EXPLORE
Sign In
← Back to Explore
sigmacriticalTTP

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information of command line parameters

MITRE ATT&CK

T1003T1558.003T1550.003
defense-evasioncredential-accesslateral-movement

Detection Query

selection:
  - Image|endswith: \Rubeus.exe
  - OriginalFileName: Rubeus.exe
  - Description: Rubeus
  - CommandLine|contains:
      - "asreproast "
      - "dump /service:krbtgt "
      - dump /luid:0x
      - "kerberoast "
      - "createnetonly /program:"
      - "ptt /ticket:"
      - "/impersonateuser:"
      - "renew /ticket:"
      - "asktgt /user:"
      - "harvest /interval:"
      - "s4u /user:"
      - "s4u /ticket:"
      - "hash /password:"
      - "golden /aes256:"
      - "silver /user:"
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2018-12-19

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.credential-accessattack.t1003attack.t1558.003attack.lateral-movementattack.t1550.003
Raw Content
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
              - 'asreproast '
              - 'dump /service:krbtgt '
              - 'dump /luid:0x'
              - 'kerberoast '
              - 'createnetonly /program:'
              - 'ptt /ticket:'
              - '/impersonateuser:'
              - 'renew /ticket:'
              - 'asktgt /user:'
              - 'harvest /interval:'
              - 's4u /user:'
              - 's4u /ticket:'
              - 'hash /password:'
              - 'golden /aes256:'
              - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical