High-risk tools in Rubeus MCP Server
17 of the 27 tools in Rubeus MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
rubeus_asktgsExecuteRequest Service Tickets (TGS) for specified Service Principal Names (SPNs). Requires a valid TGT (provided as ticket parameter or from current session). Can request tickets for...
-
rubeus_asktgtExecuteRequest a Ticket Granting Ticket (TGT) using user credentials. Supports multiple authentication methods: - Password-based (cleartext or encrypted) - Hash-based (RC4/NTLM, AES12...
-
rubeus_asrep2kirbiExecuteConvert an AS-REP response to kirbi ticket format. Takes a raw AS-REP response and converts it to a usable kirbi ticket using the provided key.
-
rubeus_asreproastExecutePerform AS-REP Roasting against accounts that don
-
rubeus_changepwExecuteChange/reset a user
-
rubeus_createnetonlyExecuteCreate a new process with network credentials (logon type 9). Creates a process that uses different credentials for network authentication. Useful for applying tickets to a sep...
-
rubeus_diamondExecuteForge a Diamond Ticket (modified legitimate TGT). Requests a legitimate TGT and then modifies it with new PAC data. More stealthy than golden tickets as it starts with a real t...
-
rubeus_goldenExecuteForge a Golden Ticket (forged TGT with krbtgt hash). Creates a TGT that grants domain-wide access. Requires: - Domain SID - krbtgt account hash (RC4 or AES) - Target username a...
-
rubeus_harvestExecuteContinuously monitor for and harvest new TGTs. Runs in a loop, extracting new TGTs as they appear and optionally auto-renewing them to maintain access. Useful for capturing ti...
-
rubeus_hashExecuteCalculate Kerberos password hashes from plaintext. Computes the various Kerberos encryption keys from a password: - RC4_HMAC (NTLM) - AES128_CTS_HMAC_SHA1 - AES256_CTS_HMAC_SHA...
-
rubeus_kerberoastExecutePerform Kerberoasting attack to extract service account password hashes. Requests TGS tickets for accounts with SPNs, which are encrypted with the service account
-
rubeus_pttExecutePass-the-ticket: Apply a Kerberos ticket to the current logon session. Imports a ticket (from base64 or .kirbi file) into the current session, enabling access to resources as t...
-
rubeus_renewExecuteRenew an existing TGT to extend its validity period. Can optionally auto-renew continuously until the renewable lifetime expires. Useful for maintaining persistent access witho...
-
rubeus_s4uExecutePerform S4U (Service for User) constrained/unconstrained delegation abuse. Implements: - S4U2Self: Obtain service ticket to yourself on behalf of another user - S4U2Proxy: Use ...
-
rubeus_silverExecuteForge a Silver Ticket (forged TGS with service account hash). Creates a service ticket for a specific service. Requires: - Service account hash - Service SPN - Domain informati...
-
rubeus_tgssubExecuteSubstitute the service name in a service ticket. Replaces the SPN in an existing TGS with a different service name. Useful when you have a ticket for one service but need acces...
-
rubeus_tgtdelegExecuteExtract a usable TGT for the current user without elevation. Uses Kerberos GSS-API to abuse the delegation mechanism and retrieve the current user
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.