Found a funny way to detect Rubeus. There's a typo in the process name used when calling LsaRegisterLogonProcess, which shows up in the Windows audit logs. Not sure if that was intentional given the code comment right next to it.
Ok, pinvoke.dev is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
Using @rogue_kdc's CVE-2019-084 to backdoor the LAPS AdmPwd DLL and get code exec as SYSTEM on each Group Policy update.
Thanks to @_RythmStick for the idea of targeting LAPS for the priv esc.