Using ForwardedIpAddress in REGEX matches to block authentication attempts

  • Question

  • Hi,

    I've been having a number of account lockouts originating from our ADFS server. I've followed the guidance on setting verbose logging and wrote a very quick and dirty script to parse the log - https://gallery.technet.microsoft.com/scriptcenter/ADFS-3-find-failed-logins-3d3dc5fe 

    On reviewing the logs I can see all the attempts are originating from various IP ranges in China - a brute-force attack across multiple accounts :(

    TimeStamp          : 16/05/2018 11:13:17
    IPaddress            :
    ForwardedIpAddress :
    UserId             : #############
    ActivityID         : 00000000-0000-0000-0000-000000000000
    Server             : http://################/adfs/services/trust
    FailureType        : CredentialValidationError
    AuditType          : FreshCredentials

    I've configured AD FS Extranet Lockout Protection, but they appear to have adjusted the timing of the attempts so as not to trigger it. I then tried Azure AD Conditional Access, but have since found this only applies after Office 365 authentication, so it will not block the attempts of this brute-force attack - only access once they succeed :(

    I then created an Access Control Rule to try and block the IP ranges from the Forwarded IP within the claim.

    This is where I'm having problems. I thought I had a rule which was blocking some attempts, but a recent change didn't stop the most recent attack, so I have simplified the rule for testing and found that a simple rule with only 3 addresses isn't working.

    I've created an Access Control Policy rule to permit everyone except with Forwarded Client IP - REGEX matches 0 and a claim value of||

    Has anyone had any success in using this technique? I do hope so ... I hope to convert all the China IP blocks into a RegEx expression, but there's quite a lot of them!

    Wednesday, May 16, 2018 10:30 AM

All replies

  • Would really appreciate a steer on this, as my work on a RegEx for all China IPs has so far hit a 200,000+ character long expression!

    I've coded up the below to add IPs to the rule, but the hackers simply hop to another address.

    function Get-IPGeolocation {
        param([string]$IPAddress)
        # Country lookup via a public GeoIP web service
        $request = Invoke-RestMethod -Method Get -Uri "http://geoip.nekudo.com/api/$IPAddress"
        [PSCustomObject]@{
            IP        = $request.IP
            City      = $request.City
            Country   = $request.Country.Name
            Code      = $request.Country.Code
            Location  = $request.Location.Latitude
            Longitude = $request.Location.Longitude
            TimeZone  = $request.Location.Time_zone
        }
    }

    # Event 1203 is the AD FS fresh-credential validation failure (needs verbose auditing)
    $events  = Get-WinEvent -FilterHashtable @{Logname='Security'; Id=1203}
    $events2 = $events | Select-Object Message, TimeCreated
    $info = @()
    $events2 | ForEach-Object {
        # The event body is XML-like; splitting on '<' leaves "Tag>value" fragments,
        # and the Substring offsets skip the "Tag>" prefix of each one
        $fields = $_.Message.Split('<')
        $IpAddresses        = ($fields | Select-String "IpAddress")[0].ToString().Substring(10)
        $ForwardedIpAddress = ($fields | Select-String "ForwardedIpAddress")[0].ToString().Substring(19).Trim()
        $UserId             = ($fields | Select-String "Userid>")[0].ToString().Substring(7).Trim()
        $activityLine     = ($fields | Select-String "Activity ID:")[0].ToString()
        $ActivityIDstart  = $activityLine.IndexOf("Activity ID:")
        $ActivityIDend    = $activityLine.IndexOf("Additional Data")
        $ActivityIDlength = $ActivityIDend - $ActivityIDstart
        $ActivityID  = $activityLine.Substring($ActivityIDstart, $ActivityIDlength).Trim().Replace("Activity ID: ", "")
        $Server      = ($fields | Select-String "Server")[0].ToString().Substring(7).Trim()
        $FailureType = ($fields | Select-String "FailureType")[0].ToString().Substring(12).Trim()
        $AuditType   = ($fields | Select-String "AuditType")[0].ToString().Substring(10).Trim()
        $Geo = Get-IPGeolocation $ForwardedIpAddress
        $info += [PSCustomObject]@{
            TimeStamp          = $_.TimeCreated
            IPaddress          = $IpAddresses
            ForwardedIpAddress = $ForwardedIpAddress
            Geolocation        = $Geo.Country
            UserId             = $UserId
            ActivityID         = $ActivityID
            Server             = $Server
            FailureType        = $FailureType
            AuditType          = $AuditType
        }
    }

    # Forwarded addresses from the countries the failures are coming from
    $ips = $info | Where-Object { $_.Geolocation -in 'China','Indonesia','Brazil','Republic of Korea','Philippines','Russia' } | Select-Object ForwardedIpAddress
    # The policy summary wraps the "a|b|c" alternation in fixed wording; the offsets
    # 208 and 19 strip that wording and are specific to this policy's summary text
    $ippolicy = (Get-AdfsAccessControlPolicy -Name "Block certain IP addresses").PolicyMetadata.Summary.ToString().Substring(208)
    $ippolicy = $ippolicy.Substring(0, $ippolicy.Length - 19)
    $iplist   = $ippolicy.Split('|')
    $info | Sort-Object TimeStamp
    ForEach ($ip in $ips) {
        If ($iplist | Where-Object { $_ -eq $ip.ForwardedIpAddress }) {
            #"$($ip.ForwardedIpAddress) already blocked"
        } Else {
            "$($ip.ForwardedIpAddress) being added to the blocked list"
            $iplist += $ip.ForwardedIpAddress
        }
    }
    $newippolicy = [string]::Join("|", $iplist)
    If ($newippolicy.Length -ne $ippolicy.Length) {
        "Updating policy"
        $newobj = (Get-AdfsAccessControlPolicy -Name "Block certain IP addresses").PolicyMetadata
        Set-AdfsAccessControlPolicy -TargetName "Block certain IP addresses" -PolicyMetadata ($newobj.Serialized.Replace($ippolicy, $newippolicy))
    }

    Monday, May 21, 2018 3:04 PM
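Two things decide whether a regex on the forwarded-client-IP claim (the question's rule and the reply's growing expression) behaves as intended: the dots in each address must be escaped so they match literally, and each alternative must be anchored so an address cannot match as a substring of a longer one. The following is an added example, not code from this thread, that builds such a pattern from a list of addresses and /8, /16 and /24 blocks and checks it offline against constructed claim values before anything is pasted into a policy. It assumes the policy engine evaluates the pattern as a .NET regular expression (the engine [regex]::IsMatch uses), and it assumes a claim can carry a comma-separated chain of addresses when the request passed through proxies; the function names and the documentation-range addresses are made up for the example.

```powershell
# Added example: build an anchored, dot-escaped regex for IP blocks and test it offline.
# Not part of the original post; the addresses below are constructed sample values.

function ConvertTo-IpBlockRegex {
    param([Parameter(Mandatory)][string[]]$Blocks)

    $alternatives = foreach ($block in $Blocks) {
        if ($block -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$') {
            $octets = 1..4 | ForEach-Object { $Matches[$_] }
            $prefix = if ($Matches[5]) { [int]$Matches[5] } else { 32 }
            $octet  = '\d{1,3}'   # wildcard for an octet inside the block
            # '\.' is a literal escaped dot; an unescaped '.' would match any character
            switch ($prefix) {
                32 { $octets -join '\.' }
                24 { ($octets[0..2] -join '\.') + '\.' + $octet }
                16 { ($octets[0..1] -join '\.') + "(\.$octet){2}" }
                8  { $octets[0] + "(\.$octet){3}" }
                default { throw "Only /8, /16, /24 and /32 blocks are handled here: $block" }
            }
        } else {
            throw "Not an IPv4 address or block: $block"
        }
    }
    # Anchor the whole pattern so 1.2.3.4 cannot match inside 11.2.3.45, while still
    # allowing the claim to be a comma-separated chain of addresses (assumed proxy format).
    return '^(.*,\s*)?(' + ($alternatives -join '|') + ')(\s*,.*)?$'
}

function Test-IpBlockRegex {
    param([string]$Pattern, [string[]]$ClaimValues)
    # Evaluate each sample claim value the way a "deny if matches" rule would see it
    foreach ($value in $ClaimValues) {
        [PSCustomObject]@{
            ClaimValue = $value
            Blocked    = [regex]::IsMatch($value, $Pattern)
        }
    }
}

# Constructed sample blocks (documentation ranges, not real attacker addresses)
$pattern = ConvertTo-IpBlockRegex -Blocks '203.0.113.7', '198.51.100.0/24', '192.0.2.0/24'
$pattern
Test-IpBlockRegex -Pattern $pattern -ClaimValues @(
    '203.0.113.7',             # exact address: Blocked = True
    '203.0.113.70',            # an unanchored 203.0.113.7 would match this: Blocked = False
    '198.51.100.200',          # inside the /24: Blocked = True
    '10.0.0.5, 198.51.100.9',  # chain containing a blocked address: Blocked = True
    '192.0.3.1'                # outside the /24: Blocked = False
)
```

Generating the expression from the source block list rather than editing it by hand, and running a handful of known-good and known-bad values through it each time it changes, makes a broken pattern visible before the policy is updated; the same check can be pointed at the ForwardedIpAddress values the earlier script extracts from event 1203 to confirm that the addresses seen in the log would actually be caught.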