HackTool - Rubeus Execution - ScriptBlock

calendar Oct 23, 2025 · attack.defense-evasion attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003  ·
Share on: linkedin copy

Detects the execution of the hacktool Rubeus using specific command line flags

Sigma rule (View on GitHub)

 1title: HackTool - Rubeus Execution - ScriptBlock
 2id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
 3related:
 4    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 5      type: similar
 6status: test
 7description: Detects the execution of the hacktool Rubeus using specific command line flags
 8references:
 9    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
10    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
11    - https://github.com/GhostPack/Rubeus
12author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
13date: 2023-04-27
14tags:
15    - attack.defense-evasion
16    - attack.credential-access
17    - attack.t1003
18    - attack.t1558.003
19    - attack.lateral-movement
20    - attack.t1550.003
21logsource:
22    product: windows
23    category: ps_script
24    definition: 'Requirements: Script Block Logging must be enabled'
25detection:
26    selection:
27        ScriptBlockText|contains:
28            - 'asreproast '
29            - 'dump /service:krbtgt '
30            - 'dump /luid:0x'
31            - 'kerberoast '
32            - 'createnetonly /program:'
33            - 'ptt /ticket:'
34            - '/impersonateuser:'
35            - 'renew /ticket:'
36            - 'asktgt /user:'
37            - 'harvest /interval:'
38            - 's4u /user:'
39            - 's4u /ticket:'
40            - 'hash /password:'
41            - 'golden /aes256:'
42            - 'silver /user:'
43    condition: selection
44falsepositives:
45    - Unlikely
46level: high

References

  • From Kekeo to Rubeus

    Kekeo, the other big project from Benjamin Delpy after Mimikatz, is an awesome code base with a set of great features. As Benjamin states, it’s external to the Mimikatz codebase because, &#82…


    Read More

  • How To Attack Kerberos 101

    I want to start with article by saying I set out to learn Kerberos in greater detail and I figured that writing this would help cement my existing knowledge and give me reason to learn along the way, I am no Kerberos expert I am simply learning as I go along and getting my head around all the different terminologies so if you notice something amiss feel free to DM me and put me right. And if you do not understand something feel free to drop me a DM and I will do my best to help


    Read More

  • GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.

    Trying to tame the three-headed dog. Contribute to GhostPack/Rubeus development by creating an account on GitHub.


    Read More

Related rules

to-top