hunting-credential-stuffing-attacks

Solid

Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. Use when investigating account takeover campaigns or building detection rules for auth abuse.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · Apache-2.0


Quality Score: 97/100

Score breakdown (component, weight, score):
- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 84
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Hunting Credential Stuffing Attacks

## When to Use

- When investigating security incidents that involve suspected credential stuffing
- When building detection rules or threat hunting queries for authentication abuse
- When SOC analysts need structured procedures for this type of analysis
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed (the snippet below needs pandas)
- Appropriate authorization for any testing activities

## Instructions

Analyze authentication logs to detect credential stuffing by identifying patterns of distributed login failures, high source-IP diversity per account, and suspicious ASN distribution. Credential stuffing replays username/password pairs from a breach dump, so the characteristic shape is many source IPs hammering a comparatively small set of accounts, with a low but non-zero success rate; a password spray is the inverse (few attempts per account across many accounts).

```python
import pandas as pd
from collections import Counter

# Load auth logs. Expected columns: timestamp, username, source_ip, status
# (status is "failed" or "success").
df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"])

# Credential stuffing indicator: many distinct IPs trying the same account.
ip_per_account = df[df["status"] == "failed"].groupby("username")["source_ip"].nunique()

# The threshold of 50 distinct IPs is a starting point; tune it against the
# baseline for your environment (shared NAT, mobile carriers and VPNs inflate it).
accounts_under_attack = ip_per_account[ip_per_account > 50]
```

Key detection indicators:

1. High number of unique source IPs per failed username
2. Low success rate across many accounts (< 1%)
3. ASN concentration in cloud, hosting or proxy providers rather than residential ISPs
4. Geographic impossibility (the same account authenticating from locations too far apart for the elapsed time)
5. User-agent uniformity across otherwise distributed IPs (one scripted client behind many addresses)

## Examples

```python
# Password spray: one password tried across many a...
```
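The indicators listed above, run over constructed sample log lines as an added example; this is not code from the skill or from the mukul975 repository. It uses only the standard library instead of pandas so it runs anywhere. The extra `user_agent` column, the /24-to-ASN map (private ASNs, standing in for a real MaxMind or Team Cymru lookup), and the thresholds are assumptions; indicator 4 (geographic impossibility) is left out because it needs a geolocation source. The sample also contains the inverse shape, a password spray (one source, many accounts, one attempt each), so the two can be told apart in the same data.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical /24 -> ASN map standing in for a real lookup (MaxMind, Team Cymru).
# Private ASNs (64500+) are used so nothing here is mistaken for a real provider.
ASN_BY_PREFIX = {
    "198.51.100": "AS64500 (hosting provider)",
    "203.0.113": "AS64501 (VPS provider)",
    "192.0.2": "AS64502 (residential ISP)",
}

def asn_for(ip: str) -> str:
    return ASN_BY_PREFIX.get(ip.rsplit(".", 1)[0], "unknown")

def build_sample_log() -> str:
    """Constructed sample data, not real logs; same columns as auth_logs.csv plus user_agent."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    rows = ["timestamp,username,source_ip,status,user_agent"]
    # Stuffing burst: 200 distinct hosting IPs, one scripted UA, one attempt per second, then a hit.
    for i in range(200):
        ts = (base + timedelta(seconds=i)).isoformat()
        rows.append(f"{ts},alice,198.51.100.{i + 1},failed,python-requests/2.31")
    ts = (base + timedelta(seconds=200)).isoformat()
    rows.append(f"{ts},alice,198.51.100.201,success,python-requests/2.31")
    # Spray: one VPS IP, 30 accounts, one attempt each (the inverse shape).
    for i in range(30):
        ts = (base + timedelta(minutes=5, seconds=i)).isoformat()
        rows.append(f"{ts},user{i:02d},203.0.113.5,failed,Mozilla/5.0")
    # Benign noise: bob mistypes twice from his usual ISP, then logs in.
    for i, status in enumerate(("failed", "failed", "success")):
        ts = (base + timedelta(hours=1, seconds=10 * i)).isoformat()
        rows.append(f"{ts},bob,192.0.2.7,{status},Mozilla/5.0")
    return "\n".join(rows)

def parse_log(text: str) -> list:
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["timestamp"] = datetime.fromisoformat(e["timestamp"])
    return events

def stuffing_targets(events, min_ips=50) -> dict:
    """Indicator 1: accounts whose failures come from at least min_ips distinct source IPs."""
    ips = defaultdict(set)
    for e in events:
        if e["status"] == "failed":
            ips[e["username"]].add(e["source_ip"])
    return {u: len(s) for u, s in ips.items() if len(s) >= min_ips}

def success_rate(events) -> float:
    """Indicator 2: overall success ratio; stuffing campaigns sit well under 1%."""
    return sum(e["status"] == "success" for e in events) / len(events)

def top_failed_asn(events) -> tuple:
    """Indicator 3: the most common ASN among failures and its share of all failures."""
    c = Counter(asn_for(e["source_ip"]) for e in events if e["status"] == "failed")
    asn, n = c.most_common(1)[0]
    return asn, n / sum(c.values())

def ua_uniformity(events, users) -> dict:
    """Indicator 5: fraction of each target's failures that share a single user-agent."""
    out = {}
    for u in users:
        c = Counter(e["user_agent"] for e in events if e["username"] == u and e["status"] == "failed")
        out[u] = c.most_common(1)[0][1] / sum(c.values())
    return out

def max_failures_per_window(events, window_seconds=60) -> int:
    """Velocity: most failures inside any sliding window (two pointers over sorted times)."""
    times = sorted(e["timestamp"] for e in events if e["status"] == "failed")
    best = j = 0
    for i, t in enumerate(times):
        while j < len(times) and (times[j] - t).total_seconds() < window_seconds:
            j += 1
        best = max(best, j - i)
    return best

def spray_sources(events, min_users=20, max_per_user=2) -> dict:
    """Spray shape: one source IP, many accounts, at most a couple of attempts per account."""
    per_ip = defaultdict(Counter)
    for e in events:
        if e["status"] == "failed":
            per_ip[e["source_ip"]][e["username"]] += 1
    return {ip: len(c) for ip, c in per_ip.items()
            if len(c) >= min_users and max(c.values()) <= max_per_user}

def analyze(text: str) -> dict:
    events = parse_log(text)
    targets = stuffing_targets(events)
    return {
        "stuffing_targets": targets,
        "success_rate": success_rate(events),
        "top_failed_asn": top_failed_asn(events),
        "ua_uniformity": ua_uniformity(events, targets),
        "max_failures_per_minute": max_failures_per_window(events),
        "spray_sources": spray_sources(events),
    }
```

Running `analyze(build_sample_log())` flags `alice` as a stuffing target (200 distinct IPs, all failures from one hosting ASN, one user-agent, 60 failures per minute at peak) and `203.0.113.5` as a spray source (30 accounts, one attempt each), while bob's two typos never cross a threshold. The one success for `alice` is exactly the event worth escalating: the campaign's overall success rate is under 1%, but that single hit is a probable account takeover.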

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-anomalous-authentication-patterns

Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis, UEBA implementation, or suspicious sign-in investigation.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-unusual-network-connections

Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-service-account-abuse

Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

hunting-for-living-off-the-cloud-techniques

Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-windows-event-logs-in-splunk

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

12,642 Updated today
mukul975