The Kerberos Service-for-User (S4U) extensions allow a service account to request tickets on behalf of another user. S4U2Self lets a service obtain a service ticket to itself for any user, and S4U2Proxy lets a service use that ticket as evidence to request a ticket for a backend service — the foundation of constrained delegation. Rubeus abuses this chain to impersonate arbitrary users (including domain administrators) against any service that the compromised account is trusted to delegate to.

The s4u command accepts either an existing TGT (from disk or base64) or a raw password hash, performs the full S4U2Self → S4U2Proxy chain, and optionally injects the resulting ticket directly into the current logon session.
Primary Usage Modes
The command requires either:
- Ticket mode: /ticket:BASE64|FILE — use an existing TGT for the service account.
- Hash mode: /user:USER with /rc4:HASH or /aes256:HASH — Rubeus first obtains a TGT via asktgt, then proceeds with the S4U chain.

In both modes, /impersonateuser (or a pre-existing /tgs) and /msdsspn define the target.
Flag Reference
- /ticket:BASE64|FILE: Existing TGT for the service account to use, supplied as a base64-encoded .kirbi blob or a path to a .kirbi file, e.g. /ticket:svc.kirbi. Mutually exclusive with the /user+hash approach.
- /user:USER: Username of the service account when a TGT is not already available, e.g. /user:svcSQL. Rubeus will first request a TGT using the supplied hash, then proceed with S4U. Can include a domain prefix (domain\user).
- /rc4:HASH: RC4 (NT) hash for the service account, used with /user to obtain a TGT, e.g. /rc4:NTLMHASH. Either /rc4 or /aes256 must be provided in hash mode.
- /aes256:HASH: AES-256 hash for the service account, used with /user to obtain a TGT, e.g. /aes256:AESHASH. Preferred over /rc4 for opsec-safe TGT requests.
- /impersonateuser:USER: The domain user to impersonate in the S4U2Self request, e.g. /impersonateuser:Administrator. Cannot be used together with /tgs — supply one or the other.
- /tgs:BASE64|FILE: An existing S4U2Self TGS to use directly for the S4U2Proxy step, supplied as a base64 blob or file path, e.g. /tgs:self.kirbi. Skips the S4U2Self request. The impersonated user is read from the ticket’s cname. Requires /msdsspn.
- /msdsspn:SPN: The target SPN to request a delegated ticket for, e.g. /msdsspn:cifs/fileserver.corp.local. This must match an SPN listed in the service account’s msDS-AllowedToDelegateTo attribute (or the resource’s msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD). Required unless using /self.
- /altservice:SERVICE: Substitute a different service class into the final S4U2Proxy ticket without changing the server host, e.g. /altservice:ldap. Useful for accessing services beyond what is listed in the delegation configuration (requires the KDC to not validate the sname strictly).
- /domain:DOMAIN: Domain of the service account, e.g. /domain:corp.local. Auto-detected from the current environment when omitted.
- /dc:DC: Domain controller to send Kerberos requests to, e.g. /dc:DC01.corp.local.
- /impersonatedomain:DOMAIN: Domain of the user being impersonated in the S4U2Self request, e.g. /impersonatedomain:other.local. Use when the impersonated user resides in a different domain from the service account.
- /targetdomain:DOMAIN: Target domain for cross-domain S4U delegation, e.g. /targetdomain:target.corp.local. Used together with /targetdc to route the final S4U2Proxy request to the correct foreign domain.
- /targetdc:DC: Domain controller in the target domain for cross-domain delegation, e.g. /targetdc:DC01.target.corp.local. Must be reachable from the attacking host.
- /outfile:FILE: Write the resulting ticket(s) to a .kirbi file, e.g. /outfile:admin_cifs.kirbi.
- /ptt: Pass the final ticket directly into the current logon session via LsaCallAuthenticationPackage. After this, the ticket is usable immediately (e.g. dir \\fileserver\share).
- /nowrap: Prevent base64 ticket blobs from being line-wrapped at 80 characters in console output.
- /opsec: Request S4U tickets in an opsec-safe manner. Adjusts request flags so the resulting tickets more closely resemble those produced by legitimate Windows delegation, reducing the fidelity of event log signatures.
- /self: Perform only the S4U2Self step and stop — do not proceed to S4U2Proxy. Produces a service ticket from the compromised service to itself for the impersonated user. Useful for obtaining a forwardable ticket to inject when RBCD is configured.
- /bronzebit: Execute the Bronze Bit attack (CVE-2020-17049). Flips the forwardable flag in the S4U2Self ticket by re-encrypting it with the service account’s key, enabling S4U2Proxy even when the service is not configured for unconstrained delegation. Requires /rc4 or /aes256 to re-encrypt.
- /nopac: Request tickets without a PAC (Privilege Attribute Certificate). Can be used to bypass certain PAC-based defences or to request tickets for accounts where PAC generation is problematic.
- /proxyurl:URL: Route Kerberos traffic through a KDC proxy URL, e.g. /proxyurl:https://kdcproxy.corp.local/kdcproxy. Useful for attacking environments where direct KDC access (TCP/UDP 88) is firewalled.
- /createnetonly:PATH: Create a hidden PROCESS_CREATE_ONLY process at the specified path and inject the ticket into its logon session, e.g. /createnetonly:C:\Windows\System32\cmd.exe. Implicitly enables /ptt for the new process. Use /show to make the spawned window visible.
- /show: When used with /createnetonly, makes the spawned process window visible rather than hidden.

Usage Examples
Constrained delegation vs RBCD: Classic constrained delegation is configured on the delegating service account — an administrator adds target SPNs to the account’s
msDS-AllowedToDelegateTo attribute, and the KDC enforces the list. Resource-based constrained delegation (RBCD) is configured on the target resource instead — the resource’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists which principals may delegate to it. From an attacker’s perspective, RBCD is particularly useful because write access to a computer object is enough to configure it, making it a common post-exploitation path after obtaining GenericWrite or WriteProperty over a machine account.
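As an added example (not Rubeus code or part of its documentation), the following audit walks a set of constructed directory records and flags the conditions that make the S4U chain above work: constrained delegation (with or without protocol transition), unconstrained delegation, RBCD entries, and privileged users who are neither marked "sensitive and cannot be delegated" nor in Protected Users. The record layout is an assumption, and the RBCD attribute, which is a binary security descriptor in AD, is assumed to have been resolved to principal names beforehand.

```python
# Added example, not part of Rubeus: audit directory objects for the delegation
# settings described above and for privileged users that S4U could impersonate.

UAC_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UAC_NOT_DELEGATED = 0x100000                     # "sensitive, cannot be delegated"
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample objects. In AD, msDS-AllowedToActOnBehalfOfOtherIdentity is a
# binary security descriptor; here it is pre-resolved to principal names (assumption).
SAMPLE_OBJECTS = [
    {"name": "svcSQL", "uac": 0x10000 | UAC_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowedToDelegateTo": ["cifs/fileserver.corp.local"]},
    {"name": "svcWeb", "uac": 0x10000,
     "allowedToDelegateTo": ["http/intranet.corp.local"]},
    {"name": "FILESERVER$", "uac": 0x1000,
     "allowedToActOnBehalfOf": ["WORKSTATION01$"]},
    {"name": "Administrator", "uac": 0x200, "memberOf": ["Domain Admins"]},
    {"name": "da-backup", "uac": 0x200 | UAC_NOT_DELEGATED,
     "memberOf": ["Domain Admins", "Protected Users"]},
]


def audit_delegation(objects):
    """Return (severity, object name, reason) findings for the records given."""
    findings = []
    for obj in objects:
        name, uac = obj["name"], obj.get("uac", 0)
        targets = obj.get("allowedToDelegateTo", [])
        if targets and uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            # S4U2Self yields a forwardable ticket for any user, so S4U2Proxy
            # works without the impersonated user ever authenticating.
            findings.append(("high", name, f"constrained delegation with protocol transition to {targets}"))
        elif targets:
            findings.append(("medium", name, f"constrained delegation to {targets}"))
        if uac & UAC_TRUSTED_FOR_DELEGATION:
            findings.append(("high", name, "unconstrained delegation"))
        rbcd = obj.get("allowedToActOnBehalfOf", [])
        if rbcd:
            findings.append(("medium", name, f"RBCD: {rbcd} may delegate to this resource"))
        groups = set(obj.get("memberOf", []))
        protected = bool(uac & UAC_NOT_DELEGATED) or "Protected Users" in groups
        if groups & PRIVILEGED_GROUPS and not protected:
            findings.append(("high", name, "privileged account can be impersonated via S4U"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit_delegation(SAMPLE_OBJECTS):
        print(f"[{severity}] {name}: {reason}")
```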