HackTool - Rubeus Execution - ScriptBlock

Detects the execution of the hacktool Rubeus using specific command line flags

Sigma rule (View on GitHub)

 1title: HackTool - Rubeus Execution - ScriptBlock
 2id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
 3related:
 4    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 5      type: similar
 6status: experimental
 7description: Detects the execution of the hacktool Rubeus using specific command line flags
 8references:
 9    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
10    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
11    - https://github.com/GhostPack/Rubeus
12author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
13date: 2023/04/27
14tags:
15    - attack.credential_access
16    - attack.t1003
17    - attack.t1558.003
18    - attack.lateral_movement
19    - attack.t1550.003
20logsource:
21    product: windows
22    category: ps_script
23    definition: 'Requirements: Script Block Logging must be enabled'
24detection:
25    selection:
26        ScriptBlockText|contains:
27            - 'asreproast '
28            - 'dump /service:krbtgt '
29            - 'dump /luid:0x'
30            - 'kerberoast '
31            - 'createnetonly /program:'
32            - 'ptt /ticket:'
33            - '/impersonateuser:'
34            - 'renew /ticket:'
35            - 'asktgt /user:'
36            - 'harvest /interval:'
37            - 's4u /user:'
38            - 's4u /ticket:'
39            - 'hash /password:'
40            - 'golden /aes256:'
41            - 'silver /user:'
42    condition: selection
43falsepositives:
44    - Unlikely
45level: high

Related rules

to-top