HackTool - Hydra Password Bruteforce Execution
About the rule
Rule Type
Standard
Rule Description
Detects the execution of the Hydra password guessing tool based on command-line parameters that indicate brute-force password attacks.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Credential Access → Lateral Movement
Impact
Account compromise due to guessed or brute-forced passwords, enabling unauthorized access and lateral movement.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a domain controller with domain admin rights.
- Open Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog.
- Create a new GPO or edit an existing one linked to the required OU.
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
- Enable Audit Process Creation (select "Configure the following audit events" and check Success)
- Enable Audit Process Termination (same as above)
- To log command-line details, go to: Computer Configuration → Administrative Templates → System → Audit Process Creation
- Enable Include command line in process creation events
- Ensure the following registry key exists:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Microsoft Sysinternals.
- Open Command Prompt as Administrator.
- Install Sysmon using a configuration file that includes process creation monitoring. Example configuration should contain:
- A rule to log all process creation events (e.g., ProcessCreate with onmatch="exclude" to log everything).
- Ensure the following registry key exists:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational\
Criteria
Action1: actionname = "Process started" AND (COMMANDLINE contains "-u " AND COMMANDLINE contains "-p ") AND COMMANDLINE contains "^USER^,^PASS^"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
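The criteria above, evaluated over a few constructed process-creation events. This is an added example, not the vendor's rule engine: the event field names follow the Action1 columns in the criteria, and every hostname, path and user is a placeholder. The last event reproduces the known false positive (a non-Hydra tool whose command line carries caret-encased keywords together with "-u " and "-p ").

```python
"""Apply the rule's Criteria to constructed process-creation events."""
from typing import Dict, List

# Columns named in the rule's select clause.
SELECTED_FIELDS = ["HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME"]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the criteria (literal, case-sensitive
    substring checks; the trailing space in "-u " / "-p " keeps options
    such as "-url" or "-port" from matching)."""
    if event.get("actionname") != "Process started":
        return False
    cmd = event.get("COMMANDLINE", "")
    return ("-u " in cmd and "-p " in cmd) and "^USER^,^PASS^" in cmd


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter events with the rule and project hits onto the selected fields."""
    return [{f: e.get(f, "") for f in SELECTED_FIELDS}
            for e in events if matches_rule(e)]


def _event(action: str, host: str, cmd: str, parent: str) -> Dict[str, str]:
    """Build one constructed event record (placeholder values throughout)."""
    exe = cmd.split(" ")[0]
    return {"actionname": action, "HOSTNAME": host, "MESSAGE": action,
            "COMMANDLINE": cmd, "FILE_NAME": exe, "PROCESSNAME": exe,
            "USERNAME": "CORP\\jdoe", "PARENTPROCESSNAME": parent}


# Constructed sample events; hostnames, paths and users are placeholders.
SAMPLE_EVENTS = [
    # Hydra-style command line: -u, -p and the caret placeholders -> hit.
    _event("Process started", "WS01",
           r"C:\Temp\hydra.exe -u -p ^USER^,^PASS^", "cmd.exe"),
    # Same command line but a termination event -> not a hit.
    _event("Process terminated", "WS01",
           r"C:\Temp\hydra.exe -u -p ^USER^,^PASS^", "cmd.exe"),
    # Caret keywords alone, without "-u " and "-p " -> not a hit.
    _event("Process started", "WS02",
           r"C:\Vendor\deploy.exe --template ^USER^,^PASS^", "svchost.exe"),
    # Known false positive: benign tool with -u, -p and caret keywords -> hit.
    _event("Process started", "WS03",
           r"C:\Vendor\deploy.exe -u svc -p ^USER^,^PASS^", "svchost.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["COMMANDLINE"])
```

The second hit is what an analyst would triage against the PARENTPROCESSNAME and FILE_NAME columns before treating it as Hydra activity.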
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1110 – Brute Force
T1110.001 – Password Guessing
Security Standards
Implementation of account lockout policies, multi-factor authentication, strong password policies compliant with NIST guidelines, and user account management best practices.
Author
Vasiliy Burov
Future actions
Known False Positives
Software that uses caret-encased keywords such as PASS and USER in command lines may cause false detections.
Next Steps
- Investigate occurrences of Hydra tool executions for unauthorized activity
- Enforce and tune account lockout and conditional access policies
- Deploy multi-factor authentication and strong password policies
- Monitor authentication logs for brute-force patterns
- Provide user training on password security and attack awareness
Mitigation
| Mitigation ID | Name | Description |
| --- | --- | --- |
| M1036 | Account Use Policies | Set account lockout policies after a defined number of failed login attempts to prevent brute force password guessing attacks. |
| M1032 | Multi-factor Authentication | Require multi-factor authentication on all accounts and externally facing services to reduce the risk of credential compromise. |
| M1027 | Password Policies | Follow NIST guidelines for strong password policies, including complexity, length, and uniqueness, to hinder brute force attacks. |
| M1018 | User Account Management | Proactively reset accounts known to have breached credentials or after detecting brute force attempts to minimize impact. |
| M1051 | Update Software | Keep authentication and management services up to date to incorporate the latest security features and policy enforcement capabilities. |