WebsiteFailedLogins

2.0

WebsiteFailedLogins.psd1

                                 @{

RootModule = 'WebsiteFailedLogins.psm1'

ModuleVersion = '2.0'

GUID = '12e3c270-ef13-42bb-bea3-40b8cf44a49f'

Author = 'phbits'

CompanyName = 'phbits'

Description = @'

This PowerShell module was created to identify the following scenarios affecting IIS hosted websites.

1. Brute Force Login Attempts - excessive failed logins from a single IP address and often targeting a single account.

2. Password Spraying Attempts - excessive failed logins from a single IP address using a single password across multiple user accounts.

3. Distributed Login Attempts - either of the above techniques being sourced from multiple IP addresses.

It leverages Microsoft Logparser and a configuration file to parse the target website's IIS logs. When a threshold is met or exceeded an alert is generated via standard out, email, and/or written to a Windows Event Log. No changes are needed on the webserver. This module can even run on a separate system where there's access to the IIS logs.

Checkout the wiki for details: https://github.com/phbits/WebsiteFailedLogins/wiki

'@

NestedModules = @(

                    'Resources\WebsiteFailedLogins.alert.psm1',

                    'Resources\WebsiteFailedLogins.config.psm1',

                    'Resources\WebsiteFailedLogins.logins.psm1',

                    'Resources\WebsiteFailedLogins.lp.psm1'

                )

FunctionsToExport = @(

                        'Invoke-WebsiteFailedLogins',

                        'Get-WebsiteFailedLoginsReadme',

                        'Copy-WebsiteFailedLoginsReadme',

                        'Get-WebsiteFailedLoginsDefaultConfiguration',

                        'Copy-WebsiteFailedLoginsDefaultConfiguration'

                    )

FileList = @(

                'LICENSE',

                'README.md',

                'WebsiteFailedLogins.psd1',

                'WebsiteFailedLogins.psm1',

                'Resources\WebsiteFailedLogins_default.ini',

                'Resources\WebsiteFailedLogins.alert.psm1',

                'Resources\WebsiteFailedLogins.config.psm1',

                'Resources\WebsiteFailedLogins.logins.psm1',

                'Resources\WebsiteFailedLogins.lp.psm1'

            )

PrivateData = @{

    PSData = @{

        Tags = 'IIS','Logparser','W3SVC','Logs','FailedLogin','BruteForce','PasswordSpray','Detection','IDS'

        ProjectUri = 'https://github.com/phbits/WebsiteFailedLogins'

        LicenseUri = 'https://github.com/phbits/WebsiteFailedLogins/blob/main/LICENSE'

        ReleaseNotes = @'

## [2.0.0.0] - 2021-03-13

### Added

- WinEvent and Smtp alert data can now be formatted in text, json, or xml.

- FriendlyName setting available in configuration ini to better describe website.

- Added configuration validation checks.

- Detailed documentation at: https://github.com/phbits/WebsiteFailedLogins/wiki

### Changed

- Performs just one Logparser query when launching Invoke-WebsiteFailedLogins.

- Returned data is a hashtable object.

- Placed related functions into separate module files.

- Improved configuration validation.

- Improved Alert logic.

- System.Diagnostics.Process wrapper runs Logparser script.

- Standardized all timestamps to UTC.

- Updated function documentation and README.

### Removed

- Usage of global variables for sharing configuration settings.

## [1.0.0.0] - 2019-01-30

### Changed

- Initial release

    - Tested on Windows Server 2016

'@

    } # End of PSData hashtable

} # End of PrivateData hashtable

HelpInfoURI = 'https://github.com/phbits/WebsiteFailedLogins/wiki'

}