Windows PowerShell Rubeus execution

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects execution of Rubeus, a Kerberos attack tool used for ticket extraction, modification, forgery, and replay attacks.

Strategy

This rule monitors Windows PowerShell script block logs for commands containing distinctive Rubeus command-line arguments. Rubeus is a toolset designed for Kerberos interaction and abuse, commonly used by attackers to extract tickets, perform pass-the-ticket attacks, request and forge tickets, and conduct other Kerberos-based attacks. The presence of these command patterns is highly suspicious, as Rubeus is used primarily for offensive security testing or actual attacks and rarely has a legitimate use case in most enterprise environments.
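As an added example (not part of the Datadog rule or of Rubeus itself), the Python below runs the same idea over constructed PowerShell script block log records (Event ID 4104): it looks for Rubeus-style subcommand and `/switch:` tokens rather than the binary name. The token lists are assumptions drawn from Rubeus's publicly documented command names, not the rule's own pattern set, and the corroboration logic shows why a bare word like `dump` must not fire on its own.

```python
import re

# Assumed sample of Rubeus subcommand names; counted only as whole words.
SUBCOMMANDS = ("asktgt", "asktgs", "kerberoast", "asreproast", "ptt", "tgtdeleg",
               "s4u", "renew", "dump", "golden", "silver", "harvest", "monitor")
# Assumed sample of Rubeus-style "/name:value" switches.
SWITCHES = ("/ticket:", "/user:", "/rc4:", "/aes256:", "/nowrap", "/ptt", "/luid:")

_SUBCMD_RE = re.compile(r"\b(" + "|".join(SUBCOMMANDS) + r")\b", re.IGNORECASE)
_SWITCH_RE = re.compile("|".join(re.escape(s) for s in SWITCHES), re.IGNORECASE)


def rubeus_indicators(script_block: str) -> list[str]:
    """Return the distinct Rubeus-style tokens found in one script block.

    Subcommand words such as "dump" or "monitor" are common in benign scripts,
    so they only count when a Rubeus-style switch is in the same block, or
    when the tool name itself appears."""
    text = script_block.lower()
    subcmds = sorted({m.group(1) for m in _SUBCMD_RE.finditer(text)})
    switches = sorted({m.group(0) for m in _SWITCH_RE.finditer(text)})
    if "rubeus" in text:
        return ["rubeus"] + subcmds + switches
    if subcmds and switches:
        return subcmds + switches
    return []


def scan_script_block_events(events: list[dict]) -> list[dict]:
    """Keep only 4104 events and annotate each hit with the matching tokens."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        found = rubeus_indicators(ev.get("ScriptBlockText", ""))
        if found:
            hits.append({**ev, "indicators": found})
    return hits


# Constructed records in the shape of flattened 4104 events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01", "UserId": "S-1-5-21-1",
     "ScriptBlockText": "Get-Process | Where-Object {$_.WorkingSet -gt 100MB}"},
    {"EventID": 4104, "Computer": "ws01", "UserId": "S-1-5-21-1",
     "ScriptBlockText": "Write-Host 'memory dump finished'; Start-Sleep 5"},
    {"EventID": 4104, "Computer": "ws02", "UserId": "S-1-5-21-2",
     "ScriptBlockText": "& $tool kerberoast /nowrap"},   # tool name absent
    {"EventID": 4688, "Computer": "ws02", "ScriptBlockText": "rubeus.exe"},
]
```

Only the third record is flagged: the second contains `dump` with no corroborating switch, and the fourth is not a script block event, so a real rule would cover it from process creation logs instead.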

Triage & Response

  • Analyze the full PowerShell script block content to understand which specific Rubeus capabilities were utilized on {{host}}.
  • Identify the user account that executed the Rubeus commands and determine if they are authorized to perform security testing.
  • Check for successful ticket creation, extraction, or manipulation by reviewing associated event logs around the same timeframe.
  • Examine authentication events to identify potential lateral movement or privilege escalation following Rubeus execution.
  • Review process creation events to identify the source of the Rubeus tool on the system.