Detecting brute force logins & password spraying

  • Question

  • User1498112871 posted

    What programs/scripts/techniques/etc. are used to detect the following on an IIS website?

    1. Brute Force Logins
    2. Password Spraying
    3. The above techniques from distributed IP addresses

    SIEM and Enterprise log management platforms have this ability. However, many cannot tap into this upper echelon technology. I'd like this thread to be a resource for those looking to protect their website from these techniques.

    Full disclosure, I built a PowerShell module to specifically address this as I wasn't able to find a suitable solution. Hopefully, folks will chime in with their own solutions. I'll respond later with details about the solution I built.

    Thursday, March 25, 2021 7:41 PM

Answers

  • User1065476709 posted

    Hi phbits,

    phbits

    What programs/scripts/techniques/etc. are used to detect the following on an IIS website?

    1. Brute Force Logins
    2. Password Spraying
    3. The above techniques from distributed IP addresses

    WebsiteFailedLogins is a PowerShell module available on GitHub and PowerShell Gallery which addresses these concerns.

    The README has detailed information though here's a brief overview:

    • Only requires access to the IIS logs and can run from an entirely different system. No changes are needed to IIS.
    • Uses Microsoft Logparser to parse the IIS logs (required prerequisite).
    • Identifies failed logins based on the HTTP response code.
    • Configured via an .INI file allowing different configurations for each website.
    • Alerts generated via: Standard Out, Email, and/or Event Log
    • Automated via Scheduled Tasks

    Best regards,

    Sam

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, March 26, 2021 1:57 AM
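
The approach the answer outlines, identifying failed logins in IIS logs by HTTP response code, can be sketched as follows. This is an added example, not code from the WebsiteFailedLogins module: it reads W3C log lines directly instead of using Logparser, and the function name, the 401 status, the thresholds and the sample log are all assumptions made for illustration.

```powershell
# Constructed sample in IIS W3C extended log format (documentation-range IPs, not real traffic).
$sample = @'
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-25 19:00:01 POST /login 203.0.113.10 401
2021-03-25 19:00:02 POST /login 203.0.113.10 401
2021-03-25 19:00:03 POST /login 203.0.113.10 401
2021-03-25 19:00:04 POST /login 203.0.113.10 401
2021-03-25 19:00:05 POST /login 203.0.113.10 401
2021-03-25 19:00:06 POST /login 203.0.113.10 401
2021-03-25 19:01:00 POST /login 198.51.100.1 401
2021-03-25 19:01:30 POST /login 198.51.100.2 401
2021-03-25 19:02:00 POST /login 198.51.100.3 401
2021-03-25 19:02:30 POST /login 198.51.100.4 401
2021-03-25 19:03:00 GET /default.aspx 192.0.2.7 200
'@ -split '\r?\n'

function Get-FailedLoginSummary {   # hypothetical helper name
    param(
        [string[]]$Line,
        [int]$FailedStatus = 401,   # assumption: this site answers a failed login with 401
        [int]$PerIpThreshold = 5,   # hypothetical: failures from one IP in the log window
        [int]$TotalThreshold = 10,  # hypothetical: failures site-wide in the log window
        [int]$MinDistinctIp = 5     # hypothetical: sources needed to call it distributed
    )
    $ipIdx = $statusIdx = -1
    $failedIps = @(foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # IIS can write a new #Fields header mid-file, so re-resolve the columns each time.
            $fields = @(($l -replace '^#Fields:\s*').Trim() -split '\s+')
            $ipIdx = [array]::IndexOf($fields, 'c-ip')
            $statusIdx = [array]::IndexOf($fields, 'sc-status')
            continue
        }
        if ($l.StartsWith('#') -or $ipIdx -lt 0 -or $statusIdx -lt 0) { continue }
        $v = $l.Trim() -split ' '
        # Skip truncated or malformed rows; keep the client IP of each failed login.
        if ($v.Count -eq $fields.Count -and $v[$statusIdx] -eq "$FailedStatus") { $v[$ipIdx] }
    })
    $byIp = @($failedIps | Group-Object)
    [pscustomobject]@{
        TotalFailed   = $failedIps.Count
        DistinctIps   = $byIp.Count
        # One source over the per-IP threshold: brute force or spraying from a single address.
        PerIpAlerts   = @($byIp | Where-Object { $_.Count -ge $PerIpThreshold } | ForEach-Object { $_.Name })
        # Many sources, each possibly under the per-IP threshold: distributed attempts.
        SiteWideAlert = ($failedIps.Count -ge $TotalThreshold) -and ($byIp.Count -ge $MinDistinctIp)
    }
}

Get-FailedLoginSummary -Line $sample
```

The site-wide count is what catches item 3 in the question: each of the `198.51.100.x` sources stays below the per-IP threshold, so only the total across distinct addresses exposes them.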