MITRE ATT&CK mapping
HYDRA automatically classifies every command into MITRE ATT&CK tactics using 20+ regex/heuristic patterns. The DataRouter then maps each tactic to both defensive and offensive training descriptions.
Tactic coverage
| Tactic | Observed events | Example commands |
| --- | --- | --- |
| discovery | 1,155 | uname -a, ls, cat /etc/passwd, ip addr, ps aux, hostname |
| credential-access | 246 | cat /etc/shadow, cat ~/.aws/credentials, ls /root/.ssh, find -name *.pem |
| command-and-control | 19 | wget http://..., curl http://... \| sh |
| privilege-escalation | 8 | find / -perm -4000, sudo -l, cat /etc/sudoers |
| exfiltration | 6 | scp, DNS tunneling attempts |
Command → tactic mapping
The full pattern table from data_router.py:
Discovery
| Pattern | Description |
| --- | --- |
| cat /etc/passwd | List system users |
| ss -tlnp / netstat | List listening services |
| ps aux | List running processes |
| uname -a | Identify kernel and OS |
| ifconfig / ip addr | Discover network interfaces |
| whoami / id | Identify current user |
| hostname | Identify server name |
| cat /etc/crontab | List scheduled tasks |
| df -h | Check disk space |
| nmap | Network scanning |
| curl / ping | Network connectivity |
Credential access
| Pattern | Description |
| --- | --- |
| find *.pem | Search for private keys |
| find id_rsa | Search for SSH keys |
| cat .aws/* | Read AWS credentials |
| cat .ssh/* | Read SSH keys |
| cat .bash_history | Read command history |
| cat .env | Read environment variables |
Privilege escalation
| Pattern | Description |
| --- | --- |
| find -perm -4000 | Search SUID binaries |
| find -perm -2000 | Search SGID binaries |
| sudo -l | List sudo permissions |
| cat /etc/sudoers | Read sudo configuration |
Persistence
| Pattern | Description |
| --- | --- |
| crontab | Modify scheduled tasks |
| echo >> .bashrc | Inject into shell startup |
| echo >> .profile | Inject into login profile |
| systemctl enable | Enable a service at boot |
Defense evasion
| Pattern | Description |
| --- | --- |
| history -c | Clear command history |
| rm .bash_history | Delete history file |
| unset HISTFILE | Disable history logging |
| shred | Secure file deletion |
Execution
| Pattern | Description |
| --- | --- |
| wget \| sh | Download and execute |
| curl \| bash | Download and execute via curl |
| chmod +x | Make file executable |
| python -c | Inline Python execution |
Lateral movement
| Pattern | Description |
| --- | --- |
| ssh | Connect to another system |
| nc | Netcat connection |
Dual-use descriptions
Each tactic has a defensive AND offensive description used by the DataRouter:
```python
MITRE_DUAL_MAP = {
    "credential-access": {
        "defensive": "Detect credential extraction attempts",
        "offensive": "Credential harvesting techniques (shadow, DPAPI, mimikatz)",
    },
    "privilege-escalation": {
        "defensive": "Detect privilege escalation attempts",
        "offensive": "Escalation techniques: SUID, kernel exploits, sudo misconfig",
    },
    # ... (11 tactics total)
}
```
This dual mapping is what enables the same raw event to produce both defensive and offensive training data.