Windows register new logon process by Rubeus

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects registration of suspicious logon processes matching patterns associated with the Rubeus Kerberos manipulation tool.

Strategy

This rule monitors for Windows Security event ID 4611, which records the registration of a new trusted logon process with the Local Security Authority (LSA). The detection looks specifically for a logon process name matching User32LogonProcesss: the misspelled name (note the triple "s") that the Rubeus tool uses when it registers a logon process for Kerberos ticket manipulation.
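The following is an added example, not part of the rule page: it applies the strategy above to constructed Windows Security event records in Event Log XML form, filtering on event ID 4611 and flagging the Rubeus logon process name while ignoring legitimately registered names such as Winlogon and User32. The sample events, host names and user names are all made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Misspelled logon process name the rule attributes to Rubeus (note the triple "s").
RUBEUS_LOGON_PROCESS = "User32LogonProcesss"


def _event_xml(event_id, host, user, logon_process):
    """Build a minimal constructed Security event record (not real telemetry)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><Computer>{host}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="LogonProcessName">{logon_process}</Data>
  </EventData>
</Event>"""


# Constructed sample: one Rubeus-style registration, two legitimate 4611s, one unrelated event.
SAMPLE_EVENTS = [
    _event_xml(4611, "DC01", "svc-backup", "User32LogonProcesss"),
    _event_xml(4611, "WS07", "SYSTEM", "Winlogon"),
    _event_xml(4611, "WS07", "SYSTEM", "User32"),
    _event_xml(4624, "WS07", "jdoe", "User32LogonProcesss"),
]


def detect_rubeus_logon_process(xml_events):
    """Return one finding per 4611 event whose LogonProcessName matches the Rubeus pattern."""
    findings = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id != "4611":
            continue  # only new logon process registrations are in scope
        data = {d.get("Name"): (d.text or "").strip()
                for d in root.findall("e:EventData/e:Data", NS)}
        name = data.get("LogonProcessName", "")
        # Compare case-insensitively so a case-only variant of the name still matches.
        if name.lower() == RUBEUS_LOGON_PROCESS.lower():
            findings.append({
                "host": root.findtext("e:System/e:Computer", default="", namespaces=NS),
                "subject_user": data.get("SubjectUserName", ""),
                "logon_process": name,
            })
    return findings


if __name__ == "__main__":
    for f in detect_rubeus_logon_process(SAMPLE_EVENTS):
        print(f"ALERT host={f['host']} user={f['subject_user']} logon_process={f['logon_process']}")
```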

Triage & Response

  • Verify the process that registered the new logon process on {{host}} and its parent process.
  • Examine running processes and loaded modules for signs of Rubeus or other Kerberos exploitation tools.
  • Review authentication logs for unusual Kerberos ticket requests or modifications.
  • Reset passwords for any potentially compromised accounts.
  • Monitor for additional Kerberos ticket manipulation attempts.