Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
klist is the verbose counterpart to triage. Where triage produces a compact summary table, klist prints each ticket in a structured multi-line block that includes the service principal name, client name, realm, start time, end time, renew-till time, ticket flags, and session key encryption type. This makes it the right tool when you need to assess the health of a ticket, verify its flags (e.g. forwardable, renewable, pre-authent), or note exact expiry timestamps. Like triage, it is scoped to the current logon session without elevation and expands to all sessions when run in a high-integrity process.
Flags
Restrict output to a single logon session identified by its LUID in hex (e.g.
0x3e4). All other sessions are silently skipped.Filter output to sessions owned by the specified username. Case-insensitive substring match.
Filter output to tickets whose service name matches the supplied string (e.g.
krbtgt, cifs, http). Case-insensitive prefix match.Filter output to tickets targeting a specific server hostname (e.g.
dc01.corp.local).Examples
List all tickets in the current session
Prints the full detail block for every ticket the current process can see:List tickets for all users (elevated)
Elevation automatically widens the scope to every logon session on the system:Filter to TGTs only
Use the/service filter to limit output to krbtgt tickets, which are TGTs:
Inspect a single logon session
Combine with/luid to see the detailed ticket list for one specific session:
klist and triage enumerate the same ticket data via the same underlying EnumerateTickets call — the only difference is the display format (Klist vs Triage). Use triage when you want a quick overview across many sessions and klist when you need full field-level detail on each ticket.