HackTool - Rubeus Execution - ScriptBlock
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
HackTool - Rubeus Execution - ScriptBlock | Standard | Windows | Defense Evasion: Use Alternate Authentication Material - Pass the Ticket (T1550.003); Lateral Movement: Use Alternate Authentication Material - Pass the Ticket (T1550.003); Credential Access: Steal or Forge Kerberos Tickets - Kerberoasting (T1558.003); Credential Access: OS Credential Dumping (T1003) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Rubeus is a hacking tool that uses PowerShell commands to manipulate Kerberos authentication in AD. This rule detects such suspicious command-line activities that indicate the execution of Rubeus.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → PowerShell execution → Defense Evasion → Credential Access → Kerberoasting
Impact
- Service account compromise
- Credential theft
- Data leakage
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
(((( SCRIPTEXECUTED CONTAINS ""asreproast"" ) OR ( SCRIPTEXECUTED CONTAINS ""dump /service:krbtgt"" ) OR ( SCRIPTEXECUTED CONTAINS ""dump /luid:0x"" ) OR ( SCRIPTEXECUTED CONTAINS ""kerberoast"" ) OR ( SCRIPTEXECUTED CONTAINS ""createnetonly /program:"" ) OR ( SCRIPTEXECUTED CONTAINS ""ptt /ticket:"" ) OR ( SCRIPTEXECUTED CONTAINS ""/impersonateuser:"" ) OR ( SCRIPTEXECUTED CONTAINS ""renew /ticket:"" ) OR ( SCRIPTEXECUTED CONTAINS ""asktgt /user:"" ) OR ( SCRIPTEXECUTED CONTAINS ""harvest /interval:"" ) OR ( SCRIPTEXECUTED CONTAINS ""s4u /user:"" ) OR ( SCRIPTEXECUTED CONTAINS ""s4u /ticket:"" ) OR ( SCRIPTEXECUTED CONTAINS ""hash /password:"" ) OR ( SCRIPTEXECUTED CONTAINS ""golden /aes256:"" ) OR ( SCRIPTEXECUTED CONTAINS ""silver /user:"" ) )))
This rule is triggered when the executed script contains the following suspicious elements:
- asreproast: Refers to a tool used to request Ticket Granting Tickets without needing user credentials.
- dump /service:krbtgt: A command used to dump credentials or tickets related to the krbtgt service account.
- kerberoast: A tool used to request and decode Kerberos service tickets to extract service account passwords.
- ptt /ticket: Indicates Pass the Ticket activity to inject a Kerberos ticket into the current session to compromise authentication.
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "asreproast ,dump /service:krbtgt ,dump /luid:0x,kerberoast ,createnetonly /program:,ptt /ticket:,/impersonateuser:,renew /ticket:,asktgt /user:,harvest /interval:,s4u /user:,s4u /ticket:,hash /password:,golden /aes256:,silver /user:" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Use Alternate Authentication Material - Pass the Ticket (T1550.003); Lateral Movement: Use Alternate Authentication Material - Pass the Ticket (T1550.003); Credential Access: Steal or Forge Kerberos Tickets - Kerberoasting (T1558.003); Credential Access: OS Credential Dumping (T1003)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of a PowerShell script execution involving Rubeus hack tool. This enables you to monitor runtime environments like PowerShell and identify malicious executions that breach the Kerberos authentication process.
Author
Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
Future actions
Known False Positives
This rule might be triggered when admins initiate legitimate password changes or Kerberos ticket renewals for service accounts.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell executions: Continuously monitor PowerShell activities, block command executions that involve hack tools like Rubeus, and restrict script execution privileges to administrators only.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1015 | Update and reset KRBTGT account password periodically. | |
M1027 | Enforce strong password policies for local administrator accounts. | |
M1026 | Restrict domain admin privileges should be reserved for domain controllers. | |
M1018 | No local admin user account should be shared across multiple systems. | |
M1041 | Enable AES Kerberos encryption. | |
M1040 | Protect LSASS on Windows 10 machines by enabling Attack Surface Reduction (ASR) rules. | |
M1043 | Configure Credential Guard on Windows 10 devices to protect the LSA from credential dumping attempts. | |
M1028 | Limit NTLM and WDigest authentication use to only privileged accounts. | |
M1025 | Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2. | |
M1017 | Train users on strong password policies and the risks of reusing passwords across multiple systems. |
