From cf585abe511b6ba380f0aaa3ba90f76fc138885c Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 27 Apr 2023 16:38:52 +0200
Subject: [PATCH] feat: new rule for Rubeus in pwsh scriptblock log

---
 .../powershell_script/posh_ps_hktl_rubeus.yml | 45 +++++++++++++++++++
 .../proc_creation_win_hktl_rubeus.yml | 3 ++
 2 files changed, 48 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
new file mode 100644
index 000000000..cd169aeec
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
@@ -0,0 +1,45 @@
+title: HackTool - Rubeus Execution - ScriptBlock
+id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
+related:
+    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
+      type: similar
+status: experimental
+description: Detects the execution of the hacktool Rubeus using specific command line flags
+references:
+    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+    - https://github.com/GhostPack/Rubeus
+author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
+date: 2023/04/27
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.t1558.003
+    - attack.lateral_movement
+    - attack.t1550.003
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - 'asreproast '
+            - 'dump /service:krbtgt '
+            - 'dump /luid:0x'
+            - 'kerberoast '
+            - 'createnetonly /program:'
+            - 'ptt /ticket:'
+            - '/impersonateuser:'
+            - 'renew /ticket:'
+            - 'asktgt /user:'
+            - 'harvest /interval:'
+            - 's4u /user:'
+            - 's4u /ticket:'
+            - 'hash /password:'
+            - 'golden /aes256:'
+            - 'silver /user:'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
index 37a98814b..a80cd1f34 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
@@ -1,5 +1,8 @@
 title: HackTool - Rubeus Execution
 id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
+related:
+    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
+      type: similar
 status: stable
 description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
 references:
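Review bot: The new rule file ends without a final newline (`\ No newline at end of file` after `level: critical`), which the repository's YAML lint presumably rejects, so add the trailing newline before merging. Several selectors also hard-require a trailing space (`'asreproast '`, `'kerberoast '`, `'dump /service:krbtgt '`), so a command invoked with no further arguments in a script block, e.g. `Invoke-Rubeus -Command "kerberoast"` or `[Rubeus.Program]::MainString("kerberoast")`, is not matched; if that is a deliberate false-positive trade-off it deserves a comment such as `# trailing spaces are intentional: bare 'kerberoast'/'asreproast' appear in unrelated scripts`, otherwise `'kerberoast /'`-style variants would close the gap without matching bare words. The description is copied verbatim from the process-creation rule; `Detects the execution of the hacktool Rubeus via PowerShell script block logging using specific command line flags` says what this rule actually looks at.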
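Review bot: The `related` entry added to the process-creation rule points at the rule's own id, `7ec2c172-dceb-4c10-92c9-87c1881b7e18`, instead of the new script-block rule, so the cross-reference is circular and the intended link to `posh_ps_hktl_rubeus.yml` is lost. Change the added line to `    - id: 3245cd30-e015-40ff-a31d-5cadd5f377ec`, the id declared in the new file. The new rule's own `related` block correctly references `7ec2c172-…`, so only this side needs fixing. The rest of the process-creation rule continues past the hunk.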