Windows PowerShell Rubeus execution
Goal
Detects execution of Rubeus, a Kerberos attack tool used for ticket extraction, modification, forgery, and replay attacks.
Strategy
This rule monitors Windows PowerShell script block logs for commands containing distinct Rubeus command-line arguments. Rubeus is a toolset designed for Kerberos interaction and abuse, commonly used by attackers to extract tickets, perform pass-the-ticket attacks, request and forge tickets, and conduct other Kerberos-based attacks. The presence of these command patterns is highly suspicious as Rubeus is primarily used for offensive security testing or actual attacks and rarely has legitimate use cases in most enterprise environments.
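As an added illustration (not the rule's own implementation, and not code from the Rubeus project), the matching logic described above can be expressed in Python and run over constructed PowerShell Script Block Logging (Event ID 4104) records; the action-verb list is a partial subset chosen here, and the host names, user names and script text are made-up samples.

```python
import re
from typing import Dict, Iterable, List

# Constructed, partial list of Rubeus action verbs; a production rule would
# carry the vendor's full keyword list rather than this subset.
RUBEUS_ACTIONS = [
    "asktgt", "asktgs", "asreproast", "dump", "harvest", "kerberoast",
    "monitor", "ptt", "purge", "renew", "s4u", "tgtdeleg",
]

# Two signals: the tool name itself, or an action verb immediately followed by a
# Rubeus-style "/key" or "/key:value" argument. Requiring the slash argument keeps
# generic words such as "purge" (e.g. "klist purge") or "dump" from alerting.
_NAME_RE = re.compile(r"\brubeus\b", re.IGNORECASE)
_ACTION_RE = re.compile(
    r"\b(" + "|".join(RUBEUS_ACTIONS) + r")\b\s+/[a-z]+", re.IGNORECASE
)


def matched_actions(script_text: str) -> List[str]:
    """Rubeus action verbs found in one script block, lower-cased and deduplicated."""
    return sorted({m.group(1).lower() for m in _ACTION_RE.finditer(script_text)})


def is_rubeus_script_block(script_text: str) -> bool:
    """True when the block names Rubeus or uses a Rubeus action with Rubeus-style arguments."""
    return bool(_NAME_RE.search(script_text)) or bool(matched_actions(script_text))


def scan_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the rule to 4104 records only and emit one alert per matching script block."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "4104":
            continue  # other PowerShell event IDs carry no script block text for this rule
        text = ev.get("ScriptBlockText", "")
        if is_rubeus_script_block(text):
            alerts.append({"host": ev["Computer"], "user": ev["User"], "actions": matched_actions(text)})
    return alerts


# Constructed sample records shaped like Microsoft-Windows-PowerShell/Operational 4104 events.
SAMPLE_EVENTS = [
    {"EventID": "4104", "Computer": "WS01", "User": "CORP\\alice", "ScriptBlockText": "Get-Process | Where-Object CPU -gt 50"},
    {"EventID": "4104", "Computer": "WS02", "User": "CORP\\bob", "ScriptBlockText": ".\\Rubeus.exe kerberoast /outfile:hashes.txt"},
    # Renamed binary: the tool-name signal misses it, the action-verb signal still fires.
    {"EventID": "4104", "Computer": "WS03", "User": "CORP\\carol", "ScriptBlockText": ".\\svc_update.exe asktgt /user:svc_backup /ptt"},
    {"EventID": "4104", "Computer": "WS04", "User": "CORP\\dave", "ScriptBlockText": "klist purge; Get-Content .\\dump.txt"},
    {"EventID": "4103", "Computer": "WS02", "User": "CORP\\bob", "ScriptBlockText": "Rubeus.exe dump /service:krbtgt"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints alerts for WS02 and WS03 only; the benign `klist purge` block and the non-4104 record are ignored.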
Triage & Response
- Analyze the full PowerShell script block content to understand which specific Rubeus capabilities were utilized on {{host}}.
- Identify the user account that executed the Rubeus commands and determine if they are authorized to perform security testing.
- Check for successful ticket creation, extraction, or manipulation by reviewing associated event logs around the same timeframe.
- Examine authentication events to identify potential lateral movement or privilege escalation following Rubeus execution.
- Review process creation events to identify the source of the Rubeus tool on the system.