Execution of SOAPHound Tool with Specific Arguments
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
Sigma rule (View on GitHub)
1title: Execution of SOAPHound Tool with Specific Arguments
2id: b42a9af6-f6bb-49e3-b443-bba4fea308cd
3status: experimental
4description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
5references:
6 - https://github.com/FalconForceTeam/SOAPHound
7 - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
8author: '@kostastsale'
9date: 2024/01/26
10tags:
11 - attack.discovery
12 - attack.t1087
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection1:
18 CommandLine|contains:
19 - ' --buildcache '
20 - ' --bhdump '
21 - ' --certdump '
22 - ' --dnsdump '
23 selection2:
24 CommandLine|contains:
25 - ' -c '
26 - ' --cachefilename '
27 - ' -o '
28 - ' --outputdirectory'
29 condition: selection1 and selection2
30falsepositives:
31 - Unknown
32level: high
References
-
SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol. - FalconForceTeam/SOAPHound
Read More -
SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the …
Read More
Related rules
- PUA - Seatbelt Execution
- SharpHound Recon Account Discovery
- Reconnaissance Activity Using BuiltIn Commands
- Hacktool Ruler
- Emotet Child Process Spawn Pattern