Rubeus incident response
Playbook Description
This playbook verifies file reputation, disables the compromised user, purges Kerberos tickets, and terminates related processes. It also removes persistence, enforces LSASS and ASR protections, and isolates the host to stop lateral movement.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Credential Access (TA0006) | Steal or Forge Kerberos Tickets (T1558) | Kerberoasting (T1558.003) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Evict (D3-Evict) | Credential Eviction (D3-CE) | Credential Revocation (D3-CR) |
Playbook input type
Alert
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs.
Dependencies
Extensions - VirusTotal:
- virustotal_ipReputation
- virustotal_calculateRiskScore
Utility functions:
- utility_convertTimeToUTC
- utility_getRequiredTime
- windows_commandLineAnalysisrubeus
- windows_detectMaliciousProcessChain
- utility_extractFieldFromList
- utility_convertToString
- utility_extractMaliciousEntitiesByRiskScore
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| QuarantineFile.ps1 | Moves one or more files to a quarantine directory (`%USERPROFILE%\Forensic_Quarantine`), strips inherited permissions via the .NET ACL API, and grants read-only access to Administrators. Skips protected PowerShell executables. | FilePaths |
| StopAndQuarantineProcess.ps1 | Terminates processes by PID (decimal or hex) or by executable file path, then quarantines the executable to a forensic directory. Protects critical OS processes and the SOAR agent from termination. | ProcessIdentifiers |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms, including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services, to identify potential malicious persistence. | (none) |
| EnableASRToPreventLSASS.ps1 | Enables the Attack Surface Reduction (ASR) rule that blocks credential stealing from the LSASS process (Rule ID: `9e6ea9f3-2e94-4a2a-89e3-4c77b740ab4a`). | (none) |
| GetExternalConnections.ps1 | Lists all established non-loopback TCP connections with their local/remote addresses, ports and PIDs, plus a summary of unique remote IPs. | (none) |
| BlockIP.ps1 | Creates or updates Windows Firewall rules to block network traffic to/from one or more IP addresses. Uses consolidated rules (`SOAR_AutoBlock_IP_Inbound` / `SOAR_AutoBlock_IP_Outbound`): new IPs are merged into the existing rule rather than creating a rule per IP. Validates IP format, checks firewall profile status, and reports per-IP results. | IpString, Direction |
| KlistPurge.ps1 | Purges all cached Kerberos tickets for the current logon session by executing `klist purge`. Used as an incident response action to invalidate potentially compromised Kerberos tickets. | (none) |
| TerminateSession.ps1 | Logs off one or more user sessions using `logoff`, with optional RDP-only filtering by remote IP. | UserNames |
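The consolidated-rule pattern the BlockIP.ps1 row describes, as an added example rather than the playbook's own script: a single `SOAR_AutoBlock_IP_<Direction>` rule whose remote-address list is merged on each call, with input validation and a firewall-profile check. The function name `Add-ConsolidatedBlockRule`, the result-object shape and the sample addresses are assumptions; it needs an elevated session and the NetSecurity module.

```powershell
function Add-ConsolidatedBlockRule {
    param(
        [Parameter(Mandatory)][string]$IpString,                            # comma-separated IPs, as in the table
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Outbound'
    )
    $ruleName = "SOAR_AutoBlock_IP_$Direction"                              # rule name from the table
    $results  = New-Object System.Collections.Generic.List[object]
    $valid    = New-Object System.Collections.Generic.List[string]

    # Validate every candidate as an IPv4/IPv6 literal before touching the firewall
    foreach ($raw in ($IpString -split ',')) {
        $ip = $raw.Trim()
        if (-not $ip) { continue }
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            $valid.Add($parsed.IPAddressToString)
        } else {
            $results.Add([pscustomobject]@{ IP = $ip; Status = 'InvalidFormat' })
        }
    }

    if ($valid.Count -gt 0) {
        $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        if ($rule) {
            # Merge into the existing consolidated rule instead of creating one rule per IP
            $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress |
                          Where-Object { $_ -and $_ -ne 'Any' })
            $merged = @($existing + $valid.ToArray() | Select-Object -Unique)
            $rule | Set-NetFirewallRule -RemoteAddress $merged
        } else {
            New-NetFirewallRule -DisplayName $ruleName -Direction $Direction -Action Block `
                -RemoteAddress $valid.ToArray() -Profile Any -Enabled True | Out-Null
        }
        foreach ($ip in $valid) { $results.Add([pscustomobject]@{ IP = $ip; Status = 'Blocked' }) }
    }

    # A block rule only takes effect on profiles where the firewall is on; surface that gap
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name
    if ($off) { Write-Warning "Firewall is disabled for profile(s): $($off -join ', ')" }
    return $results
}

# Constructed sample input (TEST-NET-3 addresses plus one invalid entry)
Add-ConsolidatedBlockRule -IpString '203.0.113.10, 203.0.113.11, not-an-ip' -Direction Outbound
```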
Connections
VirusTotal connection - Requires a VirusTotal API key, used to check the reputation of the IPs, URLs and files involved in the alert.
Sub playbooks
- Windows - File enrichment
- Windows Defender quick scan
Execution workflow
Investigation:
- Executes the "Windows - File enrichment" sub-playbook.
Decision logic:
- Proceeds to remediation if the file or process reputation indicates high risk.
- If the file is suspicious but not confirmed malicious, sends a notification for manual review and stops further actions.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Analyzes the command line for suspicious patterns, URLs, or file paths.
- Checks if the user is found.
- Investigates privilege escalation attempts.
- Fetches the users.
- Checks whether the file is present.
- Quarantines the file.
- Passes user and file handling.
- Terminates and quarantines the process.
- Fetches the process tree.
- Checks the execution flow.
- Checks if any malicious process is found.
- Terminates and quarantines malicious process.
- Passes process handling.
- Checks and removes persistence.
- Enables the LSASS protection.
- Fetches the external connections.
- Retrieves the IP reputations in batch.
- Calculates the risk score in batch.
- Identifies malicious entities based on their risk scores.
- Blocks the malicious IP.
- Terminates all tickets.
- Executes the "Windows Defender quick scan" sub-playbook.
- Disables and logs off the user.
- Validates if all remediation actions are completed successfully.
- Builds the malicious mail subject.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and required next steps.
Post execution procedure
- Verify if all Kerberos tickets have been purged and LSASS protection is enabled.
- Reset passwords for all accounts that may have been targeted by Kerberos abuse.
- Investigate whether stolen tickets were used for lateral movement or privilege escalation.
- Review blocked IP addresses to ensure no legitimate traffic was affected.
- Scan other endpoints for similar Rubeus or Kerberoasting indicators.
- Audit Active Directory for any unauthorized service principal name (SPN) changes.
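One way to carry out the first verification step (tickets purged, LSASS ASR rule enabled), as an added example that is not part of the playbook: it reads the ticket count from `klist` and looks the table's rule ID up in the Defender ASR preference arrays. The function name `Test-RubeusRemediationState` and the result-object shape are assumptions; because `klist purge` acts on the current logon session, run this in the same session the purge ran in.

```powershell
function Test-RubeusRemediationState {
    param(
        # Rule ID from the EnableASRToPreventLSASS.ps1 row: block credential stealing from LSASS
        [string]$LsassAsrRuleId = '9e6ea9f3-2e94-4a2a-89e3-4c77b740ab4a'
    )

    # Kerberos ticket cache of the current logon session; klist prints a "Cached Tickets: (N)" line
    $klistOut = (& klist 2>&1) | Out-String
    $ticketCount = if ($klistOut -match 'Cached Tickets:\s*\((\d+)\)') { [int]$Matches[1] } else { $null }

    # Defender exposes ASR rules as two parallel arrays: Ids and Actions (0 Disabled, 1 Block, 2 Audit)
    $pref   = Get-MpPreference
    $ids    = @($pref.AttackSurfaceReductionRules_Ids)
    $action = $null
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassAsrRuleId) {
            $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            break
        }
    }

    [pscustomobject]@{
        CachedTickets       = $ticketCount               # $null means klist output could not be parsed
        TicketsPurged       = ($ticketCount -eq 0)
        LsassAsrRuleAction  = $action                    # $null means the rule is not configured at all
        LsassAsrRuleEnabled = ($action -eq 1)
        RemediationVerified = ($ticketCount -eq 0 -and $action -eq 1)
    }
}

Test-RubeusRemediationState
```

An `Audit` (2) action means the rule only logs; it does not satisfy the playbook's intent of blocking LSASS credential access.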