detection.wiki

Detection rules › Splunk

Rubeus Commands (Windows Event Log)

Group by
_time, host
Source
github.com/anvilogic-forge/armory

Rubeus is a C# toolset for raw Kerberos interaction and abuses

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1558.001 Steal or Forge Kerberos Tickets: Golden Ticket, T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket, T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

References

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4688A new process has been created.

Rule body yaml

id: '5473.5639'
title: Rubeus Commands
description: 'Rubeus is a C# toolset for raw Kerberos interaction and abuses. -- Threat
  Actor Association: Wizard Spider - Software Association: Conti, Diavol, Quakbot/Qbot
  -- Atomics T1558.003 Test#2'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` TERM(exe) (TERM(EventCode=4688)
  OR "<EventID>4688<") (TERM(harvest) OR TERM(ptt) OR TERM(s4u) OR TERM(asktgt) OR
  TERM(brute) OR TERM(createnetonly) OR TERM(changepw) OR TERM(hash) OR TERM(tgssub)
  OR TERM(asktgs) OR TERM(renew) OR TERM(describe) OR TERM(monitor) OR TERM(purge)
  OR TERM(klist) OR TERM(triage) OR TERM(dump) OR TERM(tgtdeleg) OR TERM(kerberoast)
  OR TERM(asreproast) OR TERM(currentluid)) |regex process="(?i)\.exe\"?\s+(((harvest|ptt|s4u|asktgt|brute|createnetonly|changepw|hash|tgssub|asktgs|renew|describe|monitor)(\s+)?\/\w+\:)|((purge|klist|triage|dump|tgtdeleg|kerberoast|asreproast|currentluid)((\s+)?\/\w+)?))"
  | table _time, host, user, signature_id, process, process_id, process_name, parent_process_name
  | bin span=1s | stats values(*) as * by _time, host '
techniques:
- credential-access:steal or forge kerberos tickets
- credential-access:steal or forge kerberos tickets:golden ticket
- credential-access:steal or forge kerberos tickets:silver ticket
- credential-access:steal or forge kerberos tickets:kerberoasting
technique_id:
- T1558
- T1558.003
- T1558.002
- T1558.001
data_category:
- Windows event logs
references:
- https://github.com/GhostPack/Rubeus

Stages and Predicates

Stage 1: search

`get_endpoint_data` `get_endpoint_data_winevent` TERM(exe) (TERM(EventCode=4688) OR "<EventID>4688<") (TERM(harvest) OR TERM(ptt) OR TERM(s4u) OR TERM(asktgt) OR TERM(brute) OR TERM(createnetonly) OR TERM(changepw) OR TERM(hash) OR TERM(tgssub) OR TERM(asktgs) OR TERM(renew) OR TERM(describe) OR TERM(monitor) OR TERM(purge) OR TERM(klist) OR TERM(triage) OR TERM(dump) OR TERM(tgtdeleg) OR TERM(kerberoast) OR TERM(asreproast) OR TERM(currentluid))

Stage 2: regex

| regex process="(?i)\.exe\"?\s+(((harvest|ptt|s4u|asktgt|brute|createnetonly|changepw|hash|tgssub|asktgs|renew|describe|monitor)(\s+)?\/\w+\:)|((purge|klist|triage|dump|tgtdeleg|kerberoast|asreproast|currentluid)((\s+)?\/\w+)?))"

Stage 3: table

| table _time, host, user, signature_id, process, process_id, process_name, parent_process_name

Stage 4: bucket

| bin span=1s

Stage 5: stats

| stats values(*) as * by _time, host

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4688 corpus 313 (splunk 283, kusto 30)
processregex_match
  • "(?i).exe\"?\s+(((harvest|ptt|s4u|asktgt|brute|createnetonly|changepw|hash|tgssub|asktgs|renew|describe|monitor)(\s+)?\/\w+\:)|((purge|klist|triage|dump|tgtdeleg|kerberoast|asreproast|currentluid)((\s+)?\/\w+)?))" corpus 3 (splunk 3)

Search terms

Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.

StageTerm
1TERM
1exe
1TERM
1"<EventID>4688<"
1TERM
1harvest
1TERM
1ptt
1TERM
1s4u
1TERM
1asktgt
1TERM
1brute
1TERM
1createnetonly
1TERM
1changepw
1TERM
1hash
1TERM
1tgssub
1TERM
1asktgs
1TERM
1renew
1TERM
1describe
1TERM
1monitor
1TERM
1purge
1TERM
1klist
1TERM
1triage
1TERM
1dump
1TERM
1tgtdeleg
1TERM
1kerberoast
1TERM
1asreproast
1TERM
1currentluid