Rubeus

Splunk-ShadowRoast

April 14, 2026

Splunk SOC SIEM Log Analysis DFIR Windows Sysmon Active Directory AS-REP Roasting Rubeus Mimikatz Credential Dumping Process Injection Fileless Malware PowerShell RDP

A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.

↑