Rubeus

Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.^[1]^[2]^[3]^[4]

ID: S1071

ⓘ

Type: TOOL

ⓘ

Platforms: Windows

Contributors: Mayuresh Dani, Qualys; Akshat Pradhan, Qualys

Version: 1.1

Created: 29 March 2023

Last Modified: 03 August 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1482		Domain Trust Discovery	Rubeus can gather information about domain trusts.^[3]^[4]
Enterprise	T1558	.001	Steal or Forge Kerberos Tickets: Golden Ticket	Rubeus can forge a ticket-granting ticket.^[1]
		.002	Steal or Forge Kerberos Tickets: Silver Ticket	Rubeus can create silver tickets.^[1]
		.003	Steal or Forge Kerberos Tickets: Kerberoasting	Rubeus can use the `KerberosRequestorSecurityToken.GetRequest` method to request kerberoastable service tickets.^[1]
		.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	Rubeus can reveal the credentials of accounts that have Kerberos pre-authentication disabled through AS-REP roasting.^[1]^[3]^[4]

Groups That Use This Software

ID	Name	References
G0102	Wizard Spider	^[5]

References

Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.

Rubeus

Enterprise Layer

Techniques Used

Groups That Use This Software

References