Execution of SOAPHound Tool with Specific Arguments

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

Sigma rule

title: Execution of SOAPHound Tool with Specific Arguments
id: e92a4287-e072-4a40-9739-370c106bb750
status: experimental
description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
  - https://github.com/FalconForceTeam/SOAPHound
  - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024/01/26
tags:
  - attack.discovery
  - attack.t1087
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    CommandLine|contains:
      - ' --buildcache '
      - ' --bhdump '
      - ' --certdump '
      - ' --dnsdump '
  selection2:
    CommandLine|contains:
      - ' -c '
      - ' --cachefilename '
      - ' -o '
      - ' --outputdirectory'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
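The rule's detection logic, evaluated in plain Python against a handful of constructed process_creation command lines. This is an added example, not code from the rule author, the Sigma project or SOAPHound; it reproduces the two selections and the `selection1 and selection2` condition exactly as written above, with Sigma's default case-insensitive string matching. The sample command lines are constructed for illustration and are not real telemetry; the `--help` token in one of them is a placeholder argument, not a documented SOAPHound option.

```python
"""Evaluate the SOAPHound Sigma rule's detection logic against constructed
process_creation events (added example; not part of the Sigma rule or the
SOAPHound project)."""

# Patterns copied verbatim from the rule. The surrounding spaces matter: a
# token only matches when it is delimited by whitespace, which keeps short
# values such as ' -c ' from matching inside unrelated substrings.
SELECTION1 = [" --buildcache ", " --bhdump ", " --certdump ", " --dnsdump "]
SELECTION2 = [" -c ", " --cachefilename ", " -o ", " --outputdirectory"]


def contains_any(command_line: str, patterns: list[str]) -> bool:
    """Sigma 'CommandLine|contains' over a list: OR across the values.
    Sigma treats string values as case-insensitive, so both sides are lowered."""
    haystack = command_line.lower()
    return any(p.lower() in haystack for p in patterns)


def matches_rule(command_line: str) -> bool:
    """condition: selection1 and selection2"""
    return contains_any(command_line, SELECTION1) and contains_any(command_line, SELECTION2)


# Constructed sample events: (command line, whether the rule should fire).
SAMPLE_EVENTS = [
    # collection run with a cache file and output directory: both selections hit
    ("SOAPHound.exe --bhdump -c c:\\temp\\cache.txt -o c:\\temp\\out", True),
    # mixed case still fires because Sigma string matching is case-insensitive
    ("soaphound.exe --CertDump -o C:\\out\\", True),
    # renamed binary: the rule keys on arguments, not on the image name
    ("svc.exe --dnsdump --outputdirectory c:\\users\\public", True),
    # selection1 only (no cache/output argument); '--help' is a placeholder token
    ("SOAPHound.exe --buildcache --help", False),
    # selection2 only: an unrelated interpreter using ' -c '
    ("python.exe -c print(1)", False),
    # trailing-space subtlety: '--bhdump' at the very end lacks the trailing
    # space the rule requires, so selection1 does not match
    ("SOAPHound.exe -c cache.txt --bhdump", False),
]


def evaluate_samples() -> list[tuple[str, bool, bool]]:
    """Return (command line, expected, actual) for every constructed sample."""
    return [(cmd, expected, matches_rule(cmd)) for cmd, expected in SAMPLE_EVENTS]


if __name__ == "__main__":
    for cmd, expected, actual in evaluate_samples():
        status = "ALERT" if actual else "no match"
        print(f"{status:9} expected={expected!s:5} {cmd}")
```

The last two samples show why the short values in selection2 are only safe in combination: `' -c '` alone would fire on any interpreter invocation, and the AND with selection1 is what keeps the rule at a high confidence level. The final sample also illustrates a gap a defender should know about: because the selection1 values end in a space, a collection flag placed as the last argument does not match.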
