Annotator cred

Credential brute forcing

Repeated authentication attempts consistent with password guessing or credential stuffing.

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Authentication endpoints and repeated login attempts
  • Username-style parameters and automation-oriented auth clients
  • Auth failures, redirects, rate limits, and suspicious auth success paths
Logic
  • This annotator emits row-level auth primitives rather than whole-campaign conclusions.
  • It captures the pieces that later make brute-force and takeover patterns readable.
  • WordPress auth surfaces get a dedicated bump because they are such common targets.
How To Read It
Think of this as the authentication storyline: attempts, failures, throttles, and suspicious success clues.
Catalog Definition
Flags repeated login attempts and authentication workflows consistent with systematic credential guessing. Common indicators include high retry volume, repeated requests to login endpoints, high failure ratios, and tight timing between attempts. This is a behavioral classification; it does not claim success or identify the actor.

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week: 2026W13
Lookback: 30 days
Total matched: 1427476
Latest sample: Mar 01, 2026 • 23:59
Top rules: cred:auth_success · 4, cred:scripted_user_agent · 3, cred:auth_hit:login · 3
Top requester orgs: Apple Inc · 10
Severity mix: 8 · 4, 10 · 3, informational · 3
Method mix: GET · 10

GET 200 8
Mar 01, 2026 • 23:59
/accounts/login/?next=/report_ipaddress/ip/181.225.10.175/
Auth success (200) on auth endpoint
IP 17.22.245.238 Subnet 17.22.245.0/24 Org Apple Inc Country United States Rule cred:auth_success
GET 200 10
Mar 01, 2026 • 23:59
/accounts/login/?next=/report_ipaddress/ip/181.225.10.175/
Auth request appears to use an automation-oriented user agent
IP 17.22.245.238 Subnet 17.22.245.0/24 Org Apple Inc Country United States Rule cred:scripted_user_agent
GET 200 informational
Mar 01, 2026 • 23:59
/accounts/login/?next=/report_ipaddress/ip/181.225.10.175/
Auth endpoint request observed
IP 17.22.245.238 Subnet 17.22.245.0/24 Org Apple Inc Country United States Rule cred:auth_hit:login
GET 200 8
Mar 01, 2026 • 23:59
/accounts/login/?next=/report_ipaddress/ip/38.248.130.5/
Auth success (200) on auth endpoint
IP 17.246.15.79 Subnet 17.246.15.0/24 Org Apple Inc Country United States Rule cred:auth_success
GET 200 10
Mar 01, 2026 • 23:59
/accounts/login/?next=/report_ipaddress/ip/38.248.130.5/
Auth request appears to use an automation-oriented user agent
IP 17.246.15.79 Subnet 17.246.15.0/24 Org Apple Inc Country United States Rule cred:scripted_user_agent
GET 200 informational
Mar 01, 2026 • 23:59
/accounts/login/?next=/report_ipaddress/ip/38.248.130.5/
Auth endpoint request observed
IP 17.246.15.79 Subnet 17.246.15.0/24 Org Apple Inc Country United States Rule cred:auth_hit:login
GET 200 8
Mar 01, 2026 • 23:59
/accounts/login/?next=%2Freport_ipaddress%2Fip%2F154.255.16.203%2Fdrill%2F%3Fdays%3D1%26page_size%3D100
Auth success (200) on auth endpoint
IP 17.246.15.79 Subnet 17.246.15.0/24 Org Apple Inc Country United States Rule cred:auth_success
GET 200 10
Mar 01, 2026 • 23:59
/accounts/login/?next=%2Freport_ipaddress%2Fip%2F154.255.16.203%2Fdrill%2F%3Fdays%3D1%26page_size%3D100
Auth request appears to use an automation-oriented user agent
IP 17.246.15.79 Subnet 17.246.15.0/24 Org Apple Inc Country United States Rule cred:scripted_user_agent
GET 200 informational
Mar 01, 2026 • 23:59
/accounts/login/?next=%2Freport_ipaddress%2Fip%2F154.255.16.203%2Fdrill%2F%3Fdays%3D1%26page_size%3D100
Auth endpoint request observed
IP 17.246.15.79 Subnet 17.246.15.0/24 Org Apple Inc Country United States Rule cred:auth_hit:login
GET 200 8
Mar 01, 2026 • 23:59
/accounts/login/?next=%2Freport_ipaddress%2Fip%2F87.255.79.92%2Fdrill%2F%3Ftab%3Daccess
Auth success (200) on auth endpoint
IP 17.22.253.178 Subnet 17.22.253.0/24 Org Apple Inc Country United States Rule cred:auth_success