HackTool - Rubeus Execution

calendar Oct 23, 2025 · attack.defense-evasion attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003  ·
Share on: linkedin copy

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Sigma rule (View on GitHub)

 1title: HackTool - Rubeus Execution
 2id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 3related:
 4    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 5      type: similar
 6status: stable
 7description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
 8references:
 9    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
10    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
11    - https://github.com/GhostPack/Rubeus
12author: Florian Roth (Nextron Systems)
13date: 2018-12-19
14modified: 2023-04-20
15tags:
16    - attack.defense-evasion
17    - attack.credential-access
18    - attack.t1003
19    - attack.t1558.003
20    - attack.lateral-movement
21    - attack.t1550.003
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        - Image|endswith: '\Rubeus.exe'
28        - OriginalFileName: 'Rubeus.exe'
29        - Description: 'Rubeus'
30        - CommandLine|contains:
31              - 'asreproast '
32              - 'dump /service:krbtgt '
33              - 'dump /luid:0x'
34              - 'kerberoast '
35              - 'createnetonly /program:'
36              - 'ptt /ticket:'
37              - '/impersonateuser:'
38              - 'renew /ticket:'
39              - 'asktgt /user:'
40              - 'harvest /interval:'
41              - 's4u /user:'
42              - 's4u /ticket:'
43              - 'hash /password:'
44              - 'golden /aes256:'
45              - 'silver /user:'
46    condition: selection
47falsepositives:
48    - Unlikely
49level: critical

References

  • From Kekeo to Rubeus

    Kekeo, the other big project from Benjamin Delpy after Mimikatz, is an awesome code base with a set of great features. As Benjamin states, it’s external to the Mimikatz codebase because, &#82…


    Read More

  • How To Attack Kerberos 101

    I want to start with article by saying I set out to learn Kerberos in greater detail and I figured that writing this would help cement my existing knowledge and give me reason to learn along the way, I am no Kerberos expert I am simply learning as I go along and getting my head around all the different terminologies so if you notice something amiss feel free to DM me and put me right. And if you do not understand something feel free to drop me a DM and I will do my best to help


    Read More

  • GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.

    Trying to tame the three-headed dog. Contribute to GhostPack/Rubeus development by creating an account on GitHub.


    Read More

Related rules

to-top