Credential Schema

Every credential presented in Cavalier was stolen directly from the browser of a victim whose machine executed an information-stealer ("infostealer") malware. These malware families are spread by tricking the victim into downloading a malicious file through a variety of lures. The campaigns are usually run by threat actors opportunistically and at global scale, with little targeting, so employees of companies that were never directly targeted routinely have their corporate credentials stolen along with everything else saved in the browser.

How do we differentiate between compromised employees and compromised users?

Hudson Rock applies the following logic to distinguish an organization's compromised employees from compromised end-users.

  • Credentials containing a corporate email address (e.g., @tesla.com) used to access a company-owned domain (e.g., tesla.com) are classified as belonging to an employee.
  • In contrast, credentials with a public email domain (e.g., @gmail.com) accessing the same company domain are categorized as end-users.

Additionally, domain infrastructure helps further refine this classification. For example, a username captured on a login portal such as citrix.tesla.com, tesla.com/vpn/login, or webmail.tesla.com indicates an employee account, because such portals are used by staff rather than customers.
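The rules above, as an added example implemented in Python. This is illustrative code written for this page, not Hudson Rock's classifier: the set of public mail providers, the hostname labels and path fragments treated as staff portals, and the fallback for bare usernames on ordinary pages are all assumptions, since Cavalier's real logic is not published here.

```python
from typing import Iterable, Optional
from urllib.parse import urlparse

# Assumption: a small set of consumer mail providers stands in for whatever list
# Cavalier uses to recognise "public" email domains.
PUBLIC_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Assumption: hostname labels and URL path fragments that mark a staff-facing login
# portal rather than a customer-facing site (the page names citrix, vpn and webmail).
PORTAL_LABELS = {"citrix", "vpn", "webmail", "owa", "sso", "remote"}
PORTAL_PATH_HINTS = ("/vpn/",)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (citrix.example.com -> example.com).

    A production implementation should use the Public Suffix List so that hosts
    such as portal.example.co.uk are handled correctly; two labels is enough here.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def email_domain(username: str) -> Optional[str]:
    """Return the domain part of an email-style username, or None for a bare login."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1].lower()


def looks_like_employee_portal(url: str) -> bool:
    """True when the URL's subdomain or path marks a staff login portal."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    subdomain_labels = host.split(".")[:-2]  # everything left of the registrable domain
    if any(label in PORTAL_LABELS for label in subdomain_labels):
        return True
    return any(hint in parsed.path.lower() for hint in PORTAL_PATH_HINTS)


def classify(url: str, username: str, queried_domains: Iterable[str]) -> Optional[str]:
    """Classify one stolen credential as employee / user / third_party.

    Returns None when the record involves none of the queried domains.
    """
    site = registrable_domain(urlparse(url).hostname or "")
    queried = {registrable_domain(d) for d in queried_domains}
    mail = email_domain(username)
    corporate_mail = mail is not None and mail not in PUBLIC_EMAIL_DOMAINS

    if site in queried:
        # Corporate address used on the company's own domain -> employee.
        if corporate_mail and mail == site:
            return "employee"
        # Bare username on a staff portal (citrix., /vpn/, webmail.) -> employee.
        if mail is None and looks_like_employee_portal(url):
            return "employee"
        # Public mail address on the company's domain -> end-user. Assumption: a bare
        # username on an ordinary page, or another organisation's corporate address,
        # is also treated as an end-user.
        return "user"

    # Corporate address of a queried organisation entered on some other service
    # (e.g. salesforce.com) -> third_party.
    if corporate_mail and mail in queried:
        return "third_party"

    return None


def classify_response(response: dict, queried_domains: Iterable[str]) -> list:
    """Re-derive the type for each record of a Cavalier-style credentials payload."""
    return [classify(c["url"], c["username"], queried_domains)
            for c in response["credentials"]]


# Constructed sample payload (not real data): the three records shown on this page
# plus two bare-username portal logins.
SAMPLE_RESPONSE = {
    "credentials": [
        {"url": "https://webmail.example.com/login.aspx", "domain": "example.com",
         "username": "employee@example.com", "password": "abc102030"},
        {"url": "https://example.com/login", "domain": "example.com",
         "username": "user@gmail.com", "password": "abc102030"},
        {"url": "https://salesforce.com/login", "domain": "salesforce.com",
         "username": "employee@example.com", "password": "abc102030"},
        {"url": "https://citrix.example.com/", "domain": "example.com",
         "username": "jdoe", "password": "abc102030"},
        {"url": "https://example.com/vpn/login", "domain": "example.com",
         "username": "jdoe", "password": "abc102030"},
    ]
}

if __name__ == "__main__":
    kinds = classify_response(SAMPLE_RESPONSE, ["example.com"])
    for cred, kind in zip(SAMPLE_RESPONSE["credentials"], kinds):
        print(f"{kind:12} {cred['username']:22} {cred['url']}")
```

The `registrable_domain` helper deliberately collapses subdomains so that citrix.example.com and webmail.example.com count as the company-owned domain example.com; the third_party branch only fires when the email domain, not the site, belongs to the queried organisation.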

Data Fields

Key        Data type   Options                       Description
type       string      employee, user, third_party   Indicates whether the credentials found are corporate (of an employee) or not (of a user). When domains are specified in the query, the third_party type will be available as well.
url        string      any                           The URL the victim entered credentials into.
domain     string      any                           Only the domain, without any additions.
username   string      any                           The login entered by the victim.
password   string      any                           The password entered by the victim.

Employee Credential

{
  "credentials": [
    {
      "type": "employee",
      "url": "https://webmail.example.com/login.aspx",
      "domain": "example.com",
      "username": "[email protected]",
      "password": "abc102030"
    }
  ]
}

User Credential

{
  "credentials": [
    {
      "type": "user",
      "url": "https://example.com/login",
      "domain": "example.com",
      "username": "[email protected]",
      "password": "abc102030"
    }
  ]
}

Third Party Credential

Third party credentials are defined relative to the domains specified in your query: the username carries a corporate email address of a queried domain, but the credential was entered on a service that is not one of the queried domains. In the example below, example.com is one of the queried domains and salesforce.com is not.

{
  "credentials": [
    {
      "type": "third_party",
      "url": "https://salesforce.com/login",
      "domain": "salesforce.com",
      "username": "[email protected]",
      "password": "abc102030"
    }
  ]
}