valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
34f9d17b26
SigmaHQ/rules/windows/builtin/win_hack_rubeus.yml

52 lines
1.4 KiB
YAML
Raw Blame History

---
action: global
title: Rubeus Hack Tool
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
detection:
condition: selection
falsepositives:
- unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
Reference in New Issue View Git Blame Copy Permalink