SigmaHQ/wazuh/rules/sigma_win_hack_rubeus.yml

alert:
- debug
description: Detects command line parameters used by Rubeus hack tool
filter:
- query:
    query_string:
      query: data.win.eventdata.commandLine.keyword:(*\ asreproast\ * OR *\ dump\ \/service\:krbtgt\ * OR *\ kerberoast\ * OR *\ createnetonly\ \/program\:* OR *\ ptt\ \/ticket\:* OR *\ \/impersonateuser\:* OR *\ renew\ \/ticket\:* OR *\ asktgt\ \/user\:* OR *\ harvest\ \/interval\:*)
index: wazuh-alerts-3.x-*
name: 7ec2c172-dceb-4c10-92c9-87c1881b7e18_0
priority: 1
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: Detects command line parameters used by Rubeus hack tool`
			`filter:`
			`- query:`
			`query_string:`
			`query: data.win.eventdata.commandLine.keyword:(\ asreproast\ OR \ dump\ \/service\:krbtgt\ OR \ kerberoast\ OR \ createnetonly\ \/program\: OR \ ptt\ \/ticket\: OR \ \/impersonateuser\: OR \ renew\ \/ticket\: OR \ asktgt\ \/user\: OR \ harvest\ \/interval\:)`
			`index: wazuh-alerts-3.x-*`
			`name: 7ec2c172-dceb-4c10-92c9-87c1881b7e18_0`
			`priority: 1`
			`realert:`
			`minutes: 0`
			`type: any`