monitor runs a continuous polling loop that calls LsaEnumerateLogonSessions every /monitorinterval seconds and compares the current TGT set against the previous snapshot. Whenever a new TGT appears — because a user logs in, a service account authenticates, or a scheduled task runs — Rubeus immediately prints the base64-encoded ticket to the console. This makes it invaluable on compromised systems where you want to capture credentials as they flow through, without having to repeatedly run dump by hand. The loop runs indefinitely until interrupted unless /runfor is specified. Requires an elevated process to see sessions belonging to other users.

Flags

/monitorinterval (integer)
    How often (in seconds) to poll the logon session cache for new TGTs. Defaults to 60 seconds. The flag /interval is also accepted and behaves identically.

/filteruser (string)
    Only report new TGTs belonging to the specified username. The flag /targetuser is also accepted and behaves identically. When omitted, all new TGTs are reported.

/nowrap (flag)
    Print base64 ticket blobs without line wrapping, one blob per line. Makes output easier to process programmatically. No value required.

/registry (string)
    Persist captured TGTs to the registry under HKLM\SOFTWARE\<SOFTWARENAME> as each one is seen. Useful for surviving operator disconnects — the tickets can be retrieved later even after the monitoring process exits.

/runfor (integer)
    Stop monitoring after this many seconds. When omitted the loop runs indefinitely until the process is killed.

Examples

Monitor with the default 60-second interval

Start watching for new TGTs on all sessions (requires elevation):
Rubeus.exe monitor

Monitor with a 30-second polling interval

Reduce the interval for a more responsive capture window:
Rubeus.exe monitor /monitorinterval:30

Monitor for a specific target user

Only display tickets for a named account — useful when waiting for a specific service account to authenticate:
Rubeus.exe monitor /monitorinterval:30 /filteruser:svc_backup

Run for a limited time and exit

Capture for 10 minutes then stop automatically:
Rubeus.exe monitor /monitorinterval:15 /runfor:600

When /registry:SOFTWARENAME is supplied, Rubeus writes each captured TGT blob to HKLM\SOFTWARE\<SOFTWARENAME> as it arrives. This key persists across operator sessions and can be read back later with standard registry tools, making it a lightweight persistence mechanism for harvested tickets.
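For defenders hunting for tickets persisted this way, here is an added example (not Rubeus code) that scans registry value data for base64 text decoding to a DER KRB-CRED (.kirbi) structure, the format Rubeus prints tickets in. It assumes the stored data is that same base64 text, and the registry values it is exercised with are constructed samples rather than a real export.

```python
import base64
# .kirbi outer shape (RFC 4120 5.8.1): KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (22), ... }
APP22, SEQ, CTX0, CTX1, INT = 0x76, 0x30, 0xA0, 0xA1, 0x02

def _tlv(buf, pos):
    """One DER tag+length at pos -> (tag, value_start, value_end), or None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return (tag, pos, pos + length) if pos + length <= len(buf) else None

def _ctx_int(buf, pos, ctx):
    """[ctx] INTEGER at pos -> (value or None, offset just past the field)."""
    outer = _tlv(buf, pos)
    inner = _tlv(buf, outer[1]) if outer and outer[0] == ctx else None
    if inner is None or inner[0] != INT or inner[1] == inner[2]:
        return None, pos
    return int.from_bytes(buf[inner[1]:inner[2]], "big"), outer[2]

def looks_like_krb_cred(blob):
    """True if blob opens like DER KRB-CRED: APP22 { SEQ { pvno=5, msg-type=22, ... } }."""
    app = _tlv(blob, 0)
    seq = _tlv(blob, app[1]) if app and app[0] == APP22 else None
    if seq is None or seq[0] != SEQ:
        return False
    pvno, after = _ctx_int(blob, seq[1], CTX0)
    return pvno == 5 and _ctx_int(blob, after, CTX1)[0] == 22

def find_kirbi_values(values):
    """Names of registry values whose data (even if line-wrapped) is a base64 KRB-CRED blob."""
    hits = []
    for name, data in values.items():
        try:
            raw = base64.b64decode("".join(data.split()), validate=True)
        except (ValueError, TypeError):
            continue
        if looks_like_krb_cred(raw):
            hits.append(name)
    return hits

def sample_kirbi():
    """Constructed stand-in, not a real ticket: valid outer shell, zero filler in [2]."""
    body = b"\xa0\x03\x02\x01\x05" + b"\xa1\x03\x02\x01\x16" + b"\xa2\x40" + bytes(64)
    raw = bytes([APP22, len(body) + 2, SEQ, len(body)]) + body
    return raw, base64.b64encode(raw).decode()
```

On a live host, feed it the name/data pairs exported from the suspect HKLM\SOFTWARE subkey; it recognizes only the outer KRB-CRED shell, so it needs no key material and never decrypts anything.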
monitor requires an elevated (high-integrity) process to observe logon sessions belonging to users other than the one running Rubeus. In a non-elevated process only TGTs for the current user will be visible.
If you need automatic ticket renewal in addition to monitoring, use Rubeus.exe harvest instead — it combines the polling loop with a periodic renewal operation to keep captured TGTs alive past their initial end time.