HackTool - Rubeus Execution

 1title: HackTool - Rubeus Execution
 2id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 3related:
 4    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 5      type: similar
 6status: stable
 7description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
 8references:
 9    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
10    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
11    - https://github.com/GhostPack/Rubeus
12author: Florian Roth (Nextron Systems)
13date: 2018/12/19
14modified: 2023/04/20
15tags:
16    - attack.credential_access
17    - attack.t1003
18    - attack.t1558.003
19    - attack.lateral_movement
20    - attack.t1550.003
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        - Image|endswith: '\Rubeus.exe'
27        - OriginalFileName: 'Rubeus.exe'
28        - Description: 'Rubeus'
29        - CommandLine|contains:
30              - 'asreproast '
31              - 'dump /service:krbtgt '
32              - 'dump /luid:0x'
33              - 'kerberoast '
34              - 'createnetonly /program:'
35              - 'ptt /ticket:'
36              - '/impersonateuser:'
37              - 'renew /ticket:'
38              - 'asktgt /user:'
39              - 'harvest /interval:'
40              - 's4u /user:'
41              - 's4u /ticket:'
42              - 'hash /password:'
43              - 'golden /aes256:'
44              - 'silver /user:'
45    condition: selection
46falsepositives:
47    - Unlikely
48level: critical

References

• From Kekeo to Rubeus

  

  Kekeo, the other big project from Benjamin Delpy after Mimikatz, is an awesome code base with a set of great features. As Benjamin states, it’s external to the Mimikatz codebase because, &#82…

  
  Read More

• How To Attack Kerberos 101

  

  I want to start with article by saying I set out to learn Kerberos in greater detail and I figured that writing this would help cement my existing knowledge and give me reason to learn along the way, I am no Kerberos expert I am simply learning as I go along and getting my head around all the different terminologies so if you notice something amiss feel free to DM me and put me right. And if you do not understand something feel free to drop me a DM and I will do my best to help

  
  Read More

• GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.

  

  Trying to tame the three-headed dog. Contribute to GhostPack/Rubeus development by creating an account on GitHub.

  
  Read More

Related rules

• Antivirus Password Dumper Detection
• Potential Credential Dumping Attempt Using New NetworkProvider - REG
• Shadow Copies Creation Using Operating Systems Utilities
• User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
• Audit CVE Event