Query Details

Possible Soaphound Tool Execution Using Specific Arguments

Query

# Possible SOAPHound Tool execution using specific arguments

### Description

SOAPHound is a custom-developed .NET data collector tool that enumerates Active Directory environments via the Active Directory Web Services (ADWS) protocol. The following query detects possible SOAPHound activity based on its execution options and the arguments used with them.

### References
- https://github.com/FalconForceTeam/SOAPHound
- https://github.com/tsale/Sigma_rules/blob/main/windows_exploitation/SOAPHound.yml

### Microsoft Defender XDR & Sentinel
```
DeviceProcessEvents
| where ProcessCommandLine has_any (" --buildcache ", " --bhdump ", " --certdump ", " --dnsdump ")
  and ProcessCommandLine has_any (" -c ", " --cachefilename ", " -o ", " --outputdirectory")
```

### MITRE ATT&CK Mapping
- Tactic: Discovery
- Technique ID: T1087
- [Account Discovery](https://attack.mitre.org/techniques/T1087/)

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 27/01/2024    | Initial publish                   |

Explanation

This query is used to detect possible activity of the SOAPHound tool, a .NET data collector used to enumerate Active Directory environments over ADWS. It flags process command lines that combine one of SOAPHound's collection modes (--buildcache, --bhdump, --certdump, --dnsdump) with one of its cache-file or output-directory switches (-c/--cachefilename, -o/--outputdirectory); because it keys on arguments rather than the image name, a renamed binary is still caught, while a command line carrying only one of the two groups is not. It can be used in Microsoft Defender XDR and Sentinel. The query is mapped to the MITRE ATT&CK technique ID T1087 (Account Discovery).
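To make the two-clause logic concrete, here is the same detection applied to a handful of constructed DeviceProcessEvents-style rows. This is an added Python example, not code from the page or from the SOAPHound project; the sample rows are made up for illustration, and `has_any` is simplified to a case-insensitive substring test (the real KQL operator matches whole terms, so treat the helper as an approximation of the query, not a re-implementation of KQL).

```python
from typing import Dict, List

# Argument groups copied from the query above: a command line must contain
# at least one entry from EACH group to be flagged.
MODE_ARGS = [" --buildcache ", " --bhdump ", " --certdump ", " --dnsdump "]
PATH_ARGS = [" -c ", " --cachefilename ", " -o ", " --outputdirectory"]


def has_any(text: str, needles: List[str]) -> bool:
    """Simplified stand-in for KQL has_any (assumption: case-insensitive
    substring match). The real operator matches whole terms; this version
    requires the surrounding spaces in the needles to be present literally."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def is_soaphound_like(cmdline: str) -> bool:
    """Mirror the query's two conjoined has_any clauses."""
    return has_any(cmdline, MODE_ARGS) and has_any(cmdline, PATH_ARGS)


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of `DeviceProcessEvents | where ...` over an in-memory list."""
    return [e for e in events if is_soaphound_like(e["ProcessCommandLine"])]


# Constructed sample rows (not real telemetry), shaped like DeviceProcessEvents.
SAMPLE_EVENTS = [
    {"ReportId": 1, "DeviceName": "ws01", "FileName": "SOAPHound.exe",
     "ProcessCommandLine": r"C:\Tools\SOAPHound.exe --buildcache -c C:\Temp\cache.txt"},
    # Renamed binary: still caught, the query keys on arguments, not the image name.
    {"ReportId": 2, "DeviceName": "ws02", "FileName": "svc.exe",
     "ProcessCommandLine": r"C:\Temp\svc.exe -c C:\Temp\cache.txt --bhdump -o C:\Temp\out"},
    # Mode switch without a cache/output switch: second clause fails, no hit.
    {"ReportId": 3, "DeviceName": "ws03", "FileName": "tool.exe",
     "ProcessCommandLine": r"C:\Temp\tool.exe --dnsdump"},
    # Benign use of a generic -c switch: first clause fails, no hit.
    {"ReportId": 4, "DeviceName": "ws04", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c Get-Process"},
    # Mixed case: has_any is case-insensitive, so this is still a hit.
    {"ReportId": 5, "DeviceName": "ws05", "FileName": "SOAPHOUND.EXE",
     "ProcessCommandLine": r"SOAPHOUND.EXE --BuildCache -C C:\Temp\cache.txt"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[hit] {hit['DeviceName']}: {hit['ProcessCommandLine']}")
```

Running it flags rows 1, 2 and 5 only. The caveat a hunter should keep in mind is the flip side of keying on arguments: SOAPHound is open source, so an operator who recompiles it with renamed switches will not trigger this query, which is why it is best paired with telemetry on the ADWS connection itself (TCP/9389 to a domain controller from a non-admin workstation).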

Details


Michalis Michalos

Released: January 27, 2024

Tables

DeviceProcessEvents

Keywords

Devices, Intune, User

Operators

where, has_any, and
