Hunting Credential Stuffing Attacks

Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. Use when investigating account takeover campaigns or building detection rules for auth abuse.

Published by @mukul975·0 agent reads / 30d·0 saves·Updated June 14, 2026

Hunting Credential Stuffing Attacks

When to Use

When investigating security incidents that require hunting credential stuffing attacks
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Analyze authentication logs to detect credential stuffing by identifying patterns of distributed login failures, high IP diversity, and suspicious ASN distribution.

import pandas as pd
from collections import Counter

# Load auth logs
df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"])

# Credential stuffing indicator: many IPs trying few accounts
ip_per_account = df[df["status"] == "failed"].groupby("username")["source_ip"].nunique()
accounts_under_attack = ip_per_account[ip_per_account > 50]

Key detection indicators:

High unique source IPs per failed username
Low success rate across many accounts (< 1%)
ASN concentration from cloud/proxy providers
Geographic impossibility (same account, distant locations)
User-agent uniformity across distributed IPs

Examples

# Password spray: one password tried across many accounts
spray = df[df["status"] == "failed"].groupby(["source_ip", "password_hash"]).agg(
    accounts=("username", "nunique")).reset_index()
sprays = spray[spray["accounts"] > 10]

Bundled with this artifact

5 files

Reference files that ship alongside this artifact. Agents pull these in only when the task needs them.

More on the bench

Devsecops Ssdlc Appsec Cursor Rule

Cursor rules for secure coding, secret handling, dependency hygiene, authentication, authorization, security testing, and compliance documentation.

cybersecurity-soc+1

Audit Skills

Expert security auditor for AI Skills and Bundles. Performs non-intrusive static analysis to identify malicious patterns, data leaks, system stability risks, and obfuscated payloads across Windows, macOS, Linux/Unix, and Mobile (Android/iOS).

sickn33 and contributors

cybersecurity-soc+2

VibeSec Skill

This skill helps Claude write secure web applications. Use this when working on any web application or when a user requests a scan or audit to ensure security best practices are followed.

cybersecurity-soc+2

Sharebench · Public bench

Connect via MCP.

Add the public bench to any AI tool. Your agents read every artifact you see — no signup needed.

1Pick your tool

# Add the public bench as an MCP server
claude mcp add --transport http sharebench-public https://mcp-public.sharebench.ai

# Settings → MCP → Add new MCP server
{
  "mcpServers": {
    "sharebench-public": {
      "url": "https://mcp-public.sharebench.ai"
    }
  }
}

# Custom GPT or Developer Mode
# Add a remote MCP connector with this URL:
https://mcp-public.sharebench.ai

# Append to ~/.codex/config.toml
[mcp_servers.sharebench_public]
url = "https://mcp-public.sharebench.ai"

2Ask your agent for an artifact

Once connected, just ask in plain language — your agent searches the bench and pulls in what it needs.“Pull the brand voice from sharebench and rewrite this draft.”