Possible Soaphound Tool Execution Using Specific Arguments
Query
DeviceProcessEvents
| where ProcessCommandLine has_any (" --buildcache "," --bhdump ", " --certdump "," --dnsdump ")
and ProcessCommandLine has_any (" -c "," --cachefilename ", " -o "," --outputdirectory")About this query
Possible SOAPHound Tool execution using specific arguments
Description
SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol. The following query will detect possible SOAPHound activity, based on the execution options, and relevant arguments.
References
- https://github.com/FalconForceTeam/SOAPHound
- https://github.com/tsale/Sigma_rules/blob/main/windows_exploitation/SOAPHound.yml
Microsoft Defender XDR & Sentinel
MITRE ATT&CK Mapping
- Tactic: Discovery
- Technique ID: T1087
- Account Discovery
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 27/01/2024 | Initial publish |
Explanation
This query is used to detect possible activity of the SOAPHound tool, which is a .NET data collector used to enumerate Active Directory environments. The query looks for specific execution options and arguments related to SOAPHound. It can be used in Microsoft Defender XDR and Sentinel. The query is mapped to the MITRE ATT&CK technique ID T1087 (Account Discovery).
