A golden ticket is a forged Kerberos TGT encrypted (and its PAC signed) with the KRBTGT account’s secret key. Because every domain controller trusts tickets encrypted with the KRBTGT key, a valid golden ticket grants the holder arbitrary access to any service in the domain for the ticket’s lifetime, even if the account named in the ticket does not exist. Rubeus’s
golden command builds the full PAC from scratch, either by querying Active Directory over LDAP to pull real user attributes or by accepting each field explicitly on the command line.
Modes
LDAP mode (/ldap) connects to the domain controller and populates the PAC with the target user’s real objectSid, group memberships, password policy fields, display name, logon timestamps, and NetBIOS domain name. This produces a ticket that is virtually indistinguishable from a genuine TGT. Any field retrieved from LDAP can be overridden by passing the corresponding flag alongside /ldap.
Explicit mode (without /ldap) requires at minimum /domain and /sid. All other PAC fields default to common administrative values (UserId 500, groups 512/513/518/519/520, NORMAL_ACCOUNT UAC) and can be overridden individually.
Flag Reference
Cryptographic Key (required: pick one)

  /des           DES (des_cbc_md5) key for the KRBTGT account.
  /rc4           RC4/NTLM key for the KRBTGT account. Alias: /ntlm.
  /ntlm          Alias for /rc4. RC4/NTLM key for the KRBTGT account.
  /aes128        AES-128 key for the KRBTGT account.
  /aes256        AES-256 key for the KRBTGT account. Preferred for operational use.
  /enctype       Explicitly specify the encryption type when the key is provided via another flag. Accepts DES, RC4, NTLM, AES128, AES256, or AES.

Identity (required)

  /user          Username to embed in the ticket. Accepts DOMAIN\user format, in which case the domain component also sets /domain.

LDAP Auto-fill

  /ldap          Query Active Directory over LDAPS (falling back to LDAP) to automatically populate all PAC fields for the specified user. Requires /user and resolves the domain from the current session if /domain is not provided.
  /creduser      Alternate credential username (in domain.com\user format) for the LDAP query. Must be paired with /credpassword.
  /credpassword  Password for the alternate LDAP credential specified by /creduser.

Domain and DC

  /domain        Fully-qualified domain name (e.g. corp.example.com). Required in explicit mode; optional override in LDAP mode.
  /sid           Domain SID (e.g. S-1-5-21-...). Required in explicit mode. In LDAP mode this is derived from the user’s objectSid.
  /dc            Hostname or IP of the domain controller to use for LDAP queries and as the ticket’s LogonServer.
  /netbios       NetBIOS domain name stored in the PAC LogonDomainName field (e.g. CORP). Auto-resolved from LDAP when /ldap is used.

PAC Identity Fields

  /displayname   Full display name written to the PAC FullName field. Note: the source uses the key /displayname (not /dispalyname).
  /id            Relative identifier (RID) of the user. Defaults to 500 (Administrator) in explicit mode.
  /pgid          Primary group RID. Defaults to 513 (Domain Users).
  /groups        Comma-separated list of group RIDs to embed in the PAC (e.g. 520,512,513,519,518). Defaults to the five standard Domain Admins/Enterprise Admins groups in explicit mode.
  /sids          Comma-separated extra SIDs added to the ExtraSids PAC field. Useful for cross-domain SID history attacks or adding universal group memberships.
  /resourcegroupsid  SID of the resource domain for resource group membership. Must be paired with /resourcegroups.
  /resourcegroups    Comma-separated resource group RIDs within the domain identified by /resourcegroupsid.

PAC Logon and Password Timestamps

  /logontime     Last logon time written to the PAC LogonTime field. Accepts a local-time string (e.g. "01/01/2024 08:00:00").
  /logofftime    Logoff time written to the PAC LogoffTime field. Accepts a local-time string.
  /pwdlastset    Password last set time written to the PAC PasswordLastSet field. Accepts a local-time string.
  /maxpassage    Maximum password age in days, used to compute the PAC PasswordMustChange field relative to /pwdlastset.
  /minpassage    Minimum password age in days, used to compute the PAC PasswordCanChange field relative to /pwdlastset.
  /logoncount    Logon count written to the PAC LogonCount field.
  /badpwdcount   Bad-password count written to the PAC BadPasswordCount field.

PAC Profile Fields

  /homedir       Home directory path written to the PAC HomeDirectory field.
  /homedrive     Home drive letter written to the PAC HomeDirectoryDrive field (e.g. H:).
  /profilepath   Profile path written to the PAC ProfilePath field.
  /scriptpath    Logon script path written to the PAC LogonScript field.

PAC Behavioural Fields

  /uac           Comma-separated PacUserAccountControl flags (e.g. NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD). Defaults to NORMAL_ACCOUNT.
  /flags         Comma-separated Kerberos ticket flags. Defaults to forwardable,renewable,pre_authent,initial.

Timestamps

  /starttime     Ticket start time as a local-time string (e.g. "01/01/2024 08:00:00"). Defaults to the current UTC time.
  /endtime       Ticket end time as a duration relative to the start time (e.g. 10h, 7d).
  /renewtill     Renew-till time as a duration relative to the start time.
  /authtime      Authentication time embedded in the ticket. Defaults to the start time.
  /rangeend      Generate a series of tickets from /starttime up to this end point. Each ticket is spaced by /rangeinterval.
  /rangeinterval Interval between tickets when using /rangeend. Defaults to 1d.

PAC Format

  /oldpac        Use the legacy PAC format (without the Attributes and Requestor sections introduced in newer Windows versions).
  /extendedupndns  Include the extended UPN and DNS info (SAM name and SID) in the UpnDns PAC buffer.

RODC Key List Tickets

  /rodcNumber    RODC key version number. When set, the ticket’s kvno is shifted left 16 bits to produce a Key List-style golden ticket suitable for RODC scenarios.

Output and Injection

  /printcmd      Print a Rubeus command line that reproduces the forged ticket from explicit values. Especially useful after a /ldap run to avoid future LDAP contact.
  /outfile       Write the resulting .kirbi to this file. The actual filename is suffixed with a timestamp and user/service names.
  /ptt           Inject the forged ticket directly into the current logon session via LSASS (pass-the-ticket).