Create win_hack_hydra.yml

2020-10-05 23:05:27 +03:00
parent c56cd2dfff
commit df704ba4fb
1 changed files with 95 additions and 0 deletions
@@ -0,0 +1,95 @@
+title: Hydra Password Guessing Hack Tool
+description: Detects command line parameters used by Hydra password guessing hack tool
+author: Vasiliy Burov
+references:
+    - https://github.com/vanhauser-thc/thc-hydra
+	  - https://attack.mitre.org/techniques/T1110/001/
+date: 2020/10/05
+tags:
+    - attack.credential_access
+	  - attack.t1110
+    - attack.t1110.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1: 
+        Image|contains: 
+            - '\hydra.exe'
+    selection2:
+        CommandLine|contains: 
+            - ' http-head://'
+			      - ' http-get://'
+			      - ' http-post://'
+			      - ' https-head://'
+			      - ' https-get://'
+			      - ' https-post://'
+			      - ' http-head-form://'
+			      - ' http-get-form://'
+			      - ' http-post-form://'
+			      - ' https-head-form://'
+			      - ' https-get-form://'
+			      - ' https-post-form://'
+			      - ' ssh://'
+			      - ' http-proxy-urlenum://'
+			      - ' http-proxy://'
+			      - ' pop3://'
+			      - ' adam6500://'
+			      - ' asterisk://'
+			      - ' cisco://'
+			      - ' cisco-enable://'
+			      - ' cvs://'
+			      - ' firebird://'
+			      - ' ftp://'
+			      - ' ftps://'
+			      - ' icq://'
+			      - ' imap://'
+			      - ' imaps://'
+			      - ' irc://'
+			      - ' ldap2://'
+			      - ' ldap2s://'
+			      - ' ldap3://'
+			      - ' ldap3s://'
+			      - ' ldap3-crammd5://'
+			      - ' ldap3-crammd5s://'
+			      - ' ldap3-digestmd5://'
+			      - ' ldap3-digestmd5s://'
+			      - ' memcached://'
+			      - ' mongodb://'
+			      - ' mssql://'
+			      - ' mysql://'
+			      - ' nntp://'
+			      - ' oracle-listener://'
+			      - ' oracle-sid://'
+			      - ' pcanywhere://'
+			      - ' pcnfs://'
+			      - ' pop3s://'
+			      - ' postgres://'
+			      - ' radmin2://'
+			      - ' rdp://'
+			      - ' redis://'
+			      - ' rexec://'
+			      - ' rlogin://'
+			      - ' rpcap://'
+			      - ' rsh://'
+			      - ' rtsp://'
+			      - ' s7-300://'
+			      - ' sip://'
+			      - ' smb://'
+			      - ' smtp://'
+			      - ' smtps://'
+			      - ' smtp-enum://'
+			      - ' snmp://'
+			      - ' socks5://'
+			      - ' sshkey://'
+			      - ' svn://'
+			      - ' teamspeak://'
+			      - ' telnet://'
+			      - ' telnets://'
+			      - ' vmauthd://'
+			      - ' vnc://'
+			      - ' xmpp://'
+    condition: selection1 or selection2
+falsepositives:
+    - Other programs that use these command line option
+level: high