Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

klist is the verbose counterpart to triage. Where triage produces a compact summary table, klist prints each ticket in a structured multi-line block that includes the service principal name, client name, realm, start time, end time, renew-till time, ticket flags, and session key encryption type. This makes it the right tool when you need to assess the health of a ticket, verify its flags (e.g. forwardable, renewable, pre-authent), or note exact expiry timestamps. Like triage, it is scoped to the current logon session without elevation and expands to all sessions when run in a high-integrity process.

Flags

/luid
string
Restrict output to a single logon session identified by its LUID in hex (e.g. 0x3e4). All other sessions are silently skipped.
/user
string
Filter output to sessions owned by the specified username. Case-insensitive substring match.
/service
string
Filter output to tickets whose service name matches the supplied string (e.g. krbtgt, cifs, http). Case-insensitive prefix match.
/server
string
Filter output to tickets targeting a specific server hostname (e.g. dc01.corp.local).

Examples

List all tickets in the current session

Prints the full detail block for every ticket the current process can see:
Rubeus.exe klist

List tickets for all users (elevated)

Elevation automatically widens the scope to every logon session on the system:
Rubeus.exe klist

Filter to TGTs only

Use the /service filter to limit output to krbtgt tickets, which are TGTs:
Rubeus.exe klist /service:krbtgt

Inspect a single logon session

Combine with /luid to see the detailed ticket list for one specific session:
Rubeus.exe klist /luid:0x4f2b1a
klist and triage enumerate the same ticket data via the same underlying EnumerateTickets call — the only difference is the display format (Klist vs Triage). Use triage when you want a quick overview across many sessions and klist when you need full field-level detail on each ticket.
The Flags field in the klist output maps directly to the KDC-issued Kerberos ticket flags. A value of name_canonicalize, pre_authent, renewable, forwardable is the normal set for a healthy TGT. Missing forwardable can indicate constrained environments.

Build docs developers (and LLMs) love