title: Rubeus Hack Tool
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '* asreproast *'
            - '* dump /service:krbtgt *'
            - '* kerberoast *'
            - '* createnetonly /program:*'
            - '* ptt /ticket:*'
            - '* /impersonateuser:*'
            - '* renew /ticket:*'
            - '* asktgt /user:*'
            - '* harvest /interval:*'
    condition: selection
falsepositives:
    - unlikely
level: critical