title: Rubeus Hack Tool
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth
date: 2018/12/19
modified: 2022/10/11
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral_movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
            - ' asreproast '
            - ' dump /service:krbtgt '
            - ' dump /luid:0x'
            - ' kerberoast '
            - ' createnetonly /program:'
            - ' ptt /ticket:'
            - ' /impersonateuser:'
            - ' renew /ticket:'
            - ' asktgt /user:'
            - ' harvest /interval:'
            - ' s4u /user:'
            - ' s4u /ticket:'
            - ' hash /password:'
            - ' golden /aes256:'
            - ' silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical