Windows register new logon process by Rubeus

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects registration of suspicious logon processes matching patterns associated with the Rubeus Kerberos manipulation tool.

Strategy

This rule monitors for event ID 4611, which records new logon process registrations. The detection specifically looks for logon process names matching User32LogonProcesss, a misspelling used by the Rubeus tool when it registers a new logon process for Kerberos ticket manipulation.
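As an added example (not part of this rule page or Datadog's own implementation), the strategy above run in Python over constructed Windows Security event records: the EventData field names SubjectUserName and LogonProcessName, and the sample hosts and users, are assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RUBEUS_LOGON_PROCESS = "User32LogonProcesss"  # misspelled name from the rule's strategy


def sample_event(event_id, host, user, logon_process):
    """Build a minimal Windows Security event XML string (constructed test data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<Computer>{host}</Computer></System><EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="LogonProcessName">{logon_process}</Data></EventData></Event>'
    )


# Constructed sample: one Rubeus-style registration, one benign one, one non-4611 event.
SAMPLE_EVENTS = [
    sample_event(4611, "ws01.corp.example", "jdoe", "User32LogonProcesss"),    # should alert
    sample_event(4611, "ws02.corp.example", "SYSTEM", "Winlogon"),             # normal name
    sample_event(4624, "ws03.corp.example", "asmith", "User32LogonProcesss"),  # wrong event ID
]


def parse_event(xml_text):
    """Flatten one event into a dict of System fields plus EventData Name/value pairs."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields


def detect_rubeus_logon_process(xml_events):
    """Return one alert per 4611 event whose logon process name matches the Rubeus pattern."""
    alerts = []
    for ev in map(parse_event, xml_events):
        if ev["EventID"] != 4611:  # only new logon process registrations are in scope
            continue
        name = ev.get("LogonProcessName", "").strip()
        # Compare case-insensitively so a capitalisation change does not slip past the rule.
        if name.lower() == RUBEUS_LOGON_PROCESS.lower():
            alerts.append({"host": ev["Computer"], "user": ev.get("SubjectUserName", ""),
                           "logon_process": name})
    return alerts


if __name__ == "__main__":
    for a in detect_rubeus_logon_process(SAMPLE_EVENTS):
        print(f"ALERT host={a['host']} user={a['user']} logon_process={a['logon_process']}")
```

The alert carries the host and subject user so the first triage step (checking the registering process and its parent on that host) can start from the event itself.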

Triage & Response

  • Verify the process that registered the new logon process on {{host}} and its parent process.
  • Examine running processes and loaded modules for signs of Rubeus or other Kerberos exploitation tools.
  • Review authentication logs for unusual Kerberos ticket requests or modifications.
  • Reset passwords for any potentially compromised accounts.
  • Monitor for additional Kerberos ticket manipulation attempts.