Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[1][2][3][4]

ID: S1071
Type: TOOL
Platforms: Windows
Contributors: Mayuresh Dani, Qualys; Akshat Pradhan, Qualys
Version: 1.1
Created: 29 March 2023
Last Modified: 03 August 2023

Techniques Used

Domain ID Name Use
Enterprise T1482 Domain Trust Discovery

Rubeus can gather information about domain trusts.[3][4]

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Rubeus can forge a ticket-granting ticket.[1]

.002 Steal or Forge Kerberos Tickets: Silver Ticket

Rubeus can create silver tickets.[1]

.003 Steal or Forge Kerberos Tickets: Kerberoasting

Rubeus can use the KerberosRequestorSecurityToken.GetRequest method to request kerberoastable service tickets.[1]

.004 Steal or Forge Kerberos Tickets: AS-REP Roasting

Rubeus can reveal the credentials of accounts that have Kerberos pre-authentication disabled through AS-REP roasting.[1][3][4]

Groups That Use This Software

ID Name References
G0102 Wizard Spider