LoFP / software that uses the caret encased keywords pass and user in its command line

Techniques

• t1110
• t1110.001

Sample rules

HackTool - Hydra Password Bruteforce Execution

• source: sigma
• technicques:
  • t1110
  • t1110.001

Description

Detects command line parameters used by Hydra password guessing hack tool

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ^USER^
  - ^PASS^
  CommandLine|contains|all:
  - '-u '
  - '-p '