Updated readme

master
Dwight Hohnstein 2018-10-15 16:27:06 -07:00
parent 11ec233ba5
commit 872379a479
1 changed files with 4 additions and 0 deletions

@ -760,6 +760,8 @@ The **monitor** action will monitor the event log for 4624 logon events and will
When the /filteruser (or if not specified, any user) creates a new 4624 logon event, any extracted TGT KRB-CRED data is output.
Further, if you wish to save the output to the registry, pass the /registry flag and specfiy a path under HKLM to create (i.e., `/registry:SOFTWARE\MONITOR`). Then you can remove this entry after you've finished running Rubeus by `Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force`.
c:\Rubeus>Rubeus.exe monitor /filteruser:dfm.a
______ _
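Review bot: The added /registry paragraph in the monitor section has a typo ("specfiy" should be "specify"), and "i.e." should be "e.g.", since `SOFTWARE\MONITOR` is only one example of a path. The sentence says the path is created under HKLM but not which value name or encoding the KRB-CRED data is stored under, so a reader cannot tell what to look for at that key. Please add that. The cleanup command uses `Remove-Item -Recurse -Force`, so the text should also tell the reader to pass a new, dedicated key rather than an existing one, because that command deletes everything beneath the path. The usage example that follows still shows only `/filteruser:dfm.a`; a second invocation with `/registry:SOFTWARE\MONITOR` would match the new text.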
@ -822,6 +824,8 @@ The **harvest** action takes monitor one step further. It monitors the event log
This allows you to harvest usable TGTs from a system without opening up a read handle to LSASS, though elevated rights are needed to extract the tickets.
Further, you can pass the /registry flag to save the tickets into the registry for later extraction, such as `/registry:SOFTWARE\HARVEST`. You can remove the registry save data by `Get-Item HKLM:\SOFTWARE\HARVEST\ | Remove-Item -Recurse -Force`.
c:\Rubeus>Rubeus.exe harvest /interval:30
______ _
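Review bot: The added /registry sentence in the harvest section does not say the path is relative to HKLM, unlike the monitor paragraph, even though the cleanup command targets `HKLM:\SOFTWARE\HARVEST\`. State that explicitly so the two sections agree. "For later extraction" is left undocumented: the text should describe how the saved tickets are read back (value name and format), otherwise the flag is only half explained. The wording also drifts between the two sections ("remove this entry" there, "remove the registry save data" here), so pick one phrasing. As in the monitor section, note that `Remove-Item -Recurse -Force` deletes the whole key, so the flag should point at a key created for this purpose.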