HackTool - TruffleSnout Execution

 1title: HackTool - TruffleSnout Execution
 2id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
 3status: test
 4description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
 7    - https://github.com/dsnezhkov/TruffleSnout
 8    - https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md
 9author: frack113
10date: 2022/08/20
11modified: 2023/02/13
12tags:
13    - attack.discovery
14    - attack.t1482
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        - OriginalFileName: 'TruffleSnout.exe'
21        - Image|endswith: '\TruffleSnout.exe'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

• atomic-red-team/atomics/T1482/T1482.md at 40b77d63808dd4f4eafb83949805636735a1fd15 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• GitHub - dsnezhkov/TruffleSnout: Iterative AD discovery toolkit for offensive operations

  

  Iterative AD discovery toolkit for offensive operations - dsnezhkov/TruffleSnout

  
  Read More

• TruffleSnout/TruffleSnout/Docs/USAGE.md at master · dsnezhkov/TruffleSnout

  

  Iterative AD discovery toolkit for offensive operations - dsnezhkov/TruffleSnout

  
  Read More

Related rules

• HackTool - SharpView Execution
• Potential Recon Activity Via Nltest.EXE
• Nltest.EXE Execution
• PUA - AdFind Suspicious Execution
• Potential Active Directory Reconnaissance/Enumeration Via LDAP