We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

Detecting brute force logins & password sprayingRSS

1 reply

Last post Mar 26, 2021 01:57 AM by samwu

  • Detecting brute force logins & password spraying

    Mar 25, 2021 07:41 PM|phbits|LINK

    What programs/scripts/techniques/etc. are used to detect the following on an IIS website.

    1. Brute Force Logins
    2. Password Spraying
    3. The above techniques from distributed IP addresses

    SIEM and Enterprise log management platforms have this ability. However, many cannot tap into this upper echelon technology. I'd like this thread to be a resource for those looking to protect their website from these techniques.

    Full disclosure, I built a PowerShell module to specifically address this as I wasn't able to find a suitable solution. Hopefully, folks will chime in with their own solutions. I'll respond later with details about the solution I built.

  • Re: Detecting brute force logins & password spraying

    Mar 26, 2021 01:57 AM|samwu|LINK

    Hi phbits,

    phbits

    What programs/scripts/techniques/etc. are used to detect the following on an IIS website.

    1. Brute Force Logins
    2. Password Spraying
    3. The above techniques from distributed IP addresses

    WebsiteFailedLogins is a PowerShell module available on GitHub and PowerShell Gallery which addresses these concerns.

    The README has detailed information though here's a brief overview:

    • Only requires access to the IIS logs and can run from an entirely different system. No changes are needed to IIS.
    • Uses Microsoft Logparser to parse the IIS logs (required prerequisite).
    • Identifies failed logins based on the HTTP response code.
    • Configured via an .INI file allowing different configurations for each website.
    • Alerts generated via: Standard Out, Email, and/or Event Log
    • Automated via Scheduled Tasks

    Best regards,

    Sam

    IIS.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today. Learn more >