Credential Combolist / Stealer-Log Line
Detects credential combolist / infostealer-log lines: email:password pairs and host-or-url:user:pass triples, the format in which stolen credentials are aggregated and traded after info-stealer infections. These dumps fuel credential stuffing and account-takeover attacks.
- Type
- regex
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: the email:password and host:user:pass structures are distinctive for credential dumps, but a colon-delimited token can also appear in URLs, config files and timestamps, so corroborating context is needed for high assurance.
- Jurisdictions
- global
- Regulations
- GDPR
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![\w.+-])[\w.+-]+@[\w-]+(?:\.[\w-]+)+:[^\s:]{4,}|(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?::\d{2,5})?(?:/\S*)?:[\w.@-]{2,}:[^\s:]{4,}Corroborative evidence keywords
combolist, combo list, stealer log, infostealer, credential dump, leaked passwords, logins, account takeover
Proximity: 300 characters
Should match
john.doe@example.com:Hunter2Pass— email:password combolist line with fake credentialsadmin@mail.test:P@ssw0rd!— email:password with symbols in the fake passwordhttps://portal.example.org/login:jdoe:S3cretValue— url:user:pass stealer-log triple with fake credentials
Should not match
john.doe@example.com— Email address alone, no colon-delimited passwordnote to self: rotate the leaked passwords tomorrow— Prose containing a label and a keyword but no credential pairtime is 12:30 and the meeting is set— Colon-delimited time/text, not a credential pair
Known false positives
- URLs with embedded ports (host:port) or key/value config lines that resemble a credential pair. Mitigation: Require corroborative combolist/stealer keywords and prefer lines that appear in bulk (many similar lines) before alerting.