1. Home
  2. Software
  3. Rubeus

Rubeus

Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[1][2][3][4]

ID: S1071
Type: TOOL
Platforms: Windows
Contributors: Mayuresh Dani, Qualys; Akshat Pradhan, Qualys
Version: 1.2
Created: 29 March 2023
Last Modified: 19 April 2026
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1482 Domain Trust Discovery

Rubeus can gather information about domain trusts.[3][4]
Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Rubeus can forge a ticket-granting ticket.[1]
.002 Steal or Forge Kerberos Tickets: Silver Ticket

Rubeus can create silver tickets.[1]
.003 Steal or Forge Kerberos Tickets: Kerberoasting

Rubeus can use the KerberosRequestorSecurityToken.GetRequest method to request kerberoastable service tickets.[1]
.004 Steal or Forge Kerberos Tickets: AS-REP Roasting

Rubeus can reveal the credentials of accounts that have Kerberos pre-authentication disabled through AS-REP roasting.[1][3][4]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[5]
G1054 MirrorFace

[6][7]

Campaigns

ID Name Description
C0063 2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries used the Rubeus tool to forge a Diamond Ticket that is a modified legitimate Kerberos ticket.[8][9]
C0060 Operation AkaiRyū

During Operation AkaiRyū, MirrorFace used Rubeus.[7]

References

  1. Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.
  2. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  3. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  4. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  5. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  1. Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.
  2. Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.
  3. CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
  4. ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.