- Home
- Correlation Rule Library
- Hydra detection
Detecting Hydra
Rule added on 30th April, 2024In this page
Rule type:
Correlation
Rule description:
Hydra is a password cracking tool to perform brute force attacks against network services. The tool is used by professional ethical hackers to test the strength of passwords and assess the security posture of organizations.
However, attackers may also attempt to use it to perform malicious actions such as credential compromise and laterally move within the network.
Impact:
It can be used by adversaries in the following ways:
- Brute force
- Credential compromise
- Data breach
- Lateral movement
Data source:
Windows:
Required configuration: The rules is based on the process creation and termination. Prerequisites required are installing and configuring Sysmon, enabling audit process creation audit policy, and the command line auditing.
Relevant MITRE ATT&CK techniques and tactics:
Software
Criteria:
Command line contains "Hydra"
'Hydra'- Use of 'hydra' in command line may suggest that attackers are attempting a brute-force attack against the victim's network services such ass File Transfer Protocol (FTP), Server Message Block (SMB), Secure Shell (SSH)and more.
When to enable this rule:
Enabling this rule will help you meet the security standards' requirements listed below:
Security standards (NIST CSF 2.0):
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
When this rule is triggered, you're notified when Hydra is being used within the network. This enables you to stop the runtime activity and prevent attacker goals.
PR.PS-05: Installation and execution of unauthorized software are prevented
When this rule is triggered, you're notified when Hydra is being used within the network. This enables you to detect the use of unauthorized softwares within the network and prevent credential theft and other attacker goals.
Known false positives: The blue teams might use the tool to test the effectiveness of their defensive measures and incident response protocols.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify the alert as a new incident or within an ongoing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to cease the malicious process.
- Strong Password Policy Enforcement: Ensure a strong password policy is adhered to across the organization.