| Threats + Use Case

Rubeus createnetonly (Kerberos)

Hacking/Unauthorized Access

Overview of Rubeus createnetonly

The createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. This process can then be used to apply specific Kerberos tickets to with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing TGTs for the current logon session.

 

References

 

Tags

Defense Evasion
Privilege Escalation
Credential Access
Splunk
Kerberoasting
Steal or Forge Kerberos Tickets

Categories: ,

Credential Access, Defense Evasion, Kerberoasting, Privilege Escalation, Splunk, Use Cases