HackTool - Rubeus Execution - ScriptBlock

Original Source: [Sigma source]
Title: HackTool - Rubeus Execution - ScriptBlock
Status: test
Description: Detects the execution of the hacktool Rubeus using specific command line flags
References:
  - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
  - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
  - https://github.com/GhostPack/Rubeus
Author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
Date: 2023-04-27
Modified: None
Tags:
  - attack.credential-access
  - attack.t1003
  - attack.t1558.003
  - attack.lateral-movement
  - attack.t1550.003
Logsource:
  product: windows
  category: ps_script
  definition: Requirements: Script Block Logging must be enabled
Detection:
  selection:
    ScriptBlockText|contains:
      - 'asreproast '
      - 'dump /service:krbtgt '
      - 'dump /luid:0x'
      - 'kerberoast '
      - 'createnetonly /program:'
      - 'ptt /ticket:'
      - '/impersonateuser:'
      - 'renew /ticket:'
      - 'asktgt /user:'
      - 'harvest /interval:'
      - 's4u /user:'
      - 's4u /ticket:'
      - 'hash /password:'
      - 'golden /aes256:'
      - 'silver /user:'
  condition: selection
Falsepositives:
  - Unlikely
Level: high
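The selection above is a plain substring match over the text of PowerShell Script Block Logging events. The Python below is an added example, not part of the rule or of the Sigma project: it applies that selection to a few constructed Event ID 4104 records (the event Sigma's ps_script logsource maps to) and makes two details explicit that the YAML leaves implicit: Sigma's contains modifier is case-insensitive by default, and the trailing space in patterns such as 'kerberoast ' is part of the match, so the bare word at the end of a string does not fire. The event records, paths and script text are constructed sample data; the function and variable names are this example's own.

```python
"""Evaluate the Rubeus ScriptBlockText|contains selection against sample
script block logging events. Added example, not the rule's own code."""

# The fifteen substrings from the rule's selection, copied verbatim.
# Several end with a space; that space is part of the match.
RUBEUS_PATTERNS = [
    "asreproast ",
    "dump /service:krbtgt ",
    "dump /luid:0x",
    "kerberoast ",
    "createnetonly /program:",
    "ptt /ticket:",
    "/impersonateuser:",
    "renew /ticket:",
    "asktgt /user:",
    "harvest /interval:",
    "s4u /user:",
    "s4u /ticket:",
    "hash /password:",
    "golden /aes256:",
    "silver /user:",
]

# Sigma's ps_script logsource corresponds to script block logging events,
# Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel.
PS_SCRIPT_CHANNEL = "Microsoft-Windows-PowerShell/Operational"
PS_SCRIPT_EVENT_ID = 4104


def matches_rule(script_block_text: str) -> list[str]:
    """Return the selection patterns found in the text (empty list = no alert).

    Sigma string modifiers such as |contains are case-insensitive unless the
    rule adds the |cased modifier, so both sides are lower-cased here.
    """
    haystack = script_block_text.lower()
    return [p for p in RUBEUS_PATTERNS if p.lower() in haystack]


def evaluate_events(events: list[dict]) -> list[tuple[dict, list[str]]]:
    """Apply logsource filtering plus the selection; return (event, hits) pairs."""
    alerts = []
    for event in events:
        # Logsource check: only script block logging events are in scope.
        if event.get("Channel") != PS_SCRIPT_CHANNEL:
            continue
        if event.get("EventID") != PS_SCRIPT_EVENT_ID:
            continue
        hits = matches_rule(event.get("ScriptBlockText", ""))
        if hits:
            alerts.append((event, hits))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Fires: mixed-case 'Kerberoast ' followed by a space.
        "Channel": PS_SCRIPT_CHANNEL, "EventID": PS_SCRIPT_EVENT_ID,
        "Computer": "WS01.corp.example",
        "ScriptBlockText": "Set-Location C:\\Tools; .\\Rubeus.exe Kerberoast /stats",
    },
    {   # Benign admin query: no pattern present.
        "Channel": PS_SCRIPT_CHANNEL, "EventID": PS_SCRIPT_EVENT_ID,
        "Computer": "WS02.corp.example",
        "ScriptBlockText": "Get-ADUser -Filter * | Select-Object SamAccountName",
    },
    {   # Does not fire: 'kerberoast' is followed by a quote, not a space.
        "Channel": PS_SCRIPT_CHANNEL, "EventID": PS_SCRIPT_EVENT_ID,
        "Computer": "WS03.corp.example",
        "ScriptBlockText": "$mode = 'kerberoast'",
    },
    {   # Does not fire: matching text, but module logging (4103) is outside the logsource.
        "Channel": PS_SCRIPT_CHANNEL, "EventID": 4103,
        "Computer": "WS04.corp.example",
        "ScriptBlockText": ".\\Rubeus.exe kerberoast /stats",
    },
]


if __name__ == "__main__":
    for event, hits in evaluate_events(SAMPLE_EVENTS):
        print(f"ALERT host={event['Computer']} patterns={hits}")
```

Running the block prints a single alert for WS01. The third sample is the caveat worth remembering when tuning: the rule keys on the space after a Rubeus action name, so a script block that merely mentions the word, or that ends right after it, is not matched, while the fourth shows that the same text in a module logging event is ignored because the rule's logsource is ps_script only.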