Overview

Monitor for new Kerberos TGTs (4624 logon events) and automatically extract them as they appear. This command provides real-time credential harvesting capabilities by watching for authentication events and capturing tickets from new logon sessions.

Syntax

Rubeus.exe monitor [options]

Optional Parameters

interval (number): Monitoring interval in seconds (default: 60)
filteruser (string): Filter by specific username pattern
targetuser (string): Target specific username only
nowrap (boolean): Don't wrap base64 output
registry (boolean): Monitor registry for new tickets

Examples

# Monitor with default settings
Rubeus.exe monitor

# Custom monitoring interval
Rubeus.exe monitor /interval:30

# Filter by username pattern
Rubeus.exe monitor /filteruser:admin

Monitoring Mechanisms

Event-Based Detection:
  • Monitors for 4624 logon events
  • Detects new authentication sessions
  • Tracks interactive and network logons
  • Identifies service account authentications
Real-Time Processing:
  • Automatic ticket extraction upon detection
  • Immediate analysis and storage
  • Continuous background operation
  • Minimal resource consumption
Ticket Storage Detection:
  • Monitors LSA ticket cache locations
  • Detects new ticket entries
  • Tracks ticket cache modifications
  • Alternative detection method
Enhanced Coverage:
  • Catches missed logon events
  • Provides redundant detection
  • Covers edge cases
  • Improves reliability

Use Cases

Long-Term Collection:
  • Deploy for extended monitoring periods
  • Capture credentials from various users
  • Build comprehensive credential database
  • Support long-term access operations
Stealth Operations:
  • Passive monitoring approach
  • Minimal system interaction
  • Reduced detection probability
  • Background collection capabilities
Immediate Exploitation:
  • Capture admin logons as they occur
  • Enable rapid privilege escalation
  • Support time-sensitive operations
  • Maximize attack windows
Event-Driven Actions:
  • Trigger additional attacks automatically
  • Chain with other tools and scripts
  • Enable reactive attack strategies
  • Support automation frameworks

Filtering and Targeting

Pattern Matching:
  • Use wildcard patterns for usernames
  • Filter administrative accounts
  • Target service account patterns
  • Exclude low-value accounts
Examples:
# Target admin accounts
Rubeus.exe monitor /filteruser:*admin*

# Target service accounts
Rubeus.exe monitor /filteruser:svc_*

# Target specific domain
Rubeus.exe monitor /filteruser:CORP\\*
High-Value Accounts:
  • Domain administrators
  • Service accounts with delegation
  • Application service accounts
  • Cross-domain trust accounts
Operational Priorities:
  • Focus on privilege escalation paths
  • Target lateral movement opportunities
  • Identify persistence mechanisms
  • Support specific attack objectives

Output and Storage

Automatic Processing:
  • Extract TGT immediately upon detection
  • Display ticket information
  • Store in base64 format
  • Provide ready-to-use format
Information Display:
# Example output
[*] 10/25/2024 2:15:30 PM UTC - 4624 logon event
[*] Target user     : CORP\admin
[*] Target LUID     : 0x54321
[*] Service ticket  : krbtgt/CORP.LOCAL

[*] Base64(ticket.kirbi):
doIFujCCBbagAwIBBaEDAgEWooIE...
External Tool Integration:
  • Pipe output to other tools
  • Save to files for later use
  • Format for automated processing
  • Support scripted workflows
Workflow Examples:
# Save all monitored tickets
Rubeus.exe monitor > captured_tickets.txt

# Filter and process specific accounts
Rubeus.exe monitor /filteruser:admin | findstr "Base64"
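An incident responder who recovers a file such as captured_tickets.txt from a compromised host needs to know which accounts had a TGT harvested and when, to scope the exposure and drive resets. The Python below is an added example, not code from Rubeus or from the original page: it parses the output format shown above (both the default wrapped base64 and the single-line form /nowrap produces) and summarises the exposed accounts. The sample text is constructed to match the displayed format, and the base64 placeholder is a minimal DER shell carrying only the KRB-CRED tag byte, not a real ticket; the timestamps, LUIDs and the second account name are likewise constructed.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed placeholder standing in for a real .kirbi blob: a DER [APPLICATION 22]
# tag byte (0x76, the KRB-CRED tag) with a 16-byte zero body. Not a usable ticket.
PLACEHOLDER_KIRBI = base64.b64encode(b"\x76\x82\x00\x10" + b"\x00" * 16).decode()

# Constructed sample in the shape of the "Example output" above: first entry with the
# default wrapped base64, second entry as /nowrap would print it.
SAMPLE_OUTPUT = (
    "[*] 10/25/2024 2:15:30 PM UTC - 4624 logon event\n"
    "[*] Target user     : CORP\\admin\n"
    "[*] Target LUID     : 0x54321\n"
    "[*] Service ticket  : krbtgt/CORP.LOCAL\n"
    "\n"
    "[*] Base64(ticket.kirbi):\n"
    f"{PLACEHOLDER_KIRBI[:14]}\n"
    f"{PLACEHOLDER_KIRBI[14:]}\n"
    "\n"
    "[*] 10/25/2024 2:40:02 PM UTC - 4624 logon event\n"
    "[*] Target user     : CORP\\svc_backup\n"
    "[*] Target LUID     : 0x61a2f\n"
    "[*] Service ticket  : krbtgt/CORP.LOCAL\n"
    "\n"
    "[*] Base64(ticket.kirbi):\n"
    f"{PLACEHOLDER_KIRBI}\n"
)

ENTRY_HEADER = re.compile(r"^\[\*\] (?P<ts>.+?) - 4624 logon event$")
FIELD = re.compile(r"^\[\*\] (?P<key>Target user|Target LUID|Service ticket)\s*: (?P<val>.+)$")
B64_MARK = "[*] Base64(ticket.kirbi):"
FIELD_NAMES = {"Target user": "user", "Target LUID": "luid", "Service ticket": "service"}


@dataclass
class HarvestedTicket:
    timestamp: str
    user: str
    luid: str
    service: str
    ticket_b64: str


def parse_monitor_output(text):
    """Parse monitor output into HarvestedTicket records, joining wrapped base64 lines."""
    tickets = []
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        header = ENTRY_HEADER.match(line)
        if header:
            current = {"timestamp": header.group("ts"), "user": "", "luid": "", "service": ""}
        elif current is not None and (field := FIELD.match(line)):
            current[FIELD_NAMES[field.group("key")]] = field.group("val").strip()
        elif current is not None and line == B64_MARK:
            # Base64 runs until the next blank line; without /nowrap it spans several lines.
            chunks = []
            i += 1
            while i < len(lines) and lines[i].strip():
                chunks.append(lines[i].strip())
                i += 1
            tickets.append(HarvestedTicket(ticket_b64="".join(chunks), **current))
            current = None
            continue
        i += 1
    return tickets


def looks_like_kirbi(b64):
    """True if the blob decodes and starts with the DER KRB-CRED tag ([APPLICATION 22] = 0x76)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and raw[0] == 0x76


def exposed_accounts(tickets):
    """Map each account to the capture timestamps of its TGTs, for scoping and resets."""
    exposure = {}
    for t in tickets:
        if t.service.startswith("krbtgt/"):
            exposure.setdefault(t.user, []).append(t.timestamp)
    return exposure


if __name__ == "__main__":
    parsed = parse_monitor_output(SAMPLE_OUTPUT)
    for acct, times in exposed_accounts(parsed).items():
        print(f"{acct}: TGT captured at {', '.join(times)}")
```

One point the account list matters for: a harvested TGT stays usable until its own end time regardless of a password reset on the account, so the exposure window for each account listed runs to the ticket's expiry, not to the reset.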

Operational Considerations

Resource Usage:
  • Minimal CPU overhead
  • Low memory footprint
  • Efficient event processing
  • Configurable monitoring intervals
System Impact:
  • Non-intrusive monitoring
  • No process injection
  • Standard API usage
  • Minimal detection footprint
Long-Term Deployment:
  • Run as background service
  • Integrate with startup scripts
  • Deploy via scheduled tasks
  • Support persistent access
Maintenance:
  • Log rotation considerations
  • Storage management
  • Performance monitoring
  • Error handling and recovery

Detection and Evasion

Potential Indicators:
  • Process monitoring event logs
  • Unusual registry access patterns
  • Continuous background processes
  • Network authentication anomalies
Monitoring Patterns:
  • Long-running background processes
  • Repeated LSA interactions
  • Event log access patterns
  • File system monitoring activities
Operational Security:
  • Vary monitoring intervals
  • Use realistic process names
  • Limit monitoring duration
  • Correlate with normal activities
Technical Evasion:
  • Deploy from legitimate directories
  • Use process hollowing or injection
  • Implement anti-analysis techniques
  • Employ encryption for output
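The indicators listed above (a long-running background process, repeated reads of the Security event log at a fixed interval, and the note that varying the interval blunts a strict periodicity check) can be turned into a simple hunt. The Python below is an added defender-side example, not code from Rubeus or from the original page. The telemetry records and their schema are constructed and hypothetical, standing in for whatever EDR or audit source in your environment records reads of the Security log; the paths, the allowlist and the thresholds are assumptions to tune locally.

```python
import statistics
from datetime import datetime, timedelta

# Constructed base time for the sample telemetry.
BASE = datetime(2024, 10, 25, 14, 0, 0)
ACTION = "ReadEventLog:Security"


def make_series(image, offsets_s, action=ACTION):
    """Build (timestamp, process image, action) records at the given second offsets."""
    return [(BASE + timedelta(seconds=s), image, action) for s in offsets_s]


# Constructed telemetry (hypothetical schema): an unknown binary reading the Security log
# every 60 s (the command's default interval), a legitimate log forwarder that is also
# periodic but allowlisted, and an administrator opening Event Viewer a few times.
TELEMETRY = (
    make_series(r"C:\Users\Public\svchost.exe", [60 * k for k in range(10)])
    + make_series(r"C:\Program Files\SIEMAgent\agent.exe",
                  (5, 64, 119, 181, 247, 298, 362, 420, 481, 537))
    + make_series(r"C:\Windows\System32\mmc.exe", (12, 13, 200))
)
ALLOWLIST = {r"c:\program files\siemagent\agent.exe"}


def find_event_log_pollers(telemetry, allowlist=ALLOWLIST, min_reads=5, max_cv=0.15):
    """Return non-allowlisted processes that repeatedly read the Security log.

    Each hit records the read count, the mean gap between reads, and whether the gaps are
    regular enough (coefficient of variation <= max_cv) to look like a fixed polling loop.
    Repeated reads are reported even when the gaps are jittered, so varying the interval
    alone does not clear a process from the report.
    """
    by_process = {}
    for ts, image, action in telemetry:
        if action == ACTION and image.lower() not in allowlist:
            by_process.setdefault(image, []).append(ts)

    hits = {}
    for image, stamps in by_process.items():
        if len(stamps) < min_reads:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        hits[image] = {
            "reads": len(stamps),
            "mean_interval_s": mean_gap,
            "periodic": cv <= max_cv,
        }
    return hits


if __name__ == "__main__":
    for image, info in find_event_log_pollers(TELEMETRY).items():
        kind = "fixed interval" if info["periodic"] else "jittered"
        print(f"{image}: {info['reads']} reads, mean gap {info['mean_interval_s']:.0f}s ({kind})")
```

The allowlist is keyed on the full lowercase image path rather than the file name, so a binary that borrows a system process name from a user-writable directory still shows up; a second series built with make_series and irregular offsets is reported as a hit with periodic set to False.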

Integration Workflows

Complete Harvesting Workflow:
# 1. Start monitoring
Rubeus.exe monitor /filteruser:admin /interval:30

# 2. Captured tickets automatically displayed
# Copy base64 output for use

# 3. Use captured tickets immediately
Rubeus.exe ptt /ticket:captured_base64...

# 4. Perform operations with captured credentials
Focused Collection:
# 1. Target specific high-value account
Rubeus.exe monitor /targetuser:domainadmin

# 2. Wait for target authentication
# Monitor displays ticket when available

# 3. Immediate exploitation
Rubeus.exe ptt /ticket:admin_tgt...

Related Commands:
  • dump - Extract existing tickets
  • triage - Survey current tickets
  • ptt - Use monitored tickets
  • klist - Verify extracted tickets