logs\LogFiles\W3SVC2\*'
WHERE s-sitename LIKE 'W3SVC2'
	AND sc-status = 401
	AND TO_TIMESTAMP(date,time)
		BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
		AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql --
Forms Authentication
-- Start PerIPFailedLogins.sql --
SELECT DISTINCT c-ip as ClientIP, Count(*) AS FailedLoginCount
INTO DATAGRID
FROM D:\inetpub\logs\LogFiles\W3SVC2\*
WHERE s-sitename LIKE 'W3SVC2'
	AND sc-status = 401
	AND cs-uri-stem LIKE '/login.aspx'
	AND cs-method LIKE 'POST'
	AND TO_TIMESTAMP(date,time)
		BETWEEN TIMESTAMP('2019-01-01 18:30:00', 'yyyy-MM-dd HH:mm:ss')
		AND TIMESTAMP('2019-01-01 19:00:10', 'yyyy-MM-dd HH:mm:ss')
GROUP BY ClientIP
ORDER BY FailedLoginCount DESC
-- End PerIPFailedLogins.sql --
  1. Run the query using the following command. The Logparser Datagrid window should pop up with the results.
logparser.exe -recurse:-1 -i:IISW3C file:PerIPFailedLogins.sql
  1. Having identified the involved IP addresses, use the above technique for 'Per IP Entries' to review requests from each Client IP address.

Clone this wiki locally