TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
renew command sends a TGS-REQ with the renew flag set, asking the KDC to issue a fresh TGT derived from an existing one. Kerberos tickets carry a renew-till timestamp set at issuance; as long as the current time is before that limit, the KDC will extend the ticket’s validity window without requiring fresh credentials. This is useful for long-running operations where the initial TGT lifetime (typically 10 hours) is insufficient. Use /autorenew to have Rubeus loop in the background and keep the ticket alive until the domain’s maximum renewal period is exhausted.
Flag Reference
The TGT to renew, supplied as a base64-encoded
.kirbi blob or a file path to a .kirbi file. Rubeus auto-detects the format.Hostname or IP address of the domain controller to send the renewal request to. When omitted, Rubeus uses the DC resolved from the ticket’s realm or the machine’s domain.
Path to write the renewed TGT as a
.kirbi file. If omitted, the renewed ticket is printed as a base64 blob to stdout.Pass the renewed ticket directly into the current logon session using
LsaCallAuthenticationPackage. No file is written. Note: /ptt is not used in /autorenew mode — in that mode Rubeus loops internally and does not inject.Continuously renew the TGT in a loop, sleeping between renewals, until the ticket’s
renew-till timestamp is reached and the KDC rejects the renewal. Rubeus calculates the sleep interval from the ticket’s remaining validity window. When this flag is set, /outfile and /ptt are ignored.Suppress line-wrapping of the base64 ticket blob in console output. Useful when copying output programmatically.