Rubeus
Rubeus is a C#-based Kerberos interaction and abuse toolset used in Windows Active Directory environments. The provided content directly associates it with raw Kerberos interaction and abuse, including requesting Kerberos TGTs, crafting or forging Kerberos tickets, Pass-the-Ticket activity, Kerberoasting, AS-REP Roasting, Kerberos ticket export, and gathering information about domain trusts. It is also referenced in certificate-abuse workflows where a forged or compromised certificate is used to request a Kerberos TGT, and in one case adversaries used it to forge a Diamond Ticket. The content also shows Rubeus being executed in memory via Cobalt Strike and appearing as Rubeus.exe or Invoke-Rubeus, with one Sysmon example showing C:\Tools\Rubeus.exe accessing winlogon.exe.
Rubeus is described as publicly available and has been used by multiple threat actors and campaigns in the supplied material. These include Wizard Spider; Vice Society activity observed by Trend Micro; Russia-aligned Sandworm in the December 2025/2026 Poland energy-sector DynoWiper intrusion and broader Poland wiper attacks; the Russian SVR crafting TGTs for long-term access; and Cisco Talos-tracked UAT-8837, assessed with medium confidence as China-nexus, targeting North American critical infrastructure. In these contexts, Rubeus was used for credential access, Kerberos abuse, and Active Directory post-compromise operations. The content also notes attempted downloads of the tool, YARA hits for it in memory captures, and use alongside tools such as Cobalt Strike, Mimikatz, Certipy, BloodHound, AdFind, Impacket, and GoTokenTheft.
Targeting in the provided material is primarily enterprise Windows and on-premises Active Directory environments, including critical infrastructure and energy organizations, as well as manufacturing and other enterprise sectors. High-confidence indicators and artifacts mentioned in the content include the names Rubeus, Invoke-Rubeus, and Rubeus.exe; the path C:\Tools\Rubeus.exe; attempted download to c:\users\<USERNAME>\downloads\rubeus.exe; command-line detections tied to Pass-the-Ticket, Kerberoasting, and AS-REP Roasting; unusual Kerberos TGT requests that may indicate Rubeus use following PetitPotam/CVE-2021-36942 exploitation; and a Sysmon Event ID 10 example where Rubeus.exe accessed C:\Windows\system32\winlogon.exe with GrantedAccess 0x1f3fff.
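The artifacts above can be turned into a small triage check. The following is an added example written for this page, not code from Rubeus or from Mallory; it assumes Sysmon-style field names (EventID, SourceImage, TargetImage, GrantedAccess, Image, CommandLine), takes the indicator values from the text (Rubeus.exe, Invoke-Rubeus, C:\Tools\Rubeus.exe, the downloads path, winlogon.exe opened with GrantedAccess 0x1f3fff) and the verbs kerberoast, asreproast and ptt that the page ties to Kerberoasting, AS-REP Roasting and Pass-the-Ticket, and runs over a constructed set of sample events rather than real telemetry.

```python
"""Triage constructed Sysmon-style events for the Rubeus artifacts named on the page.

Added example: not Rubeus, Mallory or vendor code. Field names follow Sysmon's
schema (assumption); indicator values come from the page text; events are constructed.
"""
import re

# Indicators taken from the page (lower-cased for comparison).
RUBEUS_NAMES = ("rubeus.exe", "invoke-rubeus")
RUBEUS_PATHS = ("c:\\tools\\rubeus.exe", "\\downloads\\rubeus.exe")
SENSITIVE_TARGET = "\\winlogon.exe"   # TargetImage in the page's Sysmon Event ID 10 example
FULL_ACCESS = 0x1F3FFF                 # GrantedAccess in that example
# Command-line verbs the page associates with Kerberoasting, AS-REP Roasting and Pass-the-Ticket.
VERB_RE = re.compile(r"\b(kerberoast|asreproast|ptt)\b", re.IGNORECASE)


def _lower(value) -> str:
    return (value or "").lower()


def triage(event: dict) -> list:
    """Return a list of human-readable reasons this event matches a page indicator."""
    reasons = []
    event_id = event.get("EventID")
    if event_id == 10:  # ProcessAccess
        src = _lower(event.get("SourceImage"))
        tgt = _lower(event.get("TargetImage"))
        granted = int(event.get("GrantedAccess", "0"), 16)  # "0x1F3FFF" -> 0x1f3fff
        if src.endswith("\\rubeus.exe"):
            reasons.append("Sysmon 10: source image is Rubeus.exe")
        if tgt.endswith(SENSITIVE_TARGET) and granted == FULL_ACCESS:
            target_name = tgt.rsplit("\\", 1)[-1]
            reasons.append("Sysmon 10: %s opened with GrantedAccess 0x%x" % (target_name, granted))
    elif event_id == 1:  # ProcessCreate
        image = _lower(event.get("Image"))
        cmd = _lower(event.get("CommandLine"))
        if image.endswith("\\rubeus.exe") or any(p in image for p in RUBEUS_PATHS):
            reasons.append("Sysmon 1: Rubeus.exe image path")
        if any(name in cmd for name in RUBEUS_NAMES):
            reasons.append("Sysmon 1: Rubeus name in command line")
        match = VERB_RE.search(cmd)
        if match:
            # A verb alone is lower confidence; it is reported so the reviewer can
            # correlate it with the image and user context.
            reasons.append("Sysmon 1: Rubeus-style verb '%s' in command line" % match.group(1))
    return reasons


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Tools\\Rubeus.exe",
     "TargetImage": "C:\\Windows\\system32\\winlogon.exe", "GrantedAccess": "0x1F3FFF"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Invoke-Rubeus -Command 'kerberoast'"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\system32\\winlogon.exe", "GrantedAccess": "0x1000"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map the index of each matching event to its reasons; benign events are omitted."""
    return {i: triage(e) for i, e in enumerate(events) if triage(e)}


if __name__ == "__main__":
    for idx, reasons in run().items():
        print(idx, reasons)
```

The GrantedAccess test is deliberately exact: the page reports 0x1f3fff (PROCESS_ALL_ACCESS) against winlogon.exe, and a looser mask check would pull in ordinary system activity such as the svchost.exe record in the sample set.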
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue.
This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam).
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.
The threat actor also used the Rubeus C# toolset for raw Kerberos interaction and abuse...
“To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs).”
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
1 technique
Persistence
3 techniques
These issued certificates can then be used with Rubeus to authenticate to Active Directory as this user, for as long as the certificate is valid.
Table 1 lists the Cortex XDR alerts and the associated MITRE ATT&CK techniques these alerts detect. Alert Name: Possible Privilege Escalation using Delegated MSA account. Alert Source: XDR Analytics, Identity Analytics. ATT&CK Technique: Account Manipulation (T1098).
We've also implemented support for the /opsec flag in Diamond tickets to ensure the network traffic generated during ticket creation matches genuine Windows Kerberos behavior. When enabled, the AS-REQ/AS-REP exchange follows Windows' standard two-step authentication pattern: first sending an AS-REQ without pre-authentication, then responding to the KDC's PREAUTH_REQUIRED error with a properly formatted pre-authenticated request.
Privilege Escalation
4 techniques
Stealth
3 techniques
In Conquest, it is possible to use the ptt command to directly inject the ticket into the current logon session to impersonate the target user.
Sliver – We tested ... execute-assembly against Seatbelt and Rubeus ... Watching execute-assembly Rubeus.exe kerberoast complete successfully against a domain controller, through a WASM-bridged COM call into the CLR running a loaded Rubeus assembly, was significantly more rewarding ...
Defense Impairment
2 techniques
[*] Delegation rights modified succesfully! [*] S-1-5-21-3104832133-133926542-3798009529-1106 can now impersonate users on WORKSTATION$ via S4U2Proxy
Credential Access
8 techniques
Tools used by APT29... Their toolkit includes... Mimikatz... Rubeus...
On our low privilege machine, we can use MS-RPRN, as an example, to force the domain controller to connect to WinServ-2022.
Unlike Golden Tickets, which involve forging a TGT entirely from scratch using only the KRBTGT key and essential metadata, Diamond Tickets take a more “genuine” approach. They begin with a legitimate AS-REQ to the domain controller (DC) to obtain a valid TGT via AS-REP, which is then decrypted, modified (for example, PAC attributes), and re-encrypted using the KRBTGT AES256 key.
Our update allows you to apply the Diamond forgery technique to service tickets, which are normally issued based on a legitimate TGT. With this change, you can now forge a TGS directly using a legitimate or forged Kerberos ticket blob and the AES service key (i.e., the key used to encrypt the service ticket). Originally limited to TGTs, this advancement calls into question the continued relevance of Silver Tickets, which lack the visible legitimacy of a genuine authentication flow and are easier to detect in modern environments.
Discovery
3 techniques
Rubeus extracts the root Active Directory (AD) domain’s Kerberos policies and password policies primarily from the GptTmpl.inf file, which is stored in the SYSVOL directory for Group Policy Objects (GPOs).
Lateral Movement
3 techniques
Mounting Process: Uses SMB (port 445) to authenticate to the DC and access SYSVOL.
Accesses:
\\<DC>\IPC$ → Used for administrative access (initial connection)
\\<DC>\SYSVOL → Stores domain-wide GPOs (superseding connection)
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Post-exploitation tool used to forge Kerberos Diamond Tickets for authentication abuse.
Rubeus is referenced as a tool that can request Kerberos TGTs in a suspicious or non-standard manner after PetitPotam exploitation, potentially enabling unauthorized access, privilege escalation, and persistence.
Credential-theft tool used pre-wiper deployment to obtain/abuse credentials in the compromised environment.
A Kerberos abuse and credential theft tool used for token manipulation and related AD credential access techniques.