Detects credential stuffing attacks in auth logs via login-rate anomalies, ASN/IP diversity, password-spray patterns, and failed-login geo distributions, using Python/pandas on Splunk exports or raw log data. For account-takeover hunting.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Analyzes authentication logs and detects credential stuffing attacks by identifying patterns such as distributed login failures, high source-IP diversity, and suspicious ASN distributions.
Detects credential stuffing attacks in auth logs using Python/pandas for IP diversity, login velocity anomalies, password sprays, and geo distribution. For threat hunting or building detection rules.
Detects credential stuffing attacks in auth logs using Python/pandas to analyze IP diversity, login velocity, password sprays, ASN, and geo patterns. For threat hunting and detection rules.
Detects anomalous authentication patterns using UEBA, statistical baselines, and ML models to identify impossible travel, brute force, credential stuffing, password spraying, and account takeovers from auth logs like Azure AD and Okta.
Key detection indicators:
import pandas as pd
# Load authentication logs (CSV export with at least timestamp, username, source_ip, status and password_hash columns)
df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"])
# Credential stuffing indicator: many distinct source IPs failing against a small set of accounts
ip_per_account = df[df["status"] == "failed"].groupby("username")["source_ip"].nunique()
accounts_under_attack = ip_per_account[ip_per_account > 50]
# Password spray indicator: one password (hash) tried from one IP against many accounts
spray = df[df["status"] == "failed"].groupby(["source_ip", "password_hash"]).agg(
    accounts=("username", "nunique")).reset_index()
sprays = spray[spray["accounts"] > 10]
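The snippet above shows the per-account IP-diversity and password-spray checks on a pandas DataFrame; the listing also mentions login-rate anomalies and ASN diversity. The following is an added example (not code from the skill or its repository) that implements all four indicators with the standard library only, so it runs without pandas, over a small constructed log. The sample events, column names, ASN labels and the lowered thresholds (5 IPs, 3 ASNs, 5 accounts, 5 failures per 60 s instead of the page's 50 and 10) are assumptions chosen to make the tiny sample trip the checks; on real data use the page's thresholds or a per-tenant baseline.

```python
"""Credential-stuffing indicators over authentication events (standard library only).

Added example; not the skill's own code. Column layout mirrors the page's auth_logs.csv.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Four scenarios:
#  - bob: two failures then success from one IP (benign typo)
#  - alice: failures from 6 IPs in 5 ASNs / 5 countries (distributed stuffing)
#  - 203.0.113.7: one password hash against 5 accounts (password spray)
#  - 198.51.100.9: 6 different passwords against heidi in 25 s (high velocity)
SAMPLE_LOG = """timestamp,username,source_ip,asn,country,status,password_hash
2024-03-01T09:00:00,bob,192.0.2.10,AS64500,US,failed,h_bob1
2024-03-01T09:00:30,bob,192.0.2.10,AS64500,US,success,h_bob2
2024-03-01T09:01:00,alice,203.0.113.1,AS64501,US,failed,h_a1
2024-03-01T09:01:10,alice,203.0.113.2,AS64502,DE,failed,h_a2
2024-03-01T09:01:20,alice,203.0.113.3,AS64503,BR,failed,h_a3
2024-03-01T09:01:30,alice,198.51.100.4,AS64504,IN,failed,h_a4
2024-03-01T09:01:40,alice,198.51.100.5,AS64505,RU,failed,h_a5
2024-03-01T09:01:50,alice,198.51.100.6,AS64501,US,failed,h_a6
2024-03-01T09:02:00,carol,203.0.113.7,AS64506,NL,failed,h_Winter2024
2024-03-01T09:02:05,dave,203.0.113.7,AS64506,NL,failed,h_Winter2024
2024-03-01T09:02:10,erin,203.0.113.7,AS64506,NL,failed,h_Winter2024
2024-03-01T09:02:15,frank,203.0.113.7,AS64506,NL,failed,h_Winter2024
2024-03-01T09:02:20,grace,203.0.113.7,AS64506,NL,failed,h_Winter2024
2024-03-01T09:03:00,heidi,198.51.100.9,AS64507,FR,failed,h_p1
2024-03-01T09:03:05,heidi,198.51.100.9,AS64507,FR,failed,h_p2
2024-03-01T09:03:10,heidi,198.51.100.9,AS64507,FR,failed,h_p3
2024-03-01T09:03:15,heidi,198.51.100.9,AS64507,FR,failed,h_p4
2024-03-01T09:03:20,heidi,198.51.100.9,AS64507,FR,failed,h_p5
2024-03-01T09:03:25,heidi,198.51.100.9,AS64507,FR,failed,h_p6
"""


def parse_log(text):
    """Parse CSV text into a list of dict events with a datetime 'timestamp'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def _failed(events):
    return [e for e in events if e["status"] == "failed"]


def accounts_under_attack(events, min_ips=5):
    """Accounts whose failed logins come from >= min_ips distinct source IPs."""
    ips = defaultdict(set)
    for e in _failed(events):
        ips[e["username"]].add(e["source_ip"])
    return {u: len(s) for u, s in ips.items() if len(s) >= min_ips}


def asn_diversity(events, min_asns=3):
    """Accounts whose failed logins span >= min_asns distinct ASNs (proxy/botnet spread)."""
    asns = defaultdict(set)
    for e in _failed(events):
        asns[e["username"]].add(e["asn"])
    return {u: len(s) for u, s in asns.items() if len(s) >= min_asns}


def password_sprays(events, min_accounts=5):
    """(source_ip, password_hash) pairs tried against >= min_accounts distinct usernames."""
    users = defaultdict(set)
    for e in _failed(events):
        users[(e["source_ip"], e["password_hash"])].add(e["username"])
    return sorted((ip, h, len(u)) for (ip, h), u in users.items() if len(u) >= min_accounts)


def velocity_anomalies(events, window=timedelta(seconds=60), max_failures=5):
    """Source IPs with >= max_failures failed logins inside any sliding window."""
    times = defaultdict(list)
    for e in _failed(events):
        times[e["source_ip"]].append(e["timestamp"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_failures:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("accounts under attack:", accounts_under_attack(ev))
    print("asn diversity:", asn_diversity(ev))
    print("password sprays:", password_sprays(ev))
    print("velocity anomalies:", velocity_anomalies(ev))
```

Note how the indicators complement each other on this sample: the distributed campaign against alice never exceeds one failure per IP, so the per-IP velocity check does not see it at all, and only the IP/ASN diversity checks fire; conversely the sprayer and the brute-forcer are caught by velocity. Treat a success on an account that was just flagged by the diversity checks, especially from a new ASN, as the takeover candidate to escalate.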