From Code to Coverage (Part 4): Hunting SOAPHound - The (!FALSE) Pattern

Attackers are utilizing the SOAPHound enumeration tool to map Active Directory environments by querying non-existent LDAP attributes. Due to Active Directory's query optimization logic, these queries are transformed into a generic '(! (FALSE))' pattern in Event ID 1644 logs, effectively hiding the tool's signature and bypassing traditional string-based detection mechanisms.

Confidence: high | Analyzed: 2026-03-19
Actors/Tools: SOAPHound, SharpHound, Impacket

Source: Huntress

Key Takeaways

  • SOAPHound uses a non-existent LDAP attribute query '(!soaphound=*)' to enumerate Active Directory objects.
  • Active Directory optimizes non-existent attribute queries with negation into '(! (FALSE))' before logging to Event ID 1644, completely bypassing string-matching detection rules.
  • SOAPHound communicates via Active Directory Web Services (ADWS) on port 9389, causing logs to show localhost [::1] as the client, which complicates attribution.
  • SOAPHound hardcodes 'SDFlags:0x7' across all LDAP-based enumeration modes to retrieve security descriptors.
  • Combining the '(! (FALSE))' pattern, 'SDFlags:0x7', and specific attribute lists provides a high-fidelity, near-zero false positive detection signature for SOAPHound.

Affected Systems

  • Active Directory
  • Windows Server (Domain Controllers)

Attack Chain

Attackers execute SOAPHound to enumerate Active Directory objects and permissions. The tool communicates via Active Directory Web Services (ADWS) on port 9389, proxying requests locally. It sends an LDAP query for a non-existent attribute '(!soaphound=*)' along with 'SDFlags:0x7' to request security descriptors. The Domain Controller evaluates the non-existent attribute as FALSE, optimizes the negation, and logs the query as '(! (FALSE))' in Event ID 1644, successfully returning all domain objects while evading signature-based detection.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: Yes
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Sigma

The article provides two Sigma rules for detecting SOAPHound execution by correlating the '(! (FALSE))' pattern with specific attribute lists and 'SDFlags:0x7' in Event ID 1644 logs.

Detection Engineering Assessment

  • EDR Visibility: Low — EDRs typically do not hook deep into LDAP query parsing on Domain Controllers; this detection relies heavily on native Windows Event Logs (Event ID 1644).
  • Network Visibility: Medium — Network sensors can capture ADWS traffic on port 9389, but the payload is SOAP/XML and may be encrypted, obscuring the underlying LDAP query.
  • Detection Difficulty: Moderate — Requires enabling and properly configuring Event ID 1644 logging, which can be noisy, and correlating specific filter patterns with attribute lists and SDFlags.

Required Log Sources

  • Windows Event ID 1644 (Directory Service)

Hunting Hypotheses

  • Hypothesis: Look for Event ID 1644 logs where the LDAP filter is exactly '(! (FALSE))' to identify potential enumeration using non-existent attributes. | Telemetry: Windows Event ID 1644 | ATT&CK Stage: Discovery | FP Risk: Low
  • Hypothesis: Search for Event ID 1644 logs containing 'SDFlags:0x7' combined with the '(! (FALSE))' filter and a large number of returned entries. | Telemetry: Windows Event ID 1644 | ATT&CK Stage: Discovery | FP Risk: Very Low

Control Gaps

  • Signature-based detection rules looking for specific tool names in LDAP queries (e.g., 'soaphound' or 'bloodhound') will fail due to server-side optimization.

Key Behavioral Indicators

  • LDAP Filter '(! (FALSE))'
  • Client IP '[::1]' or '127.0.0.1' in Event ID 1644 due to ADWS proxying
  • Server controls 'SDFlags:0x7'
  • Extensive attribute selection including 'nTSecurityDescriptor', 'msDS-Behavior-Version', 'gPCFileSysPath', etc.
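The two hunting hypotheses and the behavioral indicators above, combined into one scoring routine as an added example (not code from the Huntress article or the SOAPHound project). The Event ID 1644 field labels (Client, Filter, Attribute selection, Server controls, Returned entries) and the sample messages are assumptions; adjust the regex if your Domain Controllers' message text differs.

```python
import re

# Added example (not from the Huntress article): parse an Event ID 1644 message and apply the
# correlation above. Field labels are assumed; adjust if your DC's message text differs.
FIELD_RE = re.compile(
    r"^\s*(Client|Filter|Attribute selection|Server controls|Returned entries):\s*(.*)$", re.M)
# Attributes the article lists as characteristic of SOAPHound's attribute selection.
SOAPHOUND_ATTRS = {"nTSecurityDescriptor", "msDS-Behavior-Version", "gPCFileSysPath"}

def parse_1644(message: str) -> dict:
    f = {k: v.strip() for k, v in FIELD_RE.findall(message)}
    return {
        "client": f.get("Client", ""),
        # "(! (FALSE))" and "(!(FALSE))" are the same filter; normalise whitespace once.
        "filter": re.sub(r"\s+", "", f.get("Filter", "")),
        "attrs": {a.strip() for a in f.get("Attribute selection", "").split(",") if a.strip()},
        "controls": f.get("Server controls", ""),
        "returned": int(f.get("Returned entries", "0") or 0),
    }

def assess(ev: dict, big_result: int = 100) -> tuple:
    """Return (severity, reasons). The optimized filter alone is only 'low'; the filter
    with SDFlags:0x7 and the attribute set is the near-zero-FP match from the article."""
    if ev["filter"] != "(!(FALSE))":
        return "none", []
    reasons = ["filter optimized to (!(FALSE))"]
    if "SDFlags:0x7" in ev["controls"]:
        reasons.append("SDFlags:0x7 requests security descriptors")
    if SOAPHOUND_ATTRS <= ev["attrs"]:
        reasons.append("SOAPHound attribute selection present")
    if ev["client"].startswith(("[::1]", "127.0.0.1")):
        reasons.append("loopback client, consistent with ADWS proxying")
    if ev["returned"] >= big_result:
        reasons.append(f"{ev['returned']} entries returned")
    if len(reasons) >= 3:
        return "high", reasons
    return ("medium" if len(reasons) == 2 else "low"), reasons

# Constructed sample shaped like a 1644 message from a SOAPHound run; not a real log.
SAMPLE_SOAPHOUND = """Internal event: A client issued a search operation with the following options.
Client: [::1]:49812
Filter: (! (FALSE))
Attribute selection: objectSid,nTSecurityDescriptor,msDS-Behavior-Version,gPCFileSysPath
Server controls: SDFlags:0x7
Returned entries: 1843"""
# Constructed benign broad search from a workstation: same result size, different shape.
SAMPLE_BENIGN = """Client: 10.1.2.3:55123
Filter: (objectClass=user)
Attribute selection: sAMAccountName,mail
Returned entries: 1843"""
```

Feed each 1644 message body through `parse_1644` and then `assess`; only the combined filter, control and attribute-set match should reach "high".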

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Enable Event ID 1644 logging on Domain Controllers to capture LDAP queries.
  • Review existing LDAP detection rules to ensure they do not rely solely on tool-specific string matching.

Infrastructure Hardening

  • Monitor and restrict access to Active Directory Web Services (ADWS) on port 9389.
  • Implement rate limiting or alerting for excessive LDAP queries returning large numbers of objects.

User Protection

  • Implement least privilege access to limit the exposure of sensitive Active Directory attributes to standard users.

Security Awareness

  • Educate SOC analysts on LDAP query optimization behaviors and how they can obscure malicious enumeration.

MITRE ATT&CK Mapping

  • T1087.002 - Account Discovery: Domain Account
  • T1069.002 - Permission Groups Discovery: Domain Groups
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • IPs:
    • [::1] - IPv6 localhost address frequently seen as the client in Event ID 1644 logs when SOAPHound proxies requests through ADWS.
    • fe80::f196:f23f:d7bf:b6c30 - Example IPv6 client address observed in test logs issuing the transformed LDAP query.
  • Command Lines:
    • Purpose: Test non-existent attribute LDAP query to observe server-side transformation | Tools: PowerShell, ADSI | Stage: Reconnaissance | [adsisearcher]"(!soaphound=*)"