A diamond ticket starts life as a legitimate TGT obtained from the KDC, using a password, hash, certificate, or the tgtdeleg delegation trick. Rubeus then decrypts the ticket's encrypted part with the KRBTGT key, modifies the PAC in place, re-signs it, and re-encrypts the ticket with the same key. Because the KDC issued the underlying ticket, its times, flags, session key, encryption type and overall structure are genuine, and a real AS-REQ/AS-REP exchange took place for the original account. Only the PAC fields (username, user RID, group memberships, extra SIDs) and the matching client-name fields are changed. This makes diamond tickets substantially harder to detect than golden tickets, which are forged from scratch and therefore carry values the KDC never issued (for example an encryption type the domain does not normally use), whereas a diamond ticket uses the domain's actual supported encryption types.
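The paragraph above implies the one artifact a diamond ticket does leave behind: the KDC logged an AS-REQ (Event 4768) for the original account, but every TGS-REQ (Event 4769) made with the modified ticket names the injected account. The PowerShell below is an added example, not part of Rubeus or its documentation. It flattens 4768/4769 events, flags 4769 account names that never obtained a TGT from the same client address, and runs over two constructed sample events; the domain, addresses and account names are placeholders.

```powershell
# Added example (not Rubeus code): correlate 4768 (TGT issued) with 4769 (service ticket
# requested) per client address. A diamond ticket shows up as a 4769 for an account that
# never got a 4768 from that client, while another account on the same client did.
function ConvertFrom-KerbEventXml {
    # Flatten one Security event, given as [xml], into the fields the heuristic needs.
    param([xml]$Xml)
    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $eid = $Xml.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # element form when Qualifiers is set
    $ip = [string]$data['IpAddress']
    if ($ip -like '::ffff:*') { $ip = $ip.Substring(7) }            # IPv4-mapped form used by 4768/4769
    [pscustomobject]@{
        Id      = [int]$eid
        Time    = $Xml.Event.System.TimeCreated.SystemTime
        Status  = $data['Status']
        Account = (([string]$data['TargetUserName']) -split '@')[0].ToLower()   # 4769 logs user@REALM
        Client  = $ip
        Service = $data['ServiceName']
        EncType = $data['TicketEncryptionType']
    }
}

function Find-DiamondTicketCandidates {
    # Input: flattened 4768/4769 records. Output: successful 4769s whose account never had a
    # successful 4768 from the same client, plus the accounts on that client that did.
    param([object[]]$Records)
    $tgtIssued = @{}   # client IP -> hashtable of accounts that obtained a TGT from that IP
    foreach ($r in $Records | Where-Object { $_.Id -eq 4768 -and $_.Status -eq '0x0' }) {
        if (-not $tgtIssued.ContainsKey($r.Client)) { $tgtIssued[$r.Client] = @{} }
        $tgtIssued[$r.Client][$r.Account] = $true
    }
    foreach ($r in $Records | Where-Object { $_.Id -eq 4769 -and $_.Status -eq '0x0' }) {
        if ($r.Account.EndsWith('$')) { continue }   # machine accounts hold TGTs from boot, outside any window
        $seen = $tgtIssued[$r.Client]
        if ($seen -and $seen.ContainsKey($r.Account)) { continue }
        $holders = if ($seen) { ($seen.Keys | Sort-Object) -join ',' } else { '(none)' }
        [pscustomobject]@{
            Time               = $r.Time
            Account            = $r.Account
            Client             = $r.Client
            Service            = $r.Service
            EncType            = $r.EncType
            TgtHoldersOnClient = $holders   # the account that really authenticated from this host
        }
    }
}

# Constructed sample events (not real log data): lowpriv obtains a genuine AES-256 TGT from
# 10.0.0.5, then "administrator" requests a CIFS ticket from the same host with no AS-REQ of its own.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample4768 = @"
<Event xmlns="$ns"><System><EventID>4768</EventID><TimeCreated SystemTime="2024-05-01T10:00:00Z"/></System>
<EventData><Data Name="TargetUserName">lowpriv</Data><Data Name="TargetDomainName">CORP.LOCAL</Data>
<Data Name="IpAddress">::ffff:10.0.0.5</Data><Data Name="TicketEncryptionType">0x12</Data>
<Data Name="Status">0x0</Data></EventData></Event>
"@
$sample4769 = @"
<Event xmlns="$ns"><System><EventID>4769</EventID><TimeCreated SystemTime="2024-05-01T10:02:00Z"/></System>
<EventData><Data Name="TargetUserName">administrator@CORP.LOCAL</Data><Data Name="ServiceName">FS01$</Data>
<Data Name="IpAddress">::ffff:10.0.0.5</Data><Data Name="TicketEncryptionType">0x12</Data>
<Data Name="Status">0x0</Data></EventData></Event>
"@

$records = @($sample4768, $sample4769) | ForEach-Object { ConvertFrom-KerbEventXml ([xml]$_) }
Find-DiamondTicketCandidates -Records $records | Format-Table -AutoSize

# Against a live domain controller, feed the same functions from the Security log instead:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-24) } |
#       ForEach-Object { ConvertFrom-KerbEventXml ([xml]$_.ToXml()) } | Find-DiamondTicketCandidates
```

The encryption type in the sample is 0x12 (AES-256) on both events, which is exactly why an etype-based golden-ticket rule would stay silent here; the tell is the account/client mismatch. Treat the output as leads, not verdicts: the AS-REQ and the TGS-REQ can land on different domain controllers, so the two event streams must be collected centrally; a TGT obtained before the look-back window, or a client whose address changed (VPN, NAT), also produces a hit.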
Base TGT Acquisition Modes
| Mode | Required flags | Description |
|---|---|---|
| Password / hash | /user + either /password (optionally with /enctype) or one of /des, /rc4, /aes128, /aes256 | Request a TGT using an AS-REQ with the supplied credential |
| Certificate | /user + /certificate (+ /password for PFX store password) | Request a TGT via PKINIT using a PKCS12 certificate |
| tgtdeleg | /tgtdeleg | Obtain a usable TGT for the current user by abusing Kerberos GSS-API delegation without any credentials |
Flag Reference
All flags use the Rubeus /flag:value form.
User Identity
| Flag | Description |
|---|---|
| /user | Username for the AS-REQ. Accepts the DOMAIN\user format, in which case the domain component also sets /domain. Required for password, hash, and certificate modes. Not used with /tgtdeleg. |
Credential (pick one, or use /certificate or /tgtdeleg)
| Flag | Description |
|---|---|
| /password | Plaintext password. Rubeus derives the Kerberos key from the password and the domain/username salt, including the computer-account and SAM-spoofing edge cases. Use /enctype alongside /password to select the AS-REQ encryption type. |
| /des | DES (des_cbc_md5) key for the AS-REQ. |
| /rc4 | RC4/NTLM key for the AS-REQ. Alias: /ntlm. |
| /ntlm | Alias for /rc4. |
| /aes128 | AES-128 key for the AS-REQ. |
| /aes256 | AES-256 key for the AS-REQ. |
| /enctype | Explicitly selects the encryption type for the AS-REQ when using /password. Accepts DES, RC4, NTLM, AES128, AES256, or AES. |
Certificate Mode
| Flag | Description |
|---|---|
| /certificate | Path to a PKCS12 (.pfx) certificate file used to request the TGT via PKINIT. If the PFX is password-protected, supply its password with /password (in this mode /password is the store password, not the account password). |
Delegation Mode
| Flag | Description |
|---|---|
| /tgtdeleg | Obtain the base TGT with tgtdeleg (Kerberos GSS-API fake delegation) without supplying any credentials. Rubeus requests a delegation-flagged AP-REQ for the current user and recovers the forwarded TGT from it with the session key already held in the local ticket cache; no elevated privileges are required. |
SAM Spoofing
| Flag | Description |
|---|---|
| /oldsam | When /password is used with a computer account whose sAMAccountName was previously spoofed (CVE-2021-42278), supply the old sAMAccountName here so that the Kerberos AES salt is computed from the name the key was originally derived with. |
PAC Re-signing
| Flag | Description |
|---|---|
| /krbkey | KRBTGT key used to decrypt the TGT's encrypted part, re-sign the modified PAC's ServerChecksum and KDCChecksum, and re-encrypt the ticket. It must match the encryption type the KDC used for the TGT (normally AES-256). Without the correct key the modified ticket fails PAC signature validation and is rejected by domain controllers. |
PAC Modification
| Flag | Description |
|---|---|
| /ticketuser | Username to inject into the PAC's EffectiveName, ClientName, and UpnDns fields, replacing the real user. The ticket's cname and the KRB-CRED's enc_part.ticket_info[0].pname are updated to match. |
| /ticketuserid | RID to write into the PAC's UserId field. Also updates the Requestor SID and the UpnDns SID when the UPN_DNS_INFO buffer carries an extended SID. |
| /groups | Comma-separated group RIDs that replace the real group membership list in the PAC. Defaults to 520,512,513,519,518 (Group Policy Creator Owners, Domain Admins, Domain Users, Enterprise Admins, Schema Admins). |
| /sids | Comma-separated SIDs added to the PAC's ExtraSids list, for cross-domain access (for example the forest root's Enterprise Admins SID) or SID-history abuse. |
Domain and DC
| Flag | Description |
|---|---|
| /domain | Fully qualified domain name. Resolved from /user when it is supplied in DOMAIN\user format. |
| /dc | Hostname or IP address of the domain controller to send the AS-REQ to. |
Logon Session Targeting
| Flag | Description |
|---|---|
| /luid | Target a specific logon session LUID when injecting the ticket. Requires a high-integrity (elevated) context. |
| /createnetonly | Create a new hidden process (the value is the path of the program to launch) with CreateProcessWithLogonW and LOGON_NETCREDENTIALS_ONLY, and apply the forged ticket to its new logon session. Requires high integrity. The created process's LUID is used automatically. |
| /show | Make the process created by /createnetonly visible rather than hidden. |
Output and Injection
| Flag | Description |
|---|---|
| /outfile | Write the resulting .kirbi to this file (the name is suffixed with a timestamp and the user/service names). |
| /ptt | Inject the forged ticket into the current (or /luid-targeted) logon session via LSASS (pass-the-ticket). |