HackTool - SOAPHound Execution

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

Sigma rule

```yaml
title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
        Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
    - https://github.com/FalconForceTeam/SOAPHound
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - ' --buildcache '
            - ' --bhdump '
            - ' --certdump '
            - ' --dnsdump '
    selection_2:
        CommandLine|contains:
            - ' -c '
            - ' --cachefilename '
            - ' -o '
            - ' --outputdirectory'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
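To show how the two selections and the `all of selection_*` condition combine, the following is an added Python evaluator run over constructed process_creation events. It is not SigmaHQ or FalconForce code; in practice the rule is compiled with the Sigma CLI or pySigma into the SIEM's query language. It assumes the Sigma `CommandLine` field name and the default case-insensitive substring semantics of `|contains`, and the sample events are made up for the demonstration.

```python
# Added example: minimal evaluator for the SOAPHound Sigma rule above.
# Not SigmaHQ code; it mirrors the rule's logic for illustration only.
from typing import Dict, List

# Values copied verbatim from the rule. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased before comparing.
SELECTION_1 = [' --buildcache ', ' --bhdump ', ' --certdump ', ' --dnsdump ']
SELECTION_2 = [' -c ', ' --cachefilename ', ' -o ', ' --outputdirectory']


def contains_any(value: str, needles: List[str]) -> bool:
    """`field|contains: [a, b]` semantics: any listed substring, case-insensitive."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def selection_hits(event: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate each selection independently (useful when tuning a rule)."""
    cmd = event.get("CommandLine", "")
    return {
        "selection_1": contains_any(cmd, SELECTION_1),
        "selection_2": contains_any(cmd, SELECTION_2),
    }


def matches_soaphound_rule(event: Dict[str, str]) -> bool:
    """`condition: all of selection_*` -> every selection must match."""
    return all(selection_hits(event).values())


# Constructed sample events (not real telemetry). Only CommandLine is used by
# the rule; Image is included to show that a renamed binary still matches.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\SOAPHound.exe",
     "CommandLine": r"SOAPHound.exe --buildcache -c C:\temp\cache.txt"},
    {"Image": r"C:\Users\Public\tool.exe",  # renamed binary, same arguments
     "CommandLine": r"tool.exe --bhdump -c C:\temp\cache.txt -o C:\temp\out"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign: only selection_2 hits
     "CommandLine": r"cmd.exe /c dir -o C:\temp"},
    {"Image": r"C:\Users\Public\SOAPHound.exe",  # edge case: '-o' ends the line,
     "CommandLine": r"SOAPHound.exe --certdump -o"},  # so ' -o ' never matches
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event, in order."""
    return [matches_soaphound_rule(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(verdict, selection_hits(event), event["CommandLine"])
```

Two points the run makes visible: the rule keys only on the command line, so renaming `SOAPHound.exe` does not evade it (second event), and the leading and trailing spaces in the patterns mean a flag that sits at the very end of the command line, with nothing after it, is not matched (fourth event). The second behaviour is deliberate in the rule, since it keeps short tokens such as `-c` and `-o` from matching inside unrelated strings, but it is worth knowing when you assess coverage.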
