I'm currently trying to mimic the behaviour of Windows' Smartcard authentication, but Rubeus and asktgt act differently, causing detection by Defender for Identity (MDI). The /opsec flag tries to mimic the smartcard behaviour as observed with Wireshark, but only when no certificate is used to authenticate (Kerberos' PKINIT extension).
This can be seen here (https://github.com/GhostPack/Rubeus/blob/master/Rubeus/Commands/Asktgt.cs#L258), where the opsec variable, populated by the /opsec flag, is not passed to the overloaded Ask.TGT function. Especially the AS-REQ without pre-authentication, which is usually issued when using smartcard auth, is missing.
I might find some time next week to fix this myself.