
A diamond ticket starts life as a legitimate TGT obtained from the KDC — using a password, hash, certificate, or the tgtdeleg delegation trick — and then has its PAC decrypted and modified in-place before being re-encrypted with the KRBTGT key. Because the KDC issued the underlying ticket, the ticket number (nonce), encryption type, and overall structure are genuine. Only the PAC fields (username, user ID, group memberships, extra SIDs) are changed. This makes diamond tickets substantially harder to detect than golden tickets: they carry a real KDC-assigned ticket number and use the domain’s actual supported encryption types.

Base TGT Acquisition Modes

Mode | Required flags | Description
Password / hash | /user + (/password or one of /des, /rc4, /aes128, /aes256) | Request a TGT using AS-REQ with the supplied credential
Certificate | /user + /certificate (+ /password for the PFX store password) | Request a TGT via PKINIT using a PKCS12 certificate
tgtdeleg | /tgtdeleg | Obtain a usable TGT for the current user by abusing Kerberos GSS-API delegation without any credentials

Flag Reference

User Identity

/user
USER
Username for the AS-REQ. Accepts DOMAIN\user format; the domain component also sets /domain. Required for password, hash, and certificate modes. Not used with /tgtdeleg.

Credential (pick one, or use /certificate / /tgtdeleg)

/password
PASSWORD
Plaintext password. Rubeus derives the correct hash from the password and domain/username salt, including computer account and SAM-spoofing edge cases. Use /enctype alongside /password to select the desired AS-REQ encryption type.
/des
HASH
DES (des_cbc_md5) key for the AS-REQ.
/rc4
HASH
RC4/NTLM key for the AS-REQ. Alias: /ntlm.
/ntlm
HASH
Alias for /rc4. RC4/NTLM key for the AS-REQ.
/aes128
HASH
AES-128 key for the AS-REQ.
/aes256
HASH
AES-256 key for the AS-REQ.
/enctype
DES|RC4|AES128|AES256
Explicitly specify the encryption type for the AS-REQ when using /password. Accepts DES, RC4, NTLM, AES128, AES256, or AES.

Certificate Mode

/certificate
PATH
Path to a PKCS12 (.pfx) certificate file used to request the TGT via PKINIT. Supply the certificate store password with /password if the PFX is password-protected.

Delegation Mode

/tgtdeleg
flag
Obtain the base TGT using tgtdeleg (Kerberos GSS-API fake delegation) without supplying any credentials. The current user’s session key is used; no elevated privileges are required to obtain the ticket.

SAM Spoofing

/oldsam
USERNAME
When using /password with a computer account whose sAMAccountName was previously spoofed (CVE-2021-42278), supply the old sAMAccountName here so that the correct Kerberos AES salt is computed.

PAC Re-signing

/krbkey
HASH
KRBTGT key used to re-sign the modified PAC’s ServerChecksum and KDCChecksum. Required for the modified PAC to be accepted by domain controllers. Without this, the ticket will fail PAC validation.

PAC Modification

/ticketuser
USERNAME
Username to inject into the PAC’s EffectiveName, ClientName, and UpnDns fields, replacing the real user. The ticket’s cname and enc_part.ticket_info[0].pname are updated to match.
/ticketuserid
USER_ID
RID to write into the PAC UserId field. Also updates the Requestor and UpnDns SID fields when the UPN DNS buffer carries an extended SID.
/groups
GROUP_IDS
Comma-separated group RIDs to replace the real group membership list in the PAC. Defaults to 520,512,513,519,518 (Domain Admins, Enterprise Admins, etc.).
/sids
EXTRA_SIDS
Comma-separated SIDs added to the ExtraSids PAC field for cross-domain access or SID history abuse.

Domain and DC

/domain
DOMAIN
Fully-qualified domain name. Resolved from /user if supplied in DOMAIN\user format.
/dc
DOMAIN_CONTROLLER
Hostname or IP of the domain controller to send the AS-REQ to.

Logon Session Targeting

/luid
LUID
Target a specific logon session LUID when injecting the ticket. Requires high-integrity (elevated) context.
/createnetonly
PATH
Create a new hidden process using CreateProcessWithLogonW (LOGON_NETCREDENTIALS_ONLY) and apply the forged ticket to its new logon session. Requires high integrity. The created process’s LUID is used automatically.
/show
flag
Make the process created by /createnetonly visible rather than hidden.

Output and Injection

/outfile
FILENAME
Write the resulting .kirbi to this file (suffixed with timestamp and user/service names).
/ptt
flag
Inject the forged ticket into the current (or /luid-targeted) logon session via LSASS (pass-the-ticket).

Usage Examples

Rubeus.exe diamond /user:jdoe /password:Summer2024! /domain:corp.example.com /krbkey:9E1A3A96E2E1B53A31393AE3F45A5B5F7AC01A5D4B93E9A8F3B2C6D8E7F0A2B4 /ticketuser:Administrator /ticketuserid:500 /groups:520,512,513,519,518 /ptt

Diamond tickets are strongly preferred over golden tickets in modern Active Directory environments. A golden ticket is built entirely offline and has no corresponding entry in the KDC’s ticket database, so its nonce, ticket number, and session key are entirely synthetic — a discrepancy that sophisticated detections can flag. A diamond ticket carries the KDC’s real nonce, is associated with a genuine AS-REQ log entry (event 4768), and uses the domain’s actual negotiated encryption type. The only modification is the PAC content, which is never logged by Windows. When the KRBTGT key is known, always prefer diamond over golden for reduced forensic footprint.
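The paragraph above gives defenders one lead: the AS-REQ is logged as a genuine event 4768 for the requesting account (the /user value), but the cname and PAC are rewritten to /ticketuser, so every later service-ticket request made with that TGT is logged as event 4769 under the injected name. The script below, an added example that is not part of the Rubeus project or this page, correlates the two event types and flags 4769 records whose account never obtained a TGT from the same client address. The `key=value` log format, the sample events, and the 10-hour window (the default TGT lifetime) are constructed assumptions; real 4768/4769 events would need to be exported from the Security log of every domain controller, since each DC logs only the requests it served.

```python
# Added example (not Rubeus code): flag 4769 service-ticket requests whose
# account has no matching 4768 TGT request from the same client address.
#
# Rationale (from the page): a diamond ticket's AS-REQ is logged as 4768 for
# the real requester, while the rewritten cname makes subsequent TGS-REQs
# appear under /ticketuser in 4769. An account that presents a TGT it never
# visibly requested is therefore worth a closer look.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KerbEvent:
    event_id: int          # 4768 = AS-REQ (TGT issued), 4769 = TGS-REQ (service ticket)
    timestamp: datetime
    account: str           # TargetUserName, lower-cased, realm stripped
    client_ip: str         # IpAddress field of the event


def parse_event(line: str) -> KerbEvent:
    """Parse one constructed 'key=value' log line (fictional export format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    account = fields["account"].split("@")[0].lower()
    return KerbEvent(
        event_id=int(fields["id"]),
        timestamp=datetime.fromisoformat(fields["ts"]),
        account=account,
        client_ip=fields["ip"],
    )


def find_unmatched_tgs(events: List[KerbEvent],
                       window: timedelta = timedelta(hours=10)) -> List[KerbEvent]:
    """Return 4769 events with no 4768 for (account, client_ip) within `window` before them.

    `window` assumes the default 10-hour maximum TGT lifetime; a longer retention
    or renewal (event 4770) policy would need a larger window.
    """
    tgts: Dict[Tuple[str, str], List[datetime]] = {}
    for ev in events:
        if ev.event_id == 4768:
            tgts.setdefault((ev.account, ev.client_ip), []).append(ev.timestamp)

    suspicious: List[KerbEvent] = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event_id != 4769:
            continue
        issued = tgts.get((ev.account, ev.client_ip), [])
        if not any(ev.timestamp - window <= t <= ev.timestamp for t in issued):
            suspicious.append(ev)
    return suspicious


def analyze(log_text: str) -> List[KerbEvent]:
    """Parse a multi-line log export and return the suspicious 4769 events."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return find_unmatched_tgs(events)


# Constructed sample: jdoe and mlee request TGTs normally; the last line is a
# service-ticket request under 'Administrator' from jdoe's host with no 4768.
SAMPLE_LOG = """
id=4768 ts=2024-06-03T08:00:00 account=jdoe@CORP.EXAMPLE.COM ip=10.0.0.25
id=4769 ts=2024-06-03T08:00:05 account=jdoe@CORP.EXAMPLE.COM ip=10.0.0.25
id=4768 ts=2024-06-03T08:10:00 account=mlee@CORP.EXAMPLE.COM ip=10.0.0.31
id=4769 ts=2024-06-03T08:11:00 account=mlee@CORP.EXAMPLE.COM ip=10.0.0.31
id=4769 ts=2024-06-03T08:12:00 account=Administrator@CORP.EXAMPLE.COM ip=10.0.0.25
"""

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"{hit.timestamp.isoformat()} 4769 for '{hit.account}' from "
              f"{hit.client_ip} without a preceding 4768")
```

Expect false positives from sessions whose TGT predates the collected log range and from renewals, and note that this heuristic only covers the cname rewrite; changes limited to the PAC's group list or ExtraSids leave the 4769 account name intact and are not visible here.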
