Rubeus Createnetonly (Kerberos)
Tools
Overview of Rubeus createnetonly
The createnetonly action uses the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. Specific Kerberos tickets can then be applied to this process's logon session with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing TGTs for the current logon session.
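For detection, a logon of type 9 created through the Secondary Logon service is recorded as Security event 4624 with LogonProcessName "seclogo", and its TargetLogonId is the LUID of the new session. The following is an added example, not code from this page or from the Rubeus project; it assumes logon auditing is enabled and events are exported as XML, and every event in it is constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Flatten one Security event XML into {'EventID': ..., <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def netonly_logons(events_xml):
    """Return 4624 logons of type 9 (NewCredentials) created via Secondary Logon."""
    hits = []
    for ev in map(parse_event, events_xml):
        if ev["EventID"] != "4624" or ev.get("LogonType") != "9":
            continue
        if ev.get("LogonProcessName", "").lower() != "seclogo":
            continue
        hits.append({
            "luid": int(ev["TargetLogonId"], 16),           # new logon session (LUID)
            "creator_luid": int(ev["SubjectLogonId"], 16),  # session that asked for it
            "local_user": ev.get("TargetUserName", ""),
            "outbound_user": ev.get("TargetOutboundUserName", ""),
        })
    return hits

def _sample(event_id, **data):
    """Build a constructed, minimal event; real events carry many more fields."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed sample data: an interactive logon, a type 9 logon, and a logoff.
SAMPLE_EVENTS = [
    _sample(4624, LogonType=2, LogonProcessName="User32 ", SubjectLogonId="0x3e7",
            TargetLogonId="0x5f1a2", TargetUserName="alice"),
    _sample(4624, LogonType=9, LogonProcessName="seclogo", SubjectLogonId="0x5f1a2",
            TargetLogonId="0xa41c7", TargetUserName="alice",
            TargetOutboundUserName="example-user"),
    _sample(4634, LogonType=9, TargetLogonId="0xa41c7", TargetUserName="alice"),
]

if __name__ == "__main__":
    for hit in netonly_logons(SAMPLE_EVENTS):
        print(f"NewCredentials logon: LUID {hit['luid']:#x} from session "
              f"{hit['creator_luid']:#x}, outbound user {hit['outbound_user']!r}")
```

Legitimate runas /netonly use produces the same event, so a hit is a lead to correlate with Kerberos ticket activity for the returned LUID, not a verdict on its own.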
Tags
Defense Evasion
Privilege Escalation
Credential Access
Splunk
Kerberoasting
Steal or Forge Kerberos Tickets