Invoke-Rubeus - Empire Module

This page contains detailed information about how to use the powershell/credentials/rubeus Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-Rubeus
Module: powershell/credentials/rubeus
Source code [1]: empire/server/modules/powershell/credentials/rubeus.yaml
Source code [2]: empire/server/data/module_source/credentials/Invoke-Rubeus.ps1
MITRE ATT&CK: T1208, T1097
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

The rubeus module rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization- without their prior work this project would not exist.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the rubeus module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the rubeus module:

Agent
Agent to run module on.

Additional Module Options

---

This is a list of additional options that are supported by the rubeus module:

Command
Use available Rubeus commands as a one-liner.

Rubeus Example Usage

---

Here's an example of how to use the rubeus module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/rubeus

 Author       @harmj0y                                                               
              @S3cur3Th1sSh1t                                                        
 Background   False                                                                  
 Comments     https://github.com/GhostPack/Rubeus                                    
              https://github.com/S3cur3Th1sSh1t/PowerSharpPack                       
 Description  Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is  
              heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0   
              license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 
              license). Full credit goes to Benjamin and Vincent for working out the 
              hard components of weaponization- without their prior work this        
              project would not exist.                                               
 Language     powershell                                                             
 Name         powershell/credentials/rubeus                                          
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1208                               
              http://attack.mitre.org/techniques/T1097                               


,Record Options---,----------,------------------------------------,
| Name    | Value | Required | Description                        |
|---------|-------|----------|------------------------------------|
| Agent   |       | True     | Agent to run module on.            |
|---------|-------|----------|------------------------------------|
| Command |       | False    | Use available Rubeus commands as a |
|         |       |          | one-liner.                         |
'---------'-------'----------'------------------------------------'

(Empire: usemodule/powershell/credentials/rubeus) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/rubeus) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @harmj0y
• @S3cur3Th1sSh1t

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/rubeus.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/credentials/Invoke-Rubeus.ps1
• https://github.com/GhostPack/Rubeus
• https://github.com/S3cur3Th1sSh1t/PowerSharpPack
• http://attack.mitre.org/techniques/T1208
• http://attack.mitre.org/techniques/T1097

See Also

---

Check also the following modules related to this module:

• powershell/credentials/vault_credential
• powershell/credentials/invoke_kerberoast
• powershell/credentials/DomainPasswordSpray
• powershell/credentials/sessiongopher
• powershell/credentials/invoke_internal_monologue
• powershell/credentials/powerdump
• powershell/credentials/enum_cred_store
• powershell/credentials/invoke_ntlmextract
• powershell/credentials/get_lapspasswords
• powershell/credentials/sharpsecdump
• powershell/credentials/credential_injection
• powershell/credentials/tokens
• powershell/credentials/mimikatz/pth
• powershell/credentials/mimikatz/silver_ticket
• powershell/credentials/mimikatz/cache
• powershell/credentials/mimikatz/command
• powershell/credentials/mimikatz/terminal_server
• powershell/credentials/mimikatz/extract_tickets
• powershell/credentials/mimikatz/keys
• powershell/credentials/mimikatz/sam
• powershell/credentials/mimikatz/trust_keys
• powershell/credentials/mimikatz/purge
• powershell/credentials/mimikatz/logonpasswords
• powershell/credentials/mimikatz/certs
• powershell/credentials/mimikatz/dcsync
• powershell/credentials/mimikatz/lsadump
• powershell/credentials/mimikatz/mimitokens
• powershell/credentials/mimikatz/golden_ticket
• powershell/credentials/mimikatz/dcsync_hashdump

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.