S1071: Rubeus
Analyst context for executives and security teams
Rubeus matters because it is a Windows Kerberos interaction tool associated in ATT&CK with credential-access behaviors such as Kerberoasting, AS-REP Roasting, and forged Kerberos tickets. For leaders, its appearance in an environment should raise questions about Active Directory resilience, privileged access exposure, and whether identity telemetry is strong enough to distinguish legitimate Kerberos activity from abuse.
Executive priority
Prioritize Rubeus as an identity-risk and incident-response readiness issue, not just a malware/tool name. ATT&CK links it to ransomware operations and to campaigns/groups including Operation AkaiRyū, 2025 Poland Wiper Attacks, and Wizard Spider, so the business decision value is validating whether Active Directory, service accounts, domain trusts, and Kerberos logging are governed well enough to support rapid containment and audit evidence during a serious intrusion. This is especially material for organizations where Windows domains support critical operations or cyber-physical environments.
Technical view
SOC and IR teams should treat Rubeus-related leads as potential Kerberos abuse on Windows. Validate coverage around the related ATT&CK techniques: Domain Trust Discovery (T1482), Golden Ticket (T1558.001), Silver Ticket (T1558.002), Kerberoasting (T1558.003), and AS-REP Roasting (T1558.004). Because the ATT&CK object provides no official detection guidance, detection engineering should be driven by local Windows domain controller telemetry, endpoint process evidence, authentication patterns, and account configuration review rather than by assuming a single reliable signature.
Likely telemetry
- Windows domain controller security logs and Kerberos authentication events
- Endpoint process execution and command-line telemetry on Windows systems
- Account and service account configuration data, including SPNs and preauthentication settings
- Directory queries and domain trust enumeration evidence
- Privileged account activity and Kerberos ticket-related anomalies
Detection direction
- Confirm that domain controller and endpoint telemetry is collected, retained, and searchable before relying on detections for Kerberos abuse.
- Tune detections around the related techniques rather than only the tool name, since Kerberos abuse may appear as authentication behavior rather than obvious malware execution.
- Review for unusual service ticket request patterns, activity involving service accounts, accounts without Kerberos preauthentication, and domain trust discovery in the context of the local environment.
- Correlate suspected Rubeus execution with identity events, privilege changes, lateral movement indicators, and ransomware or destructive-attack response playbooks where relevant.
- Account for false positives from administrators, red teams, and identity assessment tools that may legitimately test Kerberos or Active Directory configuration.
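As an added example (not part of the ATT&CK object or the Glexia analysis on this page), the Python below applies the review points in this list to constructed Windows Event ID 4768 (TGT request) and 4769 (service ticket request) records: it flags a requester that pulls service tickets for many distinct services inside a short window, flags TGT requests logged with PreAuthType 0 (no preauthentication), and keeps findings that originate from an allowlisted assessment host but marks them instead of dropping them. The event records, field names, host addresses and thresholds are constructed assumptions; the encryption type code 0x17 for RC4-HMAC is the documented Kerberos etype value.

```python
"""Kerberos abuse triage over domain controller events (added example).

Assumes Event ID 4768 and 4769 records have been exported from domain
controllers into dicts carrying the standard field values. The events, the
assessment host and the thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC (Kerberos etype 23)
# Hosts authorised to run identity assessments; constructed, keep yours in a CMDB.
ASSESSMENT_HOSTS = {"10.0.5.250"}


def ev(eid, time, account, ip, **fields):
    """Build one constructed event record."""
    return {"id": eid, "time": time, "account": account, "ip": ip, **fields}


EVENTS = [
    # One user account pulling RC4 service tickets for six services in 100 seconds
    ev(4769, "2024-03-01T09:00:01", "jsmith", "10.0.8.14", service="svc_sql", etype=0x17),
    ev(4769, "2024-03-01T09:00:02", "jsmith", "10.0.8.14", service="svc_http", etype=0x17),
    ev(4769, "2024-03-01T09:00:04", "jsmith", "10.0.8.14", service="svc_mssql02", etype=0x17),
    ev(4769, "2024-03-01T09:00:07", "jsmith", "10.0.8.14", service="svc_backup", etype=0x17),
    ev(4769, "2024-03-01T09:01:10", "jsmith", "10.0.8.14", service="svc_sharepoint", etype=0x17),
    ev(4769, "2024-03-01T09:01:40", "jsmith", "10.0.8.14", service="svc_exchange", etype=0x17),
    ev(4769, "2024-03-01T09:01:41", "jsmith", "10.0.8.14", service="svc_sql", etype=0x17),  # repeat
    # Ordinary AES service tickets spread over the day
    ev(4769, "2024-03-01T08:00:00", "backupsvc", "10.0.2.2", service="svc_backup", etype=0x12),
    ev(4769, "2024-03-01T10:30:00", "backupsvc", "10.0.2.2", service="svc_fileshare", etype=0x12),
    # Same burst pattern from the authorised assessment host
    ev(4769, "2024-03-01T11:00:00", "redteam", "10.0.5.250", service="svc_sql", etype=0x17),
    ev(4769, "2024-03-01T11:00:01", "redteam", "10.0.5.250", service="svc_http", etype=0x17),
    ev(4769, "2024-03-01T11:00:02", "redteam", "10.0.5.250", service="svc_backup", etype=0x17),
    ev(4769, "2024-03-01T11:00:03", "redteam", "10.0.5.250", service="svc_sharepoint", etype=0x17),
    ev(4769, "2024-03-01T11:00:04", "redteam", "10.0.5.250", service="svc_exchange", etype=0x17),
    # TGT requests: one without preauthentication (PreAuthType 0), one normal (2)
    ev(4768, "2024-03-01T09:05:00", "legacyapp", "10.0.8.14", preauth=0, etype=0x17),
    ev(4768, "2024-03-01T08:30:00", "jsmith", "10.0.8.14", preauth=2, etype=0x12),
]


def _t(e):
    return datetime.fromisoformat(e["time"])


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=5):
    """Flag (account, source IP) pairs that requested service tickets for at least
    `min_services` distinct services inside any `window`; many distinct SPNs from one
    requester in a short time is the request pattern behind T1558.003."""
    by_requester = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            by_requester[(e["account"], e["ip"])].append(e)
    findings = []
    for (account, ip), reqs in by_requester.items():
        reqs.sort(key=_t)
        best, best_rc4, start = set(), 0, 0
        for end in range(len(reqs)):            # sliding window over sorted requests
            while _t(reqs[end]) - _t(reqs[start]) > window:
                start += 1
            span = reqs[start:end + 1]
            services = {r["service"] for r in span}
            if len(services) > len(best):
                best = services
                best_rc4 = sum(1 for r in span if r["etype"] == RC4_HMAC)
        if len(best) >= min_services:
            findings.append({"technique": "T1558.003", "account": account, "ip": ip,
                             "distinct_services": len(best), "rc4_requests": best_rc4,
                             "allowlisted": ip in ASSESSMENT_HOSTS})
    return findings


def asrep_candidates(events):
    """Flag TGT requests logged with PreAuthType 0 (no preauthentication), the
    account condition that AS-REP roasting (T1558.004) depends on."""
    return [{"technique": "T1558.004", "account": e["account"], "ip": e["ip"],
             "allowlisted": e["ip"] in ASSESSMENT_HOSTS}
            for e in events if e["id"] == 4768 and e.get("preauth") == 0]


def triage(events):
    """Combine both checks; allowlisted findings are kept but marked so analysts
    can confirm the assessment was scheduled rather than silently suppressing them."""
    return kerberoast_candidates(events) + asrep_candidates(events)


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

The thresholds are the part that needs local baselining: a backup or monitoring account that legitimately touches dozens of SPNs every hour will trip a five-service rule, so tune `window` and `min_services` per requester class rather than globally, and carry the `allowlisted` flag into the alert instead of filtering the event out so the red team's activity still leaves an auditable trace.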
Mitigation priorities
- Harden Active Directory and Kerberos fundamentals first: reduce unnecessary privileged access, review service account exposure, and remove weak or unnecessary configurations such as accounts that do not require Kerberos preauthentication where business use does not justify it.
- Inventory and govern SPNs, service accounts, and domain trusts so defenders can distinguish expected Kerberos behavior from discovery or credential-access activity.
- Protect and monitor highly privileged accounts, especially assets whose compromise would enable forged-ticket scenarios such as Golden Ticket activity.
- Ensure incident response plans include identity containment steps, Kerberos-related evidence collection, and decision criteria for credential rotation or domain recovery actions.
- Use tabletop and detection validation exercises to prove that SOC, identity, and infrastructure teams can investigate Kerberos abuse without depending on tool-name alerts alone.
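The first two mitigation items above (removing unjustified no-preauthentication accounts, and inventorying SPNs and service accounts) can be turned into a repeatable review. The Python below is an added example, not Glexia's or MITRE's code: it walks a constructed directory export and reports accounts with the DONT_REQ_PREAUTH flag set, user accounts with SPNs that are limited to RC4 or have no encryption types set, SPN accounts with stale passwords, and SPN accounts that sit in privileged groups. The userAccountControl and msDS-SupportedEncryptionTypes bit values are the documented Active Directory values; the account records, the password-age limit and the privileged-group list are constructed assumptions.

```python
"""Service account and preauthentication exposure review (added example).

Assumes a directory export of user objects carrying userAccountControl,
servicePrincipalName, msDS-SupportedEncryptionTypes, password age in days and
group membership. The accounts and the privileged-group list are constructed.
"""
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: Kerberos preauthentication not required
ETYPE_RC4 = 0x4               # msDS-SupportedEncryptionTypes bits
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10
AES_ANY = ETYPE_AES128 | ETYPE_AES256
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # constructed


def acct(sam, uac, spns=(), enc=0, pwd_age_days=0, groups=()):
    """Build one constructed account record as it would come from a directory export."""
    return {"sam": sam, "uac": uac, "spns": list(spns), "enc": enc,
            "pwd_age_days": pwd_age_days, "groups": list(groups)}


ACCOUNTS = [
    # SQL service account: user object with an SPN, RC4 only, four-year-old password, Domain Admin
    acct("svc_sql", 0x10200, ["MSSQLSvc/db01.corp.example:1433"], 0x4, 1460, ["Domain Admins"]),
    # Legacy application account with preauthentication switched off
    acct("legacyapp", 0x400200, pwd_age_days=800),
    # Well-managed service account: AES only, recent password, no privileged groups
    acct("svc_web", 0x200, ["HTTP/web01.corp.example"], 0x18, 40),
    # SPN present but encryption types never set, so the domain default applies
    acct("svc_backup", 0x200, ["backup/bk01.corp.example"], 0, 200, ["Backup Operators"]),
    # Ordinary user
    acct("jsmith", 0x200, pwd_age_days=30),
]


def review_account(a, max_pwd_age_days=365):
    """Return the exposure findings for one account; an empty list means nothing to act on."""
    findings = []
    if a["uac"] & DONT_REQ_PREAUTH:
        findings.append("preauth-disabled")       # AS-REP roasting exposure (T1558.004)
    if a["spns"]:                                 # user accounts with SPNs are Kerberoastable (T1558.003)
        if a["enc"] == 0:
            findings.append("spn-enctype-unset")  # domain default applies; verify it is AES
        elif not a["enc"] & AES_ANY:
            findings.append("spn-rc4-only")       # RC4 tickets are far weaker against offline guessing
        if a["pwd_age_days"] > max_pwd_age_days:
            findings.append("spn-stale-password")
        if set(a["groups"]) & PRIVILEGED_GROUPS:
            findings.append("spn-privileged")     # a recovered password here is a domain compromise
    return findings


def review_directory(accounts):
    """Map each account that has findings to its finding list."""
    report = {}
    for a in accounts:
        f = review_account(a)
        if f:
            report[a["sam"]] = f
    return report


def prioritised(report):
    """Order accounts for remediation: privileged SPN accounts first, then by finding count."""
    return sorted(report, key=lambda sam: ("spn-privileged" not in report[sam],
                                           -len(report[sam]), sam))


if __name__ == "__main__":
    rep = review_directory(ACCOUNTS)
    for sam in prioritised(rep):
        print(f"{sam:12} {', '.join(rep[sam])}")
```

Run against a real export, the ordered report doubles as the inventory the second mitigation item asks for: every SPN account is enumerated with its encryption and privilege posture, and the business justification for each `preauth-disabled` entry can be recorded next to it.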
Analyst notes and limits
The strongest defensive value is in mapping Rubeus to Kerberos abuse scenarios and validating identity telemetry. ATT&CK lists Windows as the platform and links the tool to credential-access and discovery techniques. Relationship context also shows use by named campaigns and a group, including ransomware-related reporting in the official description, but local risk depends on the organization’s Active Directory design, logging, and service account practices.
MITRE provides no official detection text for this software object, and tactics are not specified on the tool itself. This take uses only supplied ATT&CK fields, references, and relationships; it does not assert current activity, customer exposure, or guaranteed detection. Environment-specific baselining is required to determine what is suspicious.
Rubeus
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1558.003 | Kerberoasting (sub-technique) | Rubeus can use the `KerberosRequestorSecurityToken.GetRequest` method to request kerberoastable service tickets. [1] |
| Enterprise | T1482 | Domain Trust Discovery | Rubeus can gather information about domain trusts. [3][4] |
| Enterprise | T1558.002 | Silver Ticket (sub-technique) | Rubeus can create silver tickets. [1] |
| Enterprise | T1558.004 | AS-REP Roasting (sub-technique) | Rubeus can reveal the credentials of accounts that have Kerberos pre-authentication disabled through AS-REP roasting. [1][3][4] |
| Enterprise | T1558.001 | Golden Ticket (sub-technique) | Rubeus can forge a ticket-granting ticket. [1] |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 81e39caa6422… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] GitHub Rubeus March 2023. Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.
[2] FireEye KEGTAP SINGLEMALT October 2020. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
[3] DFIR Ryuk's Return October 2020. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.
[4] DFIR Ryuk 2 Hour Speed Run November 2020. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
[5] mitre-attack S1071.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.