The createnetonly command calls CreateProcessWithLogonW with the LOGON32_LOGON_NEW_CREDENTIALS flag, which allocates a fresh logon session for the new process without touching the caller’s session. Network authentication from the new process uses the credentials supplied to createnetonly, while interactive authentication still uses the caller’s identity. This is the same mechanism that runas /netonly uses, and it is the foundation Rubeus relies on when other commands (such as asktgt) need a clean session into which the resulting ticket can be injected.

Flags

/program (string, required): Full path to the executable to launch. Quote the path if it contains spaces (e.g. "C:\Windows\System32\cmd.exe").

/show (flag): Display the spawned process window. By default the window is hidden.

/username (string): Username for the new logon session. Must be combined with /password and /domain; all three are required when supplying explicit credentials.

/domain (string): Domain for the explicit credentials (e.g. CORP). Required when /username is set.

/password (string): Password for the explicit credentials. Required when /username is set.

/ticket (string): A base64-encoded .kirbi blob or path to a .kirbi file to inject into the new logon session immediately after the process starts.

When /username, /password, and /domain are all omitted, Rubeus generates random values. The process still receives a new, isolated logon session; the random credentials are never actually validated against a domain controller.

Examples

Create a hidden cmd.exe with random credentials

The most common use: open a sacrificial session in the background, then inject a ticket into it with a subsequent ptt call or by passing /ticket.
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe"

Create a visible process window

Add /show to bring the process window to the foreground so you can interact with it directly.
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

Create a process and inject a ticket immediately

Pass a .kirbi file (or base64 blob) with /ticket to inject the ticket into the new session as part of the same operation.
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show /ticket:C:\tickets\jdoe.kirbi

Create a process with specific credentials

Supply all three of /username, /domain, and /password to stamp the new logon session with real — or crafted — credentials for network authentication.
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show /username:jdoe /domain:CORP /password:Summer2024!

The LUID of the new logon session is printed to the console after the process is created. Record it and pass it to /luid in subsequent ptt, dump, or triage commands to target that specific session.
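
From the defender's side, a LOGON32_LOGON_NEW_CREDENTIALS session is recorded as Security event 4624 with logon type 9, and its TargetLogonId is the LUID mentioned above. The following is an added example, not part of Rubeus or its documentation: it filters 4624 XML for such sessions and flags outbound credentials whose domain is not one the environment uses. The sample records are constructed and KNOWN_DOMAINS is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KNOWN_DOMAINS = {"CORP"}  # assumption: domains legitimately used in this environment

def sample_4624(logon_type, process, luid, out_user="-", out_domain="-"):
    """Build a trimmed, constructed 4624 record (not captured output)."""
    data = {"TargetUserName": "alice", "TargetLogonId": luid,
            "LogonType": logon_type, "LogonProcessName": process,
            "TargetOutboundUserName": out_user,
            "TargetOutboundDomainName": out_domain}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

SAMPLES = [
    sample_4624("2", "User32 ", "0x3e4a1"),                           # console logon
    sample_4624("9", "seclogo", "0x5f2c10", "jdoe", "CORP"),          # explicit creds
    sample_4624("9", "seclogo", "0x5f9b77", "QXZKTRWM", "PLHDVNSE"),  # random-looking
]

def netonly_logons(xml_events, known_domains=KNOWN_DOMAINS):
    """Return logon type 9 (NewCredentials) sessions, flagging unknown outbound domains."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {n.get("Name"): (n.text or "").strip()
             for n in root.iterfind("e:EventData/e:Data", NS)}
        if d.get("LogonType") != "9":
            continue
        domain = d.get("TargetOutboundDomainName", "")
        hits.append({
            "luid": d.get("TargetLogonId"),      # the new session's logon ID (LUID)
            "caller": d.get("TargetUserName"),   # local identity stays the caller's
            "outbound": f'{domain}\\{d.get("TargetOutboundUserName", "")}',
            "via_seclogon": d.get("LogonProcessName") == "seclogo",
            "unknown_domain": domain.upper() not in known_domains,
        })
    return hits

if __name__ == "__main__":
    for hit in netonly_logons(SAMPLES):
        print(hit)
```

Type 9 logons with a known domain also come from ordinary runas /netonly use, so the unknown_domain flag is the higher-priority signal here.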
