Agentic Detection Engineering is here. Let’s talk at RSAC — Booth #350
Meet with us at RSAC
On-Demand Webinar

Rubeus Createnetonly (Kerberos)

Tools
May 4, 2021 12:00 AM
CST
Online
On-Demand Webinar

Rubeus Createnetonly (Kerberos)

Detection Strategies

Overview of Rubeus createnetonly

The createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. This process can then be used to apply specific Kerberos tickets to with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing TGTs for the current logon session.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

Credential Access

Splunk

Kerberoasting

Steal or Forge Kerberos Tickets

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series
Leave Your Data Where You Want: Detect Across Snowflake
Watch

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series
MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot
Watch
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2025 Anvilogic. All Rights Reserved.
Agentic Detection Engineering is here. Let’s talk at RSAC — Booth #350
Meet with us at RSAC
White Paper

Rubeus Createnetonly (Kerberos)

Tools
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2025 Anvilogic. All Rights Reserved.
Agentic Detection Engineering is here. Let’s talk at RSAC — Booth #350
Meet with us at RSAC
May 4, 2021

Rubeus Createnetonly (Kerberos)

Tools
No items found.

Overview of Rubeus createnetonly

The createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. This process can then be used to apply specific Kerberos tickets to with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing TGTs for the current logon session.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

Credential Access

Splunk

Kerberoasting

Steal or Forge Kerberos Tickets

Resources

No items found.

Build Detection You Want,
Where You Want

Build Detection You Want,
Where You Want

Book a Demo