HackTool - Rubeus Execution

calendar Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003  ·
Share on: linkedin copy

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Sigma rule (View on GitHub)

 1title: HackTool - Rubeus Execution
 2id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 3related:
 4    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 5      type: similar
 6status: stable
 7description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
 8references:
 9    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
10    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
11    - https://github.com/GhostPack/Rubeus
12author: Florian Roth (Nextron Systems)
13date: 2018-12-19
14modified: 2023-04-20
15tags:
16    - attack.credential-access
17    - attack.t1003
18    - attack.t1558.003
19    - attack.lateral-movement
20    - attack.t1550.003
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        - Image|endswith: '\Rubeus.exe'
27        - OriginalFileName: 'Rubeus.exe'
28        - Description: 'Rubeus'
29        - CommandLine|contains:
30              - 'asreproast '
31              - 'dump /service:krbtgt '
32              - 'dump /luid:0x'
33              - 'kerberoast '
34              - 'createnetonly /program:'
35              - 'ptt /ticket:'
36              - '/impersonateuser:'
37              - 'renew /ticket:'
38              - 'asktgt /user:'
39              - 'harvest /interval:'
40              - 's4u /user:'
41              - 's4u /ticket:'
42              - 'hash /password:'
43              - 'golden /aes256:'
44              - 'silver /user:'
45    condition: selection
46falsepositives:
47    - Unlikely
48level: critical

References

  • From Kekeo to Rubeus

    Kekeo, the other big project from Benjamin Delpy after Mimikatz, is an awesome code base with a set of great features. As Benjamin states, it’s external to the Mimikatz codebase because, &#82…


    Read More

  • How To Attack Kerberos 101

    I want to start with article by saying I set out to learn Kerberos in greater detail and I figured that writing this would help cement my existing knowledge and give me reason to learn along the way, I am no Kerberos expert I am simply learning as I go along and getting my head around all the different terminologies so if you notice something amiss feel free to DM me and put me right. And if you do not understand something feel free to drop me a DM and I will do my best to help


    Read More

  • GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.

    Trying to tame the three-headed dog. Contribute to GhostPack/Rubeus development by creating an account on GitHub.


    Read More

Related rules

to-top