Managed Sentinel – Alert 079

Alert ID: MS-A079

Alert Name: Potential brute force attack against an IIS Web Server

Description: Identifies when 100 or more failed attempts by a given user occur within 10 minutes on the IIS server. This could be indicative of attempted brute force based on known account information. It could also simply indicate a misconfigured service or device.

References:
- IIS status code mapping - https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0
- Win32 status code mapping - https://msdn.microsoft.com/en-us/library/cc231199.aspx

Severity Level: Medium

Threat Indicator: Credential Access

MITRE ATT&CK Tactics: Credential Access

Log sources: Web Traffic

False Positive: robots

Recommendations:
1. Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out.
2. Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
3. If a public-facing web site is experiencing this type of attack, try to block inbound traffic based on the source IP address(es) initiating the attack.
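The following is an added illustration of the detection logic described above, not Managed Sentinel's own query. It assumes IIS W3C extended log lines with a `#Fields:` header, that a failed attempt is a 401 response, and that the account is taken from the `cs-username` column; the log excerpt is constructed, with 120 failed requests for one user inside a four-minute span, a handful for another, and one success. The threshold and window default to the alert's 100 attempts in 10 minutes but are parameters, so the same function can be run with a lower threshold when tuning for the robots false positive.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed W3C #Fields header matching the sample lines below (not real data).
FIELDS_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-username "
                 "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status")


def make_sample_log():
    """Build a constructed IIS log: 120 failed (401) requests for 'alice' in
    four minutes, five spread-out failures for 'bob', and one success."""
    lines = ["#Software: Microsoft Internet Information Services 10.0", FIELDS_HEADER]
    base = datetime(2023, 1, 1, 12, 0, 0)  # constructed timestamp
    for i in range(120):
        t = base + timedelta(seconds=2 * i)  # 120 attempts over 238 seconds
        lines.append(f"{t:%Y-%m-%d} {t:%H:%M:%S} 10.0.0.5 GET /secure/ alice "
                     f"203.0.113.7 Mozilla/5.0 401 1 1326")
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t:%Y-%m-%d} {t:%H:%M:%S} 10.0.0.5 GET /secure/ bob "
                     f"198.51.100.9 Mozilla/5.0 401 1 1326")
    lines.append(f"{base:%Y-%m-%d} {base:%H:%M:%S} 10.0.0.5 GET /secure/ alice "
                 f"203.0.113.7 Mozilla/5.0 200 0 0")
    return lines


def parse_iis_log(lines):
    """Yield one dict per request line, mapping columns by the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may be repeated when IIS restarts
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        yield dict(zip(fields, values))


def find_brute_force(lines, threshold=100, window=timedelta(minutes=10)):
    """Return {username: peak_count} for users whose 401 responses reach
    `threshold` inside any sliding window of length `window`."""
    attempts = defaultdict(list)
    for rec in parse_iis_log(lines):
        if rec["sc-status"] != "401" or rec["cs-username"] == "-":
            continue  # only failed, attributed authentication attempts count
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        attempts[rec["cs-username"]].append(ts)

    hits = {}
    for user, stamps in attempts.items():
        stamps.sort()          # log lines are not guaranteed to be in time order
        recent = deque()
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:   # drop attempts older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits[user] = peak
    return hits


if __name__ == "__main__":
    for user, count in find_brute_force(make_sample_log()).items():
        print(f"ALERT MS-A079: {user} had {count} failed attempts within 10 minutes")
```

Running the script reports only `alice`; `bob` stays under the threshold, which is what the 100-in-10-minutes rule is meant to do for ordinary mistyped passwords. For triage of the robots false positive, the `cs(User-Agent)` and `c-ip` columns are already in each parsed record and can be summarised for a flagged user before deciding on the IP block in recommendation 3.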