
A golden ticket is a forged Kerberos TGT signed with the KRBTGT account’s secret key. Because every domain controller trusts tickets encrypted with the KRBTGT key, a valid golden ticket grants the holder arbitrary access to any service in the domain for the ticket’s lifetime — even if the underlying account does not exist. Rubeus’s golden command builds the full PAC from scratch, either by querying Active Directory over LDAP to pull real user attributes or by accepting each field explicitly on the command line.

Modes

LDAP mode (/ldap) connects to the domain controller and populates the PAC with the target user's real objectSid, group memberships, password policy fields, display name, logon timestamps, and NetBIOS domain name. This produces a ticket that is virtually indistinguishable from a genuine TGT. Any field retrieved from LDAP can be overridden by passing the corresponding flag alongside /ldap.

Explicit mode (without /ldap) requires at minimum /domain and /sid. All other PAC fields default to common administrative values (UserId 500, groups 512/513/518/519/520, NORMAL_ACCOUNT UAC) and can be overridden individually.

Flag Reference

Cryptographic Key (required — pick one)

/des
HASH
DES (des_cbc_md5) key for the KRBTGT account.
/rc4
HASH
RC4/NTLM key for the KRBTGT account. Alias: /ntlm.
/ntlm
HASH
Alias for /rc4. RC4/NTLM key for the KRBTGT account.
/aes128
HASH
AES-128 key for the KRBTGT account.
/aes256
HASH
AES-256 key for the KRBTGT account. Preferred for operational use.
/enctype
DES|RC4|AES128|AES256
Explicitly specify the encryption type when the key is provided via another flag. Accepts DES, RC4, NTLM, AES128, AES256, or AES.

Identity (required)

/user
USERNAME
Username to embed in the ticket. Accepts DOMAIN\user format, in which case the domain component also sets /domain.

LDAP Auto-fill

/ldap
flag
Query Active Directory over LDAPS (falling back to LDAP) to automatically populate all PAC fields for the specified user. Requires /user and resolves the domain from the current session if /domain is not provided.
/creduser
DOMAIN\USERNAME
Alternate credential username (in domain.com\user format) for the LDAP query. Must be paired with /credpassword.
/credpassword
PASSWORD
Password for the alternate LDAP credential specified by /creduser.

Domain and DC

/domain
DOMAIN
Fully-qualified domain name (e.g. corp.example.com). Required in explicit mode; optional override in LDAP mode.
/sid
DOMAIN_SID
Domain SID (e.g. S-1-5-21-...). Required in explicit mode. In LDAP mode this is derived from the user’s objectSid.
/dc
DOMAIN_CONTROLLER
Hostname or IP of the domain controller to use for LDAP queries and as the ticket’s LogonServer.
/netbios
NETBIOS_DOMAIN
NetBIOS domain name stored in the PAC LogonDomainName field (e.g. CORP). Auto-resolved from LDAP when /ldap is used.

PAC Identity Fields

/displayname
PAC_FULL_NAME
Full display name written to the PAC FullName field. Note: the source uses the key /displayname (not /dispalyname).
/id
USER_ID
Relative identifier (RID) of the user. Defaults to 500 (Administrator) in explicit mode.
/pgid
PRIMARY_GID
Primary group RID. Defaults to 513 (Domain Users).
/groups
GROUP_IDS
Comma-separated list of group RIDs to embed in the PAC (e.g. 520,512,513,519,518). Defaults to the five standard Domain Admins/Enterprise Admins groups in explicit mode.
/sids
EXTRA_SIDS
Comma-separated extra SIDs added to the ExtraSids PAC field. Useful for cross-domain SID history attacks or adding universal group memberships.
/resourcegroupsid
SID
SID of the resource domain for resource group membership. Must be paired with /resourcegroups.
/resourcegroups
GROUP_IDS
Comma-separated resource group RIDs within the domain identified by /resourcegroupsid.

PAC Logon and Password Timestamps

/lastlogon
LOGON_TIMESTAMP
Last logon time written to the PAC LogonTime field. Accepts a local-time string (e.g. "01/01/2024 08:00:00").
/logofftime
LOGOFF_TIMESTAMP
Logoff time written to the PAC LogoffTime field. Accepts a local-time string.
/pwdlastset
PASSWORD_CHANGE_TIMESTAMP
Password last set time written to the PAC PasswordLastSet field. Accepts a local-time string.
/maxpassage
DAYS
Maximum password age in days, used to compute the PAC PasswordMustChange field relative to /pwdlastset.
/minpassage
DAYS
Minimum password age in days, used to compute the PAC PasswordCanChange field relative to /pwdlastset.
/logoncount
INTEGER
Logon count written to the PAC LogonCount field.
/badpwdcount
INTEGER
Bad-password count written to the PAC BadPasswordCount field.

PAC Profile Fields

/homedir
HOMEDIR
Home directory path written to the PAC HomeDirectory field.
/homedrive
HOMEDRIVE
Home drive letter written to the PAC HomeDirectoryDrive field (e.g. H:).
/profilepath
PROFILE_PATH
Profile path written to the PAC ProfilePath field.
/scriptpath
LOGON_SCRIPT_PATH
Logon script path written to the PAC LogonScript field.

PAC Behavioural Fields

/uac
UAC_FLAGS
Comma-separated PacUserAccountControl flags (e.g. NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD). Defaults to NORMAL_ACCOUNT.
/flags
TICKET_FLAGS
Comma-separated Kerberos ticket flags. Defaults to forwardable,renewable,pre_authent,initial.

Timestamps

/starttime
TIMESTAMP
Ticket start time as a local-time string (e.g. "01/01/2024 08:00:00"). Defaults to current UTC time.
/endtime
RELATIVE
Ticket end time as a duration relative to start time (e.g. 10h, 7d).
/renewtill
RELATIVE
Renew-till time as a duration relative to start time.
/authtime
TIMESTAMP
Authentication time embedded in the ticket. Defaults to the start time.
/rangeend
RELATIVE
Generate a series of tickets from /starttime up to this end point. Each ticket is spaced by /rangeinterval.
/rangeinterval
RELATIVE_INTERVAL
Interval between tickets when using /rangeend. Defaults to 1d.

PAC Format

/oldpac
flag
Use the legacy PAC format (without the Attributes and Requestor sections introduced in newer Windows versions).
/extendedupndns
flag
Include the extended UPN and DNS info (SAM name and SID) in the UpnDns PAC buffer.

RODC Key List Tickets

/rodcNumber
RODC_NUM
RODC key version number. When set, the ticket’s kvno is shifted left 16 bits to produce a Key List–style golden ticket suitable for RODC scenarios.

Output and Injection

/printcmd
flag
Print a Rubeus command line that reproduces the forged ticket from explicit values. Especially useful after a /ldap run to avoid future LDAP contact.
/outfile
FILENAME
Write the resulting .kirbi to this file. The actual filename is suffixed with a timestamp and user/service names.
/ptt
flag
Inject the forged ticket directly into the current logon session via LSASS (pass-the-ticket).

Usage Examples

Rubeus.exe golden /aes256:9E1A3A96E2E1B53A31393AE3F45A5B5F7AC01A5D4B93E9A8F3B2C6D8E7F0A2B4 /user:jdoe /ldap /ptt

Detection Notes

RC4/NTLM golden tickets (/rc4) trigger Audit: Kerberos Authentication Service event 4769 with encryption type 0x17 (RC4), which is flagged by many SIEMs and EDR solutions as anomalous for modern environments. AES256 tickets (/aes256) match the default encryption type of legitimate TGTs and blend in significantly better. Regardless of encryption type, a golden ticket still carries the tell-tale characteristic of an unusually long lifetime, or an authtime in the distant past, if /endtime and /authtime are not tuned to match expected ranges.
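As an added example (not Rubeus code and not from this page), the three heuristics in the note above applied to constructed ticket records: legacy RC4 etype, ticket lifetime beyond policy, and an authtime far behind the ticket's start. The record field names, the 10h lifetime baseline and the 7-day authtime window are assumptions.

```python
from datetime import datetime, timedelta

# Kerberos etype numbers: 0x17 = rc4-hmac (RFC 4757), 0x12 = aes256-cts-hmac-sha1-96 (RFC 3962)
RC4_HMAC = 0x17
AES256_CTS = 0x12

# Assumed baselines: 10h is the default "Maximum lifetime for user ticket" domain policy;
# an authtime more than 7 days before the ticket's own start time is treated as suspicious.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_AUTHTIME_LAG = timedelta(days=7)


def assess_ticket(rec):
    """Return the list of heuristic hits for one normalized ticket record."""
    hits = []
    if rec["etype"] == RC4_HMAC:
        hits.append("rc4-etype")  # legacy etype in a domain where AES is the default
    start = datetime.fromisoformat(rec["starttime"])
    end = datetime.fromisoformat(rec["endtime"])
    auth = datetime.fromisoformat(rec["authtime"])
    if end - start > MAX_TGT_LIFETIME:
        hits.append("lifetime-exceeds-policy")
    if start - auth > MAX_AUTHTIME_LAG:
        hits.append("authtime-far-in-past")
    return hits


def scan(records):
    """Map each account with at least one hit to its list of hits."""
    return {r["account"]: assess_ticket(r) for r in records if assess_ticket(r)}


# Constructed sample records (not real log data). The etype stands in for the
# 4769 "Ticket Encryption Type" field; the times are what a decoded KRB-CRED or
# klist output on the endpoint would show. Field names are assumptions.
SAMPLE = [
    {"account": "jdoe", "etype": AES256_CTS, "starttime": "2024-01-01T08:00:00",
     "endtime": "2024-01-01T18:00:00", "authtime": "2024-01-01T08:00:00"},
    {"account": "svc_backup", "etype": RC4_HMAC, "starttime": "2024-01-01T08:00:00",
     "endtime": "2024-01-01T18:00:00", "authtime": "2024-01-01T08:00:00"},
    {"account": "admin_forged", "etype": AES256_CTS, "starttime": "2024-01-01T08:00:00",
     "endtime": "2024-01-11T08:00:00", "authtime": "2023-06-01T08:00:00"},
]

if __name__ == "__main__":
    for account, hits in scan(SAMPLE).items():
        print(account, hits)
```

The 10h lifetime check alone is the baseline the page's /endtime:10h example is built to satisfy, so only the combination of checks (plus the RC4 etype rule) separates the forged record from the legitimate one here.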
