Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
- https://github.com/FalconForceTeam/SOAPHound
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
- attack.discovery
- attack.t1087
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains:
- ' --buildcache '
- ' --bhdump '
- ' --certdump '
- ' --dnsdump '
selection_2:
CommandLine|contains:
- ' -c '
- ' --cachefilename '
- ' -o '
- ' --outputdirectory'
condition: all of selection_*
falsepositives:
- Unknown
level: high
imProcessCreate
| where (TargetProcessCommandLine contains " --buildcache " or TargetProcessCommandLine contains " --bhdump " or TargetProcessCommandLine contains " --certdump " or TargetProcessCommandLine contains " --dnsdump ") and (TargetProcessCommandLine contains " -c " or TargetProcessCommandLine contains " --cachefilename " or TargetProcessCommandLine contains " -o " or TargetProcessCommandLine contains " --outputdirectory")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |