HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
Sigma rule (View on GitHub)

```yaml
title: HackTool - TruffleSnout Execution
id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
status: test
description: Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
    - https://github.com/dsnezhkov/TruffleSnout
    - https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md
author: frack113
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'TruffleSnout.exe'
        - Image|endswith: '\TruffleSnout.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
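The selection above is a list of two maps, so Sigma ORs them: a process creation event matches when either the PE's OriginalFileName is TruffleSnout.exe or the image path ends in \TruffleSnout.exe, with Sigma's default case-insensitive string comparison. The following added example (not part of the rule or the Sigma project) evaluates exactly that logic over constructed Sysmon-style process creation events; the event field names and sample paths are assumptions for illustration.

```python
"""Evaluate the TruffleSnout Sigma selection against process_creation events."""
from typing import Dict, Iterable, List

# The rule's selection: a list of maps. Keys inside one map are ANDed,
# the maps themselves are ORed (Sigma list-of-maps semantics).
SELECTION = [
    {"OriginalFileName": "TruffleSnout.exe"},
    {"Image|endswith": "\\TruffleSnout.exe"},
]


def _field_matches(event: Dict[str, str], key: str, pattern: str) -> bool:
    """Apply one Sigma field/modifier pair to an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    # Sigma string matching is case-insensitive unless a cased modifier is used.
    value, pattern = str(value).lower(), pattern.lower()
    if modifier == "":
        return value == pattern
    if modifier == "endswith":
        return value.endswith(pattern)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_truffle_snout(event: Dict[str, str]) -> bool:
    return any(
        all(_field_matches(event, k, v) for k, v in entry.items())
        for entry in SELECTION
    )


def alert_on(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if matches_truffle_snout(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\TruffleSnout.exe", "OriginalFileName": "TruffleSnout.exe"},
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "trufflesnout.exe"},  # renamed on disk, PE header still matches
    {"Image": r"C:\Temp\tools\trufflesnout.exe", "OriginalFileName": "?"},  # only the image path matches
    {"Image": r"C:\Windows\System32\dsquery.exe", "OriginalFileName": "dsquery.exe"},  # benign, no match
]

if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print("ALERT: HackTool - TruffleSnout Execution ->", hit["Image"])
```

The second and third samples show why the rule keys on both fields: a renamed binary is still caught through OriginalFileName, and a binary with a stripped version resource is still caught through its image name.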
Related rules
- BloodHound Collection Files
- DNS Server Discovery Via LDAP Query
- Domain Trust Discovery Via Dsquery
- HackTool - Bloodhound/Sharphound Execution
- HackTool - SharpView Execution