
HackTool - Rubeus Execution

Sigma Rules

Summary
This Sigma detection rule identifies the execution of Rubeus, a widely used C# toolkit for interacting with and abusing Kerberos tickets in Windows environments. The rule works on process creation logs and matches indicators associated with the Rubeus executable: the original file name and file description carried in the binary's version information, and command line arguments characteristic of Rubeus operations such as ASREPRoasting and Kerberoasting. Matching on the original file name and description rather than on the image path alone means a renamed binary still triggers the rule; an operator who strips the version information or loads Rubeus in memory from another process leaves neither indicator in the process creation event, so the command line keywords, and telemetry beyond process creation, remain important. Because the activities Rubeus enables fall under credential access and lateral movement, the rule is assigned a critical level. Apply it alongside other detections as part of a layered defense rather than as a single control.
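The matching logic the summary describes, as an added example that is not the rule's own source or any code from the Sigma project. It checks constructed process creation events against the three indicator types the summary names. The field names follow Sysmon Event ID 1 conventions, and the command line keyword list is an assumed two-entry subset chosen for illustration; the real rule carries a longer list.

```python
"""Toy re-implementation of the Rubeus process-creation detection.

Added example: constructed events and an assumed keyword subset, not the
rule's own definition or real logs.
"""

# Indicators named in the rule summary. The keyword subset is an assumption
# for illustration; the actual rule lists more Rubeus command verbs.
ORIGINAL_FILE_NAMES = {"rubeus.exe"}
DESCRIPTIONS = {"rubeus"}
COMMAND_LINE_KEYWORDS = ("asreproast", "kerberoast")


def matches_rubeus(event: dict) -> list:
    """Return the names of the indicators that fired; an empty list means no match.

    Sigma string comparisons are case-insensitive by default, so every field
    is lowercased before comparison. Command line keywords use 'contains'
    semantics, which is also why a substring hit in an unrelated argument
    (see the last sample event) fires the rule.
    """
    hits = []
    if event.get("OriginalFileName", "").lower() in ORIGINAL_FILE_NAMES:
        hits.append("OriginalFileName")
    if event.get("Description", "").lower() in DESCRIPTIONS:
        hits.append("Description")
    cmd = event.get("CommandLine", "").lower()
    for keyword in COMMAND_LINE_KEYWORDS:
        if keyword in cmd:
            hits.append("CommandLine:" + keyword)
    return hits


def scan(events: list) -> list:
    """Return (Image, fired indicators) for every event the rule would alert on."""
    results = []
    for event in events:
        hits = matches_rubeus(event)
        if hits:
            results.append((event.get("Image", ""), hits))
    return results


# Constructed sample events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {   # Renamed binary: image path is innocuous, version info still says Rubeus.
        "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "Rubeus.exe",
        "Description": "Rubeus",
        "CommandLine": "svchost.exe asreproast /format:hashcat",
    },
    {   # Version info stripped: only the command line gives it away.
        "Image": r"C:\Temp\r.exe",
        "OriginalFileName": "",
        "Description": "",
        "CommandLine": "r.exe kerberoast /outfile:hashes.txt",
    },
    {   # Benign Kerberos tooling shipped with Windows: no indicator fires.
        "Image": r"C:\Windows\System32\klist.exe",
        "OriginalFileName": "klist.exe",
        "Description": "Kerberos Ticket Manager",
        "CommandLine": "klist tickets",
    },
    {   # False-positive shape: the keyword appears in an unrelated file name.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "Description": "Windows PowerShell",
        "CommandLine": r"powershell.exe -c Get-Content .\kerberoast_notes.txt",
    },
]


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(hits)}")
```

Running the block alerts on three of the four events. The last one shows the trade-off behind contains-style keyword matching: it catches Rubeus even when the binary has been renamed and stripped, at the cost of firing on any command line that happens to include the substring, so triage should look at the image, parent process and full argument string before escalating.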
Categories
  • Windows
  • Network
  • Identity Management
Data Sources
  • Process
  • Command
Created: 2018-12-19