rules/windows/process_creation/proc_creation_win_hack_rubeus.yml

title: Rubeus Hack Tool
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
status: stable
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
  - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - ' asreproast '
      - ' dump /service:krbtgt '
      - ' kerberoast '
      - ' createnetonly /program:'
      - ' ptt /ticket:'
      - ' /impersonateuser:'
      - ' renew /ticket:'
      - ' asktgt /user:'
      - ' harvest /interval:'
      - ' s4u /user:'
      - ' s4u /ticket:'
      - ' hash /password:'
  condition: selection
falsepositives:
  - Unlikely
level: critical
tags:
  - attack.credential_access
  - attack.t1003
  - attack.t1558.003
  - attack.lateral_movement
  - attack.t1550.003
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Rubeus Hack Tool`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18`
chore: increase rule status 2022-03-07 17:10:51 +01:00			`status: stable`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`description: Detects command line parameters used by Rubeus hack tool`
			`author: Florian Roth`
			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`date: 2018/12/19`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`CommandLine\|contains:`
			`- ' asreproast '`
			`- ' dump /service:krbtgt '`
			`- ' kerberoast '`
			`- ' createnetonly /program:'`
			`- ' ptt /ticket:'`
			`- ' /impersonateuser:'`
			`- ' renew /ticket:'`
			`- ' asktgt /user:'`
			`- ' harvest /interval:'`
			`- ' s4u /user:'`
			`- ' s4u /ticket:'`
			`- ' hash /password:'`
			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
fix: unlikely --> Unlikely 2022-03-16 14:16:10 +01:00			`- Unlikely`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: critical`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
			`- attack.t1558.003`
			`- attack.lateral_movement`
			`- attack.t1550.003`