Techniques
Sample rules
Windows SOAPHound Binary Execution
- source: splunk
- technicques:
- T1087.002
- T1069.001
- T1482
- T1087.001
- T1087
- T1069.002
- T1069
Description
The following analytic identifies the common command-line argument used by SOAPHound soaphound.exe
. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="soaphound.exe" OR Processes.original_file_name="soaphound.exe" AND Processes.process IN ("*--buildcache *", "*--bhdump *", "*--certdump *", "*--dnsdump *", "*-c *", "*--cachefilename *", "*-o *", "*--outputdirectory *") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_soaphound_binary_execution_filter`