Blog

Upcoming Webinar

On-Demand Webinar

On-Demand Webinar

Blog

2021-05-04

Rubeus Createnetonly (Kerberos)

Rubeus Createnetonly (Kerberos)

Overview of Rubeus createnetonly

The createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. This process can then be used to apply specific Kerberos tickets to with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing TGTs for the current logon session.

References

https://github.com/GhostPack/Rubeus#createnetonly

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

Credential Access

Splunk

Kerberoasting

Steal or Forge Kerberos Tickets

Chat with our team to receive a free maturity assessment

You May Also Like

Forge Charged News: The Most Electrifying News From August 2023

Defending Against MFA Attack Techniques

Ready to learn more about Anvilogic?

Kickstart your security operations

Contact Sales Request Demo

Anvilogic provided the necessary threat detection automation for our small SOC, adding a significant force-multiplier advantage for my team.

Lucas Moody

CISO, formerly Twitter

Contact Sales Request Demo