HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information or command line parameters

Sigma rule (View on GitHub)

title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information or command line parameters
references:
    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018/12/19
modified: 2023/04/20
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral_movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
            - 'asreproast '
            - 'dump /service:krbtgt '
            - 'dump /luid:0x'
            - 'kerberoast '
            - 'createnetonly /program:'
            - 'ptt /ticket:'
            - '/impersonateuser:'
            - 'renew /ticket:'
            - 'asktgt /user:'
            - 'harvest /interval:'
            - 's4u /user:'
            - 's4u /ticket:'
            - 'hash /password:'
            - 'golden /aes256:'
            - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical
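
An added example (not part of the Sigma project or the original page): a small Python evaluator that mirrors the rule's `selection` over constructed process-creation events and reports which items fired. Because `selection` is a YAML list, its four items are OR-ed; the function name `match_rubeus` and all sample events are assumptions made for illustration.

```python
# Added example: minimal evaluator for this rule's `selection` (Sigma process_creation fields).

CMDLINE_MARKERS = [
    'asreproast ', 'dump /service:krbtgt ', 'dump /luid:0x', 'kerberoast ',
    'createnetonly /program:', 'ptt /ticket:', '/impersonateuser:',
    'renew /ticket:', 'asktgt /user:', 'harvest /interval:', 's4u /user:',
    's4u /ticket:', 'hash /password:', 'golden /aes256:', 'silver /user:',
]


def match_rubeus(event):
    """Return the names of the selection items that matched (empty list = no hit).

    The selection is a YAML list, so a single matching item is enough.
    Sigma string comparisons are case-insensitive by default.
    """
    image = event.get('Image', '').lower()
    original = event.get('OriginalFileName', '').lower()
    description = event.get('Description', '').lower()
    cmdline = event.get('CommandLine', '').lower()

    hits = []
    if image.endswith('\\rubeus.exe'):        # Image|endswith
        hits.append('Image')
    if original == 'rubeus.exe':              # PE metadata survives a file rename
        hits.append('OriginalFileName')
    if description == 'rubeus':
        hits.append('Description')
    if any(marker in cmdline for marker in CMDLINE_MARKERS):  # CommandLine|contains
        hits.append('CommandLine')
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'Image': r'C:\Users\Public\Rubeus.exe', 'OriginalFileName': 'Rubeus.exe',
     'Description': 'Rubeus', 'CommandLine': 'Rubeus.exe kerberoast /outfile:h.txt'},
    {'Image': r'C:\Temp\svc.exe', 'OriginalFileName': 'Rubeus.exe',
     'Description': 'Rubeus', 'CommandLine': 'svc.exe triage'},
    {'Image': r'C:\Temp\upd.exe', 'OriginalFileName': 'upd.exe',
     'Description': '', 'CommandLine': 'upd.exe ASKTGT /USER:svc_sql /rc4:<hash>'},
    {'Image': r'C:\Windows\System32\klist.exe', 'OriginalFileName': 'klist.exe',
     'Description': 'Constructed benign sample', 'CommandLine': 'klist.exe tickets'},
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(ev['Image'], '->', match_rubeus(ev) or 'no match')
```

Reporting which item fired helps triage: a hit on `OriginalFileName` or `Description` alone points to a renamed binary, while a hit on `CommandLine` alone means the PE metadata did not identify the tool.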
