HackTool - SOAPHound Execution
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
Sigma rule (View on GitHub)
1title: HackTool - SOAPHound Execution
2id: e92a4287-e072-4a40-9739-370c106bb750
3status: test
4description: |
5 Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
6references:
7 - https://github.com/FalconForceTeam/SOAPHound
8 - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
9author: '@kostastsale'
10date: 2024-01-26
11tags:
12 - attack.discovery
13 - attack.t1087
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 selection_1:
19 CommandLine|contains:
20 - ' --buildcache '
21 - ' --bhdump '
22 - ' --certdump '
23 - ' --dnsdump '
24 selection_2:
25 CommandLine|contains:
26 - ' -c '
27 - ' --cachefilename '
28 - ' -o '
29 - ' --outputdirectory'
30 condition: all of selection_*
31falsepositives:
32 - Unknown
33level: high
References
Related rules
- Malicious PowerShell Commandlets - ProcessCreation
- Potential Pikabot Discovery Activity
- Uncommon Connection to Active Directory Web Services
- Hacktool Ruler
- Malicious PowerShell Commandlets - PoshModule