Overview

Monitor for new Kerberos TGTs (4624 logon events) and automatically extract them as they appear. This command provides real-time credential harvesting capabilities by watching for authentication events and capturing tickets from new logon sessions.

Syntax

Rubeus.exe monitor [options]

Optional Parameters

interval (number)      Monitoring interval in seconds (default: 60)
filteruser (string)    Filter by specific username pattern
targetuser (string)    Target specific username only
nowrap (boolean)       Don't wrap base64 output
registry (boolean)     Monitor registry for new tickets

Examples

# Monitor with default settings
Rubeus.exe monitor

# Custom monitoring interval
Rubeus.exe monitor /interval:30

# Filter by username pattern
Rubeus.exe monitor /filteruser:admin

Monitoring Mechanisms

Event-Based Detection:
  • Monitors for 4624 logon events
  • Detects new authentication sessions
  • Tracks interactive and network logons
  • Identifies service account authentications
Real-Time Processing:
  • Automatic ticket extraction upon detection
  • Immediate analysis and storage
  • Continuous background operation
  • Minimal resource consumption
Ticket Storage Detection:
  • Monitors LSA ticket cache locations
  • Detects new ticket entries
  • Tracks ticket cache modifications
  • Alternative detection method
Enhanced Coverage:
  • Catches missed logon events
  • Provides redundant detection
  • Covers edge cases
  • Improves reliability

Use Cases

Long-Term Collection:
  • Deploy for extended monitoring periods
  • Capture credentials from various users
  • Build comprehensive credential database
  • Support long-term access operations
Stealth Operations:
  • Passive monitoring approach
  • Minimal system interaction
  • Reduced detection probability
  • Background collection capabilities
Immediate Exploitation:
  • Capture admin logons as they occur
  • Enable rapid privilege escalation
  • Support time-sensitive operations
  • Maximize attack windows
Event-Driven Actions:
  • Trigger additional attacks automatically
  • Chain with other tools and scripts
  • Enable reactive attack strategies
  • Support automation frameworks

Filtering and Targeting

Pattern Matching:
  • Use wildcard patterns for usernames
  • Filter administrative accounts
  • Target service account patterns
  • Exclude low-value accounts
Examples:
# Target admin accounts
Rubeus.exe monitor /filteruser:*admin*

# Target service accounts
Rubeus.exe monitor /filteruser:svc_*

# Target specific domain
Rubeus.exe monitor /filteruser:CORP\\*

High-Value Accounts:
  • Domain administrators
  • Service accounts with delegation
  • Application service accounts
  • Cross-domain trust accounts
Operational Priorities:
  • Focus on privilege escalation paths
  • Target lateral movement opportunities
  • Identify persistence mechanisms
  • Support specific attack objectives

Output and Storage

Automatic Processing:
  • Extract TGT immediately upon detection
  • Display ticket information
  • Store in base64 format
  • Provide ready-to-use format
Information Display:
# Example output
[*] 10/25/2024 2:15:30 PM UTC - 4624 logon event
[*] Target user     : CORP\admin
[*] Target LUID     : 0x54321
[*] Service ticket  : krbtgt/CORP.LOCAL

[*] Base64(ticket.kirbi):
doIFujCCBbagAwIBBaEDAgEWooIE...

External Tool Integration:
  • Pipe output to other tools
  • Save to files for later use
  • Format for automated processing
  • Support scripted workflows
Workflow Examples:
# Save all monitored tickets
Rubeus.exe monitor > captured_tickets.txt

# Filter and process specific accounts
Rubeus.exe monitor /filteruser:admin | findstr "Base64"
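
From the responder's side, an added Python example (not code from the page or from the Rubeus project): a parser for the monitor output layout shown under "Information Display", so that a captured_tickets.txt recovered from a compromised host can be turned into the list of accounts whose TGTs were exposed and need a credential reset. The sample output is constructed and the ticket bodies are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout shown under "Information Display" above;
# the base64 bodies are truncated placeholders, not real tickets.
SAMPLE_OUTPUT = """\
[*] 10/25/2024 2:15:30 PM UTC - 4624 logon event
[*] Target user     : CORP\\admin
[*] Target LUID     : 0x54321
[*] Service ticket  : krbtgt/CORP.LOCAL

[*] Base64(ticket.kirbi):
doIFujCCBbagAwIBBaEDAgEWooIE
ooIEAgEWooIEujCCBbagAwIBBaED

[*] 10/25/2024 2:40:02 PM UTC - 4624 logon event
[*] Target user     : CORP\\svc_backup
[*] Target LUID     : 0x61a2f
[*] Service ticket  : krbtgt/CORP.LOCAL

[*] Base64(ticket.kirbi):
doIFxjCCBcKgAwIBBaEDAgEWooIE
"""

HEADER_RE = re.compile(r"^\[\*\] (?P<time>.+?) - 4624 logon event$")
FIELD_RE = re.compile(r"^\[\*\] (?P<key>Target user|Target LUID|Service ticket)\s*: (?P<val>.+?)\s*$")
FIELDS = {"Target user": "user", "Target LUID": "luid", "Service ticket": "service"}

def parse_monitor_output(text):
    """One dict per harvested ticket: time, user, luid, service and the re-joined base64 body."""
    records, current, in_ticket = [], None, False
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:                                   # a new 4624 block starts here
            current = {"time": header["time"], "ticket": ""}
            records.append(current)
            in_ticket = False
        elif current is None:
            continue                                 # noise before the first block
        elif (field := FIELD_RE.match(line)):
            current[FIELDS[field["key"]]] = field["val"]
        elif line.startswith("[*] Base64(ticket.kirbi):"):
            in_ticket = True
        elif in_ticket and line.strip():
            current["ticket"] += line.strip()        # undo the wrapping applied without /nowrap
    return records

def exposed_accounts(records):
    """Accounts whose TGT was captured, with a count; each needs a credential reset."""
    return Counter(r["user"] for r in records if "user" in r)

if __name__ == "__main__":
    for user, n in exposed_accounts(parse_monitor_output(SAMPLE_OUTPUT)).items():
        print(f"{user}: {n} TGT(s) harvested")
```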

Operational Considerations

Resource Usage:
  • Minimal CPU overhead
  • Low memory footprint
  • Efficient event processing
  • Configurable monitoring intervals
System Impact:
  • Non-intrusive monitoring
  • No process injection
  • Standard API usage
  • Minimal detection footprint
Long-Term Deployment:
  • Run as background service
  • Integrate with startup scripts
  • Deploy via scheduled tasks
  • Support persistent access
Maintenance:
  • Log rotation considerations
  • Storage management
  • Performance monitoring
  • Error handling and recovery

Detection and Evasion

Potential Indicators:
  • Process monitoring event logs
  • Unusual registry access patterns
  • Continuous background processes
  • Network authentication anomalies
Monitoring Patterns:
  • Long-running background processes
  • Repeated LSA interactions
  • Event log access patterns
  • File system monitoring activities
Operational Security:
  • Vary monitoring intervals
  • Use realistic process names
  • Limit monitoring duration
  • Correlate with normal activities
Technical Evasion:
  • Deploy from legitimate directories
  • Use process hollowing or injection
  • Implement anti-analysis techniques
  • Employ encryption for output
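
For the indicators above, an added Python example (not from the page or the Rubeus project): it screens process-creation records for the monitor argument syntax documented on this page instead of the binary name, because a renamed copy still carries the same /option:value arguments. The 4688 field names NewProcessName and CommandLine are real; the records themselves are constructed.

```python
import re

# Constructed process-creation records using the Security 4688 field names
# NewProcessName and CommandLine; not real telemetry.
SAMPLE_4688 = [
    {"NewProcessName": r"C:\Tools\Rubeus.exe",
     "CommandLine": "Rubeus.exe monitor /interval:30 /filteruser:admin"},
    {"NewProcessName": r"C:\Windows\Temp\svchost.exe",          # renamed copy
     "CommandLine": "svchost.exe monitor /targetuser:domainadmin /nowrap"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"NewProcessName": r"C:\Program Files\App\monitor.exe",     # benign look-alike
     "CommandLine": "monitor.exe --interval 30"},
]

MONITOR_OPTS = {"interval", "filteruser", "targetuser", "nowrap", "registry"}
OPT_RE = re.compile(r"/(?P<name>[A-Za-z]+)(?::(?P<value>\S*))?")

def rubeus_monitor_args(cmdline):
    """Parse '<image> monitor /opt[:value] ...'; None when the monitor verb is absent."""
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[1].lower() != "monitor":
        return None
    opts = {}
    for tok in tokens[2:]:
        m = OPT_RE.fullmatch(tok)
        if m and m["name"].lower() in MONITOR_OPTS:
            opts[m["name"].lower()] = m["value"]       # None for bare flags such as /nowrap
    return opts

def triage_4688(events):
    """Flag process creations whose arguments match the monitor syntax, whatever the image name."""
    findings = []
    for ev in events:
        opts = rubeus_monitor_args(ev["CommandLine"])
        image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        # A bare 'x.exe monitor' with no options is only actionable when the image is Rubeus itself.
        if opts is None or (not opts and image != "rubeus.exe"):
            continue
        findings.append({
            "image": image,
            "renamed": image != "rubeus.exe",
            "options": opts,
            "targets": opts.get("filteruser") or opts.get("targetuser"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_4688(SAMPLE_4688):
        print(finding)
```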

Integration Workflows

Complete Harvesting Workflow:
# 1. Start monitoring
Rubeus.exe monitor /filteruser:admin /interval:30

# 2. Captured tickets automatically displayed
# Copy base64 output for use

# 3. Use captured tickets immediately
Rubeus.exe ptt /ticket:captured_base64...

# 4. Perform operations with captured credentials

Focused Collection:
# 1. Target specific high-value account
Rubeus.exe monitor /targetuser:domainadmin

# 2. Wait for target authentication
# Monitor displays ticket when available

# 3. Immediate exploitation
Rubeus.exe ptt /ticket:admin_tgt...

Related Commands

  • dump - Extract existing tickets
  • triage - Survey current tickets
  • ptt - Use monitored tickets
  • klist - Verify extracted tickets