create procedure FindPosibleBruteForcePasswordAttempt_prc

as

create table #errorLog (
LogDate datetime,
ProcessInfo varchar(250),
[Text] varchar(8000)
)

insert into #errorLog (LogDate, ProcessInfo, [Text])
exec sp_readerrorlog 0, 1

select
replace(right([Text],charindex(‘ ‘, reverse([Text]))-1), ‘]’, ”) as IP,
substring([Text], charindex(””, [Text]) + 1, charindex(‘.’, [Text]) – charindex(””, [Text]) – 2 ) as [User],
count(LogDate) as [Number of login attempts],
min(LogDate) as [StartedAt],
max(LogDate) as [EndedAt],
datediff(minute, min(LogDate), max(LogDate)) as [IntervalInMinutes],
cast(cast(count(LogDate) as decimal(18,2))/isnull(nullif(datediff(minute, min(LogDate), max(LogDate)),0),1) as decimal(18,2)) as [AttemptsPerMinute]

from #errorLog

where

ProcessInfo = ‘Logon’
and [Text] like ‘Login failed for user%’
and datediff(hour, LogDate, getdate()) <= 24

group by
[Text]

having
count(LogDate) > 3 –filter users typing their passwords incorrectly

order by
[Number of login attempts] desc,
[EndedAt] desc

drop table #errorLog