← Back to Explore
sigmahighHunting
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
Detection Query
selection:
ScriptBlockText|contains:
- "asreproast "
- "dump /service:krbtgt "
- dump /luid:0x
- "kerberoast "
- "createnetonly /program:"
- "ptt /ticket:"
- "/impersonateuser:"
- "renew /ticket:"
- "asktgt /user:"
- "harvest /interval:"
- "s4u /user:"
- "s4u /ticket:"
- "hash /password:"
- "golden /aes256:"
- "silver /user:"
condition: selection
Author
Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
Created
2023-04-27
Data Sources
windowsps_script
Platforms
windows
References
Tags
attack.defense-evasionattack.credential-accessattack.t1003attack.t1558.003attack.lateral-movementattack.t1550.003
Raw Content
title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
- id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
- attack.defense-evasion
- attack.credential-access
- attack.t1003
- attack.t1558.003
- attack.lateral-movement
- attack.t1550.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- 'dump /luid:0x'
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
condition: selection
falsepositives:
- Unlikely
level: high