S1071 Rubeus
Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.1243
| Item | Value |
|---|---|
| ID | S1071 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 29 March 2023 |
| Last Modified | 16 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1482 | Domain Trust Discovery | Rubeus can gather information about domain trusts.43 |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
| enterprise | T1558.001 | Golden Ticket | Rubeus can forge a ticket-granting ticket.1 |
| enterprise | T1558.002 | Silver Ticket | Rubeus can create silver tickets.1 |
| enterprise | T1558.003 | Kerberoasting | Rubeus can use the KerberosRequestorSecurityToken.GetRequest method to request kerberoastable service tickets.1 |
| enterprise | T1558.004 | AS-REP Roasting | Rubeus can reveal the credentials of accounts that have Kerberos pre-authentication disabled through AS-REP roasting.143 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | 5 |
References
-
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. ↩
-
The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. ↩↩↩
-
The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. ↩↩↩
-
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. ↩