Annotator cred

Credential brute forcing

Repeated authentication attempts consistent with password guessing or credential stuffing.

Attack family · Credential stuffing, brute force, and account takeover
Phase · Initial access
Risk · High

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Authentication endpoints and repeated login attempts
  • Username-style parameters and automation-oriented auth clients
  • Auth failures, redirects, rate limits, and suspicious auth success paths
Logic
  • This annotator emits row-level auth primitives rather than whole-campaign conclusions.
  • It captures the pieces that later make brute-force and takeover patterns readable.
  • WordPress auth surfaces get a dedicated bump because they are such common targets.
Attack Family
Credential stuffing, brute force, and account takeover
Phase · Initial access
Risk · High
Auth traffic is where low-tech attacks still do high-end damage. Repeated login attempts can turn password reuse, weak MFA posture, or thin throttling into a real foothold.
Damage Patterns
  • Successful credential attacks lead to fraud, privilege abuse, data theft, and persistent access through legitimate accounts.
  • Even failed campaigns create operational drag, user lockouts, and trust erosion.
Incident Lore
  • Many fraud waves and enterprise intrusions began with nothing more exotic than repeated logins against an exposed auth surface.
  • The worst damage often comes from reused credentials and weak recovery flows rather than from a software vulnerability.
How To Read It
Think of this as the authentication storyline: attempts, failures, throttles, and suspicious success clues.
Defender Takeaway
Read this as pressure on the identity layer. The attacker is testing whether people or policy are a softer target than code.
Catalog Definition
Flags repeated login attempts and authentication workflows consistent with systematic credential guessing. Common indicators include high retry volume, repeated requests to login endpoints, high failure ratios, and tight timing between attempts. This is a behavioral classification; it does not claim success or identify the actor.
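
As an added illustration (not the annotator's implementation), the sketch below emits the row-level primitives described under Logic, using the rule names visible in the samples on this page, then rolls them up per IP into the indicators named in the Catalog Definition: retry volume, failure ratio, and timing between attempts. The path tokens, user-agent tokens, failure status codes, and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed values for this sketch; the page does not publish the annotator's own lists.
AUTH_PATH_TOKENS = ("/login", "/wp-login.php")
SCRIPTED_UA_TOKENS = ("python-requests", "curl", "go-http-client")
FAILURE_STATUSES = {401, 403, 429}
MIN_ATTEMPTS, MIN_FAILURE_RATIO, MAX_MEDIAN_GAP_S = 5, 0.8, 2.0

def annotate_row(row):
    """Row-level primitives, using the rule names shown in the page's samples."""
    path = row["path"].split("?", 1)[0].lower()
    if not any(tok in path for tok in AUTH_PATH_TOKENS):
        return []
    rules = ["cred:auth_hit:login"]
    if any(tok in row["ua"].lower() for tok in SCRIPTED_UA_TOKENS):
        rules.append("cred:scripted_user_agent")
    if row["status"] == 200:
        rules.append("cred:auth_success")
    return rules

def summarize(rows):
    """Per-IP roll-up: retry volume, failure ratio, median gap between attempts."""
    per_ip = defaultdict(list)
    for row in rows:
        if annotate_row(row):
            per_ip[row["ip"]].append(row)
    out = {}
    for ip, hits in per_ip.items():
        times = sorted(datetime.fromisoformat(h["ts"]) for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        ratio = sum(h["status"] in FAILURE_STATUSES for h in hits) / len(hits)
        gap = median(gaps) if gaps else None
        flagged = (len(hits) >= MIN_ATTEMPTS and ratio >= MIN_FAILURE_RATIO
                   and gap is not None and gap <= MAX_MEDIAN_GAP_S)
        out[ip] = {"attempts": len(hits), "failure_ratio": ratio,
                   "median_gap_s": gap, "guessing_pattern": flagged}
    return out

# Constructed sample rows (documentation-range IPs), not real traffic.
def _row(ts, ip, status, ua, path="/login"):
    return {"ts": ts, "ip": ip, "path": path, "status": status, "ua": ua}

SAMPLE = [_row(f"2026-01-01T00:00:0{i}", "192.0.2.10", 401, "python-requests/2.31")
          for i in range(6)]
SAMPLE += [
    _row("2026-01-01T00:00:07", "192.0.2.10", 200, "python-requests/2.31"),
    _row("2026-01-01T00:05:00", "198.51.100.7", 200, "Mozilla/5.0"),
    _row("2026-01-01T00:06:00", "198.51.100.7", 200, "Mozilla/5.0", path="/index.html"),
]
```

Calling `summarize(SAMPLE)` marks only the first address as matching the guessing pattern; as in the definition above, that is a behavioral label and says nothing about whether the final 200 was a real takeover.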

10 Most Recent Real Samples

Cached weekly from live annotated access events so the catalog stays fast.
Week: 2026W16
Lookback: 30 days
Total matched: 13485
Latest sample: Apr 13, 2026 • 00:18
Top rules: cred:scripted_user_agent · 4; cred:auth_hit:login · 4; cred:auth_success · 2
Top requester orgs: Tencent Cloud Computing · 3; Censys, Inc. · 2; Techoff SRV Limited · 2
Severity mix: 10 · 4; informational · 4; 8 · 2
Method mix: GET · 10

GET · 404 · severity 10
Apr 13, 2026 • 00:18
/login
Auth request appears to use an automation-oriented user agent
IP 167.94.146.48 · Subnet 167.94.146.0/24 · Org Censys, Inc. · Country Germany · Rule cred:scripted_user_agent

GET · 404 · severity informational
Apr 13, 2026 • 00:18
/login
Auth endpoint request observed
IP 167.94.146.48 · Subnet 167.94.146.0/24 · Org Censys, Inc. · Country Germany · Rule cred:auth_hit:login

GET · 200 · severity 8
Apr 12, 2026 • 21:26
/godai/login/?next=%2Fgodai%2F
Auth success (200) on auth endpoint
IP 43.135.115.233 · Subnet 43.135.115.0/24 · Org Tencent Cloud Computing · Country Hong Kong · Rule cred:auth_success

GET · 200 · severity 10
Apr 12, 2026 • 21:26
/godai/login/?next=%2Fgodai%2F
Auth request appears to use an automation-oriented user agent
IP 43.135.115.233 · Subnet 43.135.115.0/24 · Org Tencent Cloud Computing · Country Hong Kong · Rule cred:scripted_user_agent

GET · 200 · severity informational
Apr 12, 2026 • 21:26
/godai/login/?next=%2Fgodai%2F
Auth endpoint request observed
IP 43.135.115.233 · Subnet 43.135.115.0/24 · Org Tencent Cloud Computing · Country Hong Kong · Rule cred:auth_hit:login

GET · 200 · severity 8
Apr 12, 2026 • 21:06
/godai/login/?next=%2Fgodai%2Faccess%2F%3Fbrowse_scope%3Dcity%26country%3DUnited%2BStates%26region%3DVirginia%26city%3D…
Auth success (200) on auth endpoint
IP 43.166.244.192 · Subnet 43.166.244.0/24 · Country United States · Rule cred:auth_success

GET · 200 · severity 10
Apr 12, 2026 • 21:06
/godai/login/?next=%2Fgodai%2Faccess%2F%3Fbrowse_scope%3Dcity%26country%3DUnited%2BStates%26region%3DVirginia%26city%3D…
Auth request appears to use an automation-oriented user agent
IP 43.166.244.192 · Subnet 43.166.244.0/24 · Country United States · Rule cred:scripted_user_agent

GET · 200 · severity informational
Apr 12, 2026 • 21:06
/godai/login/?next=%2Fgodai%2Faccess%2F%3Fbrowse_scope%3Dcity%26country%3DUnited%2BStates%26region%3DVirginia%26city%3D…
Auth endpoint request observed
IP 43.166.244.192 · Subnet 43.166.244.0/24 · Country United States · Rule cred:auth_hit:login

GET · 404 · severity 10
Apr 12, 2026 • 19:13
/login
Auth request appears to use an automation-oriented user agent
IP 93.123.109.222 · Subnet 93.123.109.0/24 · Org Techoff SRV Limited · Country Andorra · Rule cred:scripted_user_agent

GET · 404 · severity informational
Apr 12, 2026 • 19:13
/login
Auth endpoint request observed
IP 93.123.109.222 · Subnet 93.123.109.0/24 · Org Techoff SRV Limited · Country Andorra · Rule cred:auth_hit:login