title: Hydra Password Guessing Hack Tool
ruletype: Sigma
author: Vasiliy Burov
date: 2020/10/05
description: Detects command line parameters used by Hydra password guessing hack
  tool
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '*-u *'
  SELECTION_3:
    CommandLine: '*-p *'
  SELECTION_4:
    CommandLine:
    - '*^USER^*'
    - '*^PASS^*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Software that uses the caret encased keywords PASS and USER in its command line
id: aaafa146-074c-11eb-adc1-0242ac120002
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/11/27
references:
- https://github.com/vanhauser-thc/thc-hydra
- https://attack.mitre.org/techniques/T1110/001/
status: test
tags:
- attack.credential_access
- attack.t1110
- attack.t1110.001