Skill v1.0.1

currentAutomated scan100/100

mukul975/anthropic-cybersecurity-skills/hunting-credential-stuffing-attacks

+3 new

──Details

PublishedJune 8, 2026 at 03:34 PM

Content Hashsha256:d7a5f326544259f7...

Git SHA04450304b126

Bump Typepatch

Compare with v1.0.0

──Files

Files (1 file, 2.4 KB)

SKILL.md2.4 KBactive

SKILL.md · 84 lines · 2.4 KB

name: hunting-credential-stuffing-attacks description: 'Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. Use when investigating account takeover campaigns or building detection rules for auth abuse.

' domain: cybersecurity subdomain: security-operations tags:

credential-stuffing
authentication-logs
login-anomaly
asn-analysis
threat-hunting
account-takeover

version: '1.0' author: mahipal license: Apache-2.0 nist_csf:

DE.CM-01
RS.MA-01
GV.OV-01
DE.AE-02

mitre_attack:

T1078
T1190
T1059
T1003
T1110

Hunting Credential Stuffing Attacks

When to Use

When investigating security incidents that require hunting credential stuffing attacks
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Analyze authentication logs to detect credential stuffing by identifying patterns of distributed login failures, high IP diversity, and suspicious ASN distribution.

python

import pandas as pd
from collections import Counter
# Load auth logs
df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"])
# Credential stuffing indicator: many IPs trying few accounts
ip_per_account = df[df["status"] == "failed"].groupby("username")["source_ip"].nunique()
accounts_under_attack = ip_per_account[ip_per_account > 50]

Key detection indicators:

High unique source IPs per failed username
Low success rate across many accounts (< 1%)
ASN concentration from cloud/proxy providers
Geographic impossibility (same account, distant locations)
User-agent uniformity across distributed IPs

Examples

python

# Password spray: one password tried across many accounts
spray = df[df["status"] == "failed"].groupby(["source_ip", "password_hash"]).agg(
    accounts=("username", "nunique")).reset_index()
sprays = spray[spray["accounts"] > 10]

← v1.0.0 All versions