
security analyst security skill risk: medium

Credential Stuffing Auth Log Analyzer

Analyze authentication logs to detect credential stuffing by identifying patterns of distributed login failures, high IP diversity, and suspicious ASN distribution, with provided P…

  • Policy sensitive
  • Human review

SKILL 4 files · 2 folders

SKILL.md
---
name: hunting-credential-stuffing-attacks
description: "Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity,"
---
# Hunting Credential Stuffing Attacks


## When to Use

- When investigating security incidents that require hunting credential stuffing attacks
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Analyze authentication logs to detect credential stuffing by identifying patterns
of distributed login failures, high IP diversity, and suspicious ASN distribution.

```python
import pandas as pd

# Load auth logs; the columns used below are timestamp, username, source_ip, status
df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"])

# Credential stuffing indicator: many distinct source IPs failing against the same account
failed = df[df["status"] == "failed"]
ip_per_account = failed.groupby("username")["source_ip"].nunique()
accounts_under_attack = ip_per_account[ip_per_account > 50]
```

Key detection indicators:
1. High unique source IPs per failed username
2. Low success rate across many accounts (< 1%)
3. ASN concentration from cloud/proxy providers
4. Geographic impossibility (same account, distant locations)
5. User-agent uniformity across distributed IPs
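The indicators above, computed end to end over a small constructed log as an added example (not the skill's own pandas snippet): it uses only the standard library, assumes two extra columns, `asn` and `user_agent`, beyond the four the skill references, and covers indicators 1, 2, 3 and 5 (geographic impossibility needs a geolocation source the skill does not provide).

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows (not real log data): 'victim' is hit from 60 IPs on one
# cloud ASN with one user agent; 'alice' shows ordinary single-IP activity.
SAMPLE_LOG = "timestamp,username,source_ip,status,asn,user_agent\n" + "\n".join(
    [f"2024-05-01T00:00:{i:02d},victim,203.0.113.{i + 1},failed,AS64500,bot/1.0"
     for i in range(60)]
    + ["2024-05-01T00:01:00,victim,198.51.100.9,success,AS64501,bot/1.0",
       "2024-05-01T00:02:00,alice,192.0.2.10,failed,AS64502,Mozilla/5.0",
       "2024-05-01T00:02:30,alice,192.0.2.10,success,AS64502,Mozilla/5.0"])


def analyze_auth_log(csv_text, min_unique_ips=50):
    """Return per-username indicators; 'flagged' marks likely credential stuffing."""
    stats = defaultdict(lambda: {"failed_ips": set(), "failed": 0, "success": 0,
                                 "asn": Counter(), "ua": Counter()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats[row["username"]]
        if row["status"] == "failed":
            s["failed"] += 1
            s["failed_ips"].add(row["source_ip"])      # indicator 1: IP diversity
            s["asn"][row["asn"]] += 1                  # indicator 3: ASN concentration
            s["ua"][row["user_agent"]] += 1            # indicator 5: UA uniformity
        else:
            s["success"] += 1                          # feeds indicator 2: success rate
    report = {}
    for user, s in stats.items():
        attempts = s["failed"] + s["success"]
        unique_ips = len(s["failed_ips"])
        top_asn, top_asn_count = s["asn"].most_common(1)[0] if s["asn"] else (None, 0)
        report[user] = {
            "unique_failed_ips": unique_ips,
            "success_rate": s["success"] / attempts if attempts else 0.0,
            "top_asn": top_asn,
            "top_asn_share": top_asn_count / s["failed"] if s["failed"] else 0.0,
            "ua_uniformity": s["ua"].most_common(1)[0][1] / s["failed"] if s["failed"] else 0.0,
            "flagged": unique_ips >= min_unique_ips,
        }
    return report


if __name__ == "__main__":
    for user, indicators in analyze_auth_log(SAMPLE_LOG).items():
        print(user, indicators)
```

Tune `min_unique_ips` to the baseline of your own environment; a shared corporate NAT or a large CDN can legitimately present many accounts from few IPs, which is the inverse pattern and is not flagged here.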

## Examples

```python
# Password spray: one password tried across many accounts from the same source IP.
# Uses the df loaded above and assumes the log carries a password_hash column.
spray = df[df["status"] == "failed"].groupby(["source_ip", "password_hash"]).agg(
    accounts=("username", "nunique")).reset_index()
sprays = spray[spray["accounts"] > 10]
```

REQUIRED CONTEXT

  • authentication logs in CSV format

EXPECTED OUTPUT

Format
markdown
Constraints
  • include Python code snippets
  • list key detection indicators

EXAMPLES

Includes two Python code examples for detecting credential stuffing (IP-per-account grouping) and password spraying (IP+password aggregation).

CAVEATS

Dependencies
  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities
Missing context
  • Exact log schema / column definitions beyond the four columns referenced in code
  • Desired output format or report structure for the analysis results
Ambiguities
  • Description field is truncated mid-sentence after "ASN diversity,"

QUALITY

OVERALL
0.70
CLARITY
0.75
SPECIFICITY
0.65
REUSABILITY
0.80
COMPLETENESS
0.60

IMPROVEMENT SUGGESTIONS

  • Complete the truncated description sentence
  • Add explicit success criteria or output schema for the detection results
  • Provide the full working script instead of isolated code fragments

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
