Skill

hunting-credential-stuffing-attacks

From asi

Detects credential stuffing attacks in auth logs using Python/pandas for IP diversity, login velocity anomalies, password sprays, and geo distribution. For threat hunting or building detection rules.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require hunting credential stuffing attacks

SKILL.md

Similar Skills

hunting-credential-stuffing-attacks

5.9k

Detects credential stuffing attacks in auth logs using Python/pandas to analyze IP diversity, login velocity, password sprays, ASN, and geo patterns. For threat hunting and detection rules.

3 files

cybersecurity-skills

hunting-credential-stuffing-attacks

Detects credential stuffing attacks in auth logs via login rate anomalies, ASN/IP diversity, password spray patterns, and failed login geo distributions using Python/pandas on Splunk/raw data. For account takeover hunting.

3 files

cybersecurity-skills-zh

detecting-anomalous-authentication-patterns

Detects anomalous authentication patterns in logs using UEBA analytics, statistical baselines, and ML models to identify impossible travel, brute force, credential stuffing, password spraying, and compromised accounts. For security analysis of login behaviors.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Hunting Credential Stuffing Attacks

When to Use

When investigating security incidents that require hunting credential stuffing attacks

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Analyze authentication logs to detect credential stuffing by identifying patterns of distributed login failures, high IP diversity, and suspicious ASN distribution.

import pandas as pd from collections import Counter # Load auth logs df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"]) # Credential stuffing indicator: many IPs trying few accounts ip_per_account = df[df["status"] == "failed"].groupby("username")["source_ip"].nunique() accounts_under_attack = ip_per_account[ip_per_account > 50]

Key detection indicators:

High unique source IPs per failed username

Low success rate across many accounts (< 1%)

ASN concentration from cloud/proxy providers

Geographic impossibility (same account, distant locations)

User-agent uniformity across distributed IPs

Examples

# Password spray: one password tried across many accounts spray = df[df["status"] == "failed"].groupby(["source_ip", "password_hash"]).agg( accounts=("username", "nunique")).reset_index() sprays = spray[spray["accounts"] > 10]