HackTool - Rubeus Execution - ScriptBlock

calendar Mar 1, 2024 · attack.credential_access attack.t1003 attack.t1558.003 attack.lateral_movement attack.t1550.003  ·
Share on: linkedin copy

Detects the execution of the hacktool Rubeus using specific command line flags

Sigma rule (View on GitHub)

 1title: HackTool - Rubeus Execution - ScriptBlock
 2id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
 3related:
 4    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 5      type: similar
 6status: test
 7description: Detects the execution of the hacktool Rubeus using specific command line flags
 8references:
 9    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
10    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
11    - https://github.com/GhostPack/Rubeus
12author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
13date: 2023/04/27
14tags:
15    - attack.credential_access
16    - attack.t1003
17    - attack.t1558.003
18    - attack.lateral_movement
19    - attack.t1550.003
20logsource:
21    product: windows
22    category: ps_script
23    definition: 'Requirements: Script Block Logging must be enabled'
24detection:
25    selection:
26        ScriptBlockText|contains:
27            - 'asreproast '
28            - 'dump /service:krbtgt '
29            - 'dump /luid:0x'
30            - 'kerberoast '
31            - 'createnetonly /program:'
32            - 'ptt /ticket:'
33            - '/impersonateuser:'
34            - 'renew /ticket:'
35            - 'asktgt /user:'
36            - 'harvest /interval:'
37            - 's4u /user:'
38            - 's4u /ticket:'
39            - 'hash /password:'
40            - 'golden /aes256:'
41            - 'silver /user:'
42    condition: selection
43falsepositives:
44    - Unlikely
45level: high

References

  • From Kekeo to Rubeus

    Kekeo, the other big project from Benjamin Delpy after Mimikatz, is an awesome code base with a set of great features. As Benjamin states, it’s external to the Mimikatz codebase because, &#82…


    Read More

  • How To Attack Kerberos 101

    I want to start with article by saying I set out to learn Kerberos in greater detail and I figured that writing this would help cement my existing knowledge and give me reason to learn along the way, I am no Kerberos expert I am simply learning as I go along and getting my head around all the different terminologies so if you notice something amiss feel free to DM me and put me right. And if you do not understand something feel free to drop me a DM and I will do my best to help


    Read More

  • GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.

    Trying to tame the three-headed dog. Contribute to GhostPack/Rubeus development by creating an account on GitHub.


    Read More

Related rules

to-top