TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
createnetonly command calls CreateProcessWithLogonW with the LOGON32_LOGON_NEW_CREDENTIALS flag, which allocates a fresh logon session for the new process without touching the caller’s session. Network authentication from the new process uses the credentials supplied to createnetonly, while interactive authentication still uses the caller’s identity. This is the same mechanism that runas /netonly exploits and it is the foundation Rubeus uses when other commands (such as asktgt) need a clean session to inject a resulting ticket into.
Flags
Full path to the executable to launch. Quote the path if it contains spaces (e.g.
"C:\Windows\System32\cmd.exe").Display the spawned process window. By default the window is hidden.
Username for the new logon session. Must be combined with
/password and /domain; all three are required when supplying explicit credentials.Domain for the explicit credentials (e.g.
CORP). Required when /username is set.Password for the explicit credentials. Required when
/username is set.A base64-encoded
.kirbi blob or path to a .kirbi file to inject into the new logon session immediately after the process starts.When
/username, /password, and /domain are all omitted, Rubeus generates random values. The process still receives a new, isolated logon session — the random credentials are never actually validated against a domain controller.Examples
Create a hidden cmd.exe with random credentials
The most common use: open a sacrificial session in the background, then inject a ticket into it with a subsequentptt call or by passing /ticket.
Create a visible process window
Add/show to bring the process window to the foreground so you can interact with it directly.
Create a process and inject a ticket immediately
Pass a.kirbi file (or base64 blob) with /ticket to inject the ticket into the new session as part of the same operation.
Create a process with specific credentials
Supply all three of/username, /domain, and /password to stamp the new logon session with real — or crafted — credentials for network authentication.