HackTool - SOAPHound Execution

Rule name: HackTool - SOAPHound Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Discovery: Account Discovery (T1087)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the execution of SOAPHound, a .NET tool that collects Active Directory data over Active Directory Web Services (ADWS) instead of LDAP, by the specific command-line arguments it is run with. Such invocations may indicate an attempt to extract sensitive AD information (users, groups, computers, certificate templates and DNS records) for offline analysis, for example in BloodHound.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Tool deployment → SOAPHound execution → Active Directory reconnaissance → Data exfiltration

Impact

  • Directory exposure
  • Credential mapping
  • Privilege enumeration
  • Lateral movement

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To configure detailed process tracking:

  1. Log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc.
  2. Create a new GPO, or modify an existing one, linked to the OU that contains the hosts to be monitored.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking. Enable both Audit Process Creation and Audit Process Termination by selecting "Configure the following audit events" and checking the Success box. Only the creation events (Security log, Event ID 4688) feed this rule.
  4. Command lines are not recorded by default. Go to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, enable "Include command line in process creation events", and confirm the setting. Without it the COMMANDLINE criteria of this rule can never match.
  5. Create the registry key Microsoft-Windows-Security-Auditing/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist.

  • Using Sysmon:

To begin process creation monitoring:

  1. Download Sysmon from Microsoft Sysinternals.
  2. Prepare a configuration file that contains a <ProcessCreate> rule group so that all process creation events are captured (Sysmon Event ID 1, which carries the full command line and the parent image in the Microsoft-Windows-Sysmon/Operational log).
  3. From an elevated prompt, install it with sysmon.exe -accepteula -i [configfile.xml].
  4. Create the registry key Microsoft-Windows-Sysmon/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist, to enable event logging.

Criteria

Action1: actionname = "Process started" AND COMMANDLINE contains any of ["--buildcache", "--bhdump", "--certdump", "--dnsdump"] AND COMMANDLINE contains any of [" -c ", "--cachefilename", " -o ", "--outputdirectory"] select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME

Both conditions must hold. The first group matches one of SOAPHound's collection modes (build the ADWS cache, dump BloodHound data, dump certificate data, dump DNS data); the second matches the cache-file or output-directory option those modes are run with. Because the rule keys on arguments rather than on the image name, renaming SOAPHound.exe does not evade it. The short options should be matched as whole arguments (" -c " with surrounding spaces, as listed) so that "-c" is not found inside "--certdump".
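The following is an added example, not code from the page or from the SOAPHound project. It applies the two command-line conditions above to a handful of constructed process-creation events (host names, user names and paths are invented), using the field names from the rule's select clause. It matches whole arguments rather than raw substrings and keeps a bare substring version beside it to show the false positives that the substring reading produces; the reduction of a hypothetical "--flag=value" argument to "--flag" is an assumed normalisation, not something SOAPHound documents.

```python
# Added example, not code from the page or from the SOAPHound project.
# Applies the rule's two command-line conditions to constructed events.
import re

# Group 1: SOAPHound collection modes (any one must be present).
MODE_FLAGS = {"--buildcache", "--bhdump", "--certdump", "--dnsdump"}
# Group 2: cache-file / output-directory options (any one must be present).
IO_FLAGS = {"-c", "--cachefilename", "-o", "--outputdirectory"}
# Fields the rule selects for the alert.
SELECT = ("HOSTNAME", "COMMANDLINE", "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def argument_names(cmdline: str) -> set:
    """Split a Windows command line into arguments (double-quoted runs stay
    together) and return their lower-cased names. '--flag=value' is reduced
    to '--flag' as an assumed defensive normalisation."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return {t.strip('"').lower().split("=", 1)[0] for t in tokens}


def matches_rule(event: dict) -> bool:
    """The page's criteria: a 'Process started' event whose command line
    carries one collection-mode flag AND one cache/output flag."""
    if event.get("actionname") != "Process started":
        return False
    names = argument_names(event.get("COMMANDLINE", ""))
    return bool(names & MODE_FLAGS) and bool(names & IO_FLAGS)


def naive_substring_match(cmdline: str) -> bool:
    """Bare substring reading of the same criteria, kept for comparison:
    '-c' is a substring of '--certdump', so a lone '--certdump' satisfies
    both groups, and any argument merely starting with '--bhdump' counts."""
    cl = cmdline.lower()
    return any(f in cl for f in MODE_FLAGS) and any(f in cl for f in IO_FLAGS)


def run_rule(events):
    """Return the selected fields for every event that trips the rule."""
    return [{k: e.get(k) for k in SELECT} for e in events if matches_rule(e)]


# Constructed sample events in the shape the rule selects from.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "WS01", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "SOAPHound.exe", "PARENTPROCESSNAME": "cmd.exe",
     "COMMANDLINE": r"SOAPHound.exe --buildcache -c C:\temp\cache.txt"},
    {"actionname": "Process started", "HOSTNAME": "WS02", "USERNAME": "CORP\\svc_backup",
     "PROCESSNAME": "sh.exe", "PARENTPROCESSNAME": "powershell.exe",
     # renamed binary: the rule keys on arguments, not on the image name
     "COMMANDLINE": r"C:\Users\Public\sh.exe --bhdump -c C:\temp\cache.txt -o C:\temp\bh-out"},
    {"actionname": "Process started", "HOSTNAME": "WS03", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "SOAPHound.exe", "PARENTPROCESSNAME": "cmd.exe",
     # mode flag only: the second group is missing, so no alert
     "COMMANDLINE": r"SOAPHound.exe --certdump"},
    {"actionname": "Process started", "HOSTNAME": "WS04", "USERNAME": "CORP\\admin",
     "PROCESSNAME": "powershell.exe", "PARENTPROCESSNAME": "explorer.exe",
     # '-c' without any collection mode: benign
     "COMMANDLINE": r'powershell.exe -c "Get-ADUser -Filter *"'},
    {"actionname": "Process started", "HOSTNAME": "WS05", "USERNAME": "CORP\\admin",
     "PROCESSNAME": "tool.exe", "PARENTPROCESSNAME": "explorer.exe",
     # argument that only starts with a mode flag: substring matching would alert
     "COMMANDLINE": r'"C:\Program Files\App\tool.exe" --bhdump-report -o C:\out'},
    {"actionname": "Process terminated", "HOSTNAME": "WS01", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "SOAPHound.exe", "PARENTPROCESSNAME": "cmd.exe",
     # right arguments, wrong action type: the rule only looks at process starts
     "COMMANDLINE": r"SOAPHound.exe --dnsdump -o C:\temp\dns"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["COMMANDLINE"])
```

Only the first two events trip the rule. The third and fifth are exactly the cases where the substring reading fires and the whole-argument reading does not, which is why the short options are listed with surrounding spaces.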

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Discovery: Account Discovery (T1087)

Security Standards

Enabling this rule will help you meet the security standard's requirements listed below:

1. NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations

Provides a catalog of security and privacy controls for all U.S. federal information systems.
Triggering this rule supports AU-6 (Audit Review, Analysis, and Reporting) by detecting suspicious command-line executions, allowing security teams to promptly investigate potential AD reconnaissance attempts.

2. NIST SP 800-61: Computer Security Incident Handling Guide

Offers guidelines for incident detection, analysis, and response.
Triggering this rule aids in IR-4 (Incident Handling) by identifying early indicators of adversary activity like domain enumeration, facilitating timely response and containment.

3. NIST SP 800-137: Information Security Continuous Monitoring (ISCM)

Establishes a framework for maintaining ongoing awareness of security threats.
Triggering this rule supports ISCM strategy implementation by flagging unauthorized access to AD data as a part of continuous process monitoring.

4. NIST SP 800-171: Protecting Controlled Unclassified Information (CUI)

Provides requirements for protecting CUI in non-federal systems.
Triggering this rule aligns with 3.3.1 (System Audit Logs) by ensuring that attempts to extract sensitive directory information are monitored and logged.

5. NIST CSF (Cybersecurity Framework)

Framework focused on identifying, protecting, detecting, responding to, and recovering from cybersecurity events.

Triggering this rule contributes to the “Detect” function by recognizing suspicious use of reconnaissance tools targeting Active Directory environments.

Author

@kostastsale

Future actions

Known False Positives

This rule will also fire when legitimate administrators, IT personnel or an authorised red team use SOAPHound, or a similar collector that accepts the same options, for approved Active Directory auditing or inventory tasks. Such routine collection is indistinguishable from adversarial use on the command line alone, so baseline the accounts, hosts and change windows that are authorised to run it rather than weakening the criteria.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow that terminates the malicious process and blocks its network connections to the domain controllers.
  4. Containment: Isolate the affected system to prevent further access to or exfiltration of Active Directory data.
  5. Remediation: Remove unauthorized tools, reset potentially compromised credentials, and strengthen access controls around AD enumeration capabilities.

Mitigation

Mitigation ID, name and description:

M1028 (Operating System Configuration): Prevent administrator accounts from being enumerated when an application is elevating through UAC, since it can lead to the disclosure of account names. The registry value is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)

M1018 (User Account Management): Manage the creation, modification, use, and permissions associated with user accounts.