phbits edited this page Mar 10, 2021 · 12 revisions

Welcome to the WebsiteFailedLogins wiki! Here you'll find more detailed information and content not included in README.md.

Module Description

This PowerShell module was created to identify the following scenarios affecting IIS hosted websites.

  1. Brute Force Login Attempts - excessive failed logins from a single IP address and often targeting a single account.
  2. Password Spraying Attempts - excessive failed logins from a single IP address using a single password across multiple user accounts.
  3. Distributed Login Attempts - either of the above techniques being sourced from multiple IP addresses.

It leverages Microsoft Logparser and a configuration file to parse the target website's IIS logs. When a threshold is met or exceeded, an alert is generated on standard out, sent by email, and/or written to a Windows Event Log. No changes are needed on the web server; the module can even run on a separate system that has access to the IIS logs.
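The three scenarios above as a threshold check over a few constructed IIS W3C log lines. This is an added example, not the module's own code: it assumes a failed login is a POST to /login answered with HTTP 401 and that the attempted account is in cs-username (true for Basic/Windows auth), values the real module would take from its configuration file and query with Logparser instead of parsing in PowerShell.

```powershell
# Added example, not the module's own code. Assumptions: a failed login is a
# POST to /login answered with 401, and the account is in cs-username.
$Threshold = 3   # failures per IP or per account in the window (constructed)
$IisLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-10 08:00:01 10.0.0.5 POST /login - 443 alice 203.0.113.10 Mozilla/5.0 - 401 0 0 12
2021-03-10 08:00:02 10.0.0.5 POST /login - 443 alice 203.0.113.10 Mozilla/5.0 - 401 0 0 11
2021-03-10 08:00:03 10.0.0.5 POST /login - 443 alice 203.0.113.10 Mozilla/5.0 - 401 0 0 10
2021-03-10 08:00:04 10.0.0.5 POST /login - 443 bob 203.0.113.20 curl/7.64 - 401 0 0 9
2021-03-10 08:00:05 10.0.0.5 POST /login - 443 carol 203.0.113.20 curl/7.64 - 401 0 0 9
2021-03-10 08:00:06 10.0.0.5 POST /login - 443 erin 203.0.113.20 curl/7.64 - 401 0 0 8
2021-03-10 08:00:07 10.0.0.5 POST /login - 443 dave 198.51.100.1 Mozilla/5.0 - 401 0 0 8
2021-03-10 08:00:08 10.0.0.5 POST /login - 443 dave 198.51.100.2 Mozilla/5.0 - 401 0 0 7
2021-03-10 08:00:09 10.0.0.5 POST /login - 443 dave 198.51.100.3 Mozilla/5.0 - 401 0 0 7
2021-03-10 08:00:10 10.0.0.5 POST /login - 443 alice 192.0.2.7 Mozilla/5.0 - 200 0 0 15
'@
# Parse the W3C header so column names come from the log itself
$lines   = $IisLog -split "`r?`n"
$header  = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
$fields  = ($header -replace '^#Fields:\s*') -split '\s+'
$entries = foreach ($line in $lines) {
    if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
    $row = [ordered]@{}; $values = $line -split '\s+'
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    [pscustomobject]$row
}
# Keep only the requests matching the assumed failed-login signature
$failed = $entries | Where-Object {
    $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -eq '/login' -and $_.'sc-status' -eq '401'
}
$alerts = [System.Collections.Generic.List[string]]::new()
# Scenarios 1 and 2: one source IP at or over the threshold; a single target
# account means brute force, several target accounts means password spraying
foreach ($g in ($failed | Group-Object 'c-ip' | Where-Object Count -ge $Threshold)) {
    $accounts = @($g.Group.'cs-username' | Sort-Object -Unique)
    if ($accounts.Count -eq 1) { $alerts.Add("BruteForce: $($g.Name) -> '$($accounts[0])' x$($g.Count)") }
    else { $alerts.Add("PasswordSpray: $($g.Name) -> $($accounts.Count) accounts x$($g.Count)") }
}
# Scenario 3: one account at or over the threshold with the failures spread
# over several source IPs
foreach ($g in ($failed | Group-Object 'cs-username' | Where-Object Count -ge $Threshold)) {
    $ips = @($g.Group.'c-ip' | Sort-Object -Unique)
    if ($ips.Count -gt 1) { $alerts.Add("Distributed: '$($g.Name)' from $($ips.Count) IPs x$($g.Count)") }
}
$alerts   # each line is what would go to standard out, SMTP, or the Event Log
```

Run as written, the sample produces one alert per scenario (brute force from 203.0.113.10, spraying from 203.0.113.20, distributed against dave); the successful 200 from 192.0.2.7 is filtered out before counting.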

To be clear, this module serves as an Intrusion Detection System (IDS) in that it only alerts when failed login attempts are found. For how to act on an alert, see: Taking Action.

WebsiteFailedLogins will not work on websites/applications using a Single Sign-On (SSO) provider. This is because authentication happens against the SSO service before the authenticated user is redirected back to the website/application.

Advantages & Disadvantages

The following is a list of advantages and disadvantages when using WebsiteFailedLogins as a detection mechanism.

Advantages

  • No change to the request pipeline (i.e. web server (IIS), load balancer, etc.).
  • Only read access to the IIS logs is required.
  • All components leverage Microsoft technologies.
  • Alert options include writing to the Windows Event Log, SMTP, and standard out, allowing easy integration into any environment.
  • Alert data can be formatted in xml, json, or key/value text.

Disadvantages

  • Not real-time. Due to log drift and task scheduling, the shortest recommended recurrence is 5 minutes.
  • Detection only. Taking action requires customization.
  • Unconventional authentication methods require customization.
  • Not backed by a Machine Learning (ML), Artificial Intelligence (AI), or heuristics engine.