Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
purge calls LsaCallAuthenticationPackage with a KerbPurgeTicketCacheMessage to flush every Kerberos ticket from the target logon session. This is most commonly used to clean up injected tickets after a pass-the-ticket operation so that the session returns to its natural state, or to force a fresh ticket acquisition from the KDC. Without /luid the command targets only your own current session. Specifying a foreign LUID lets you wipe another user’s session cache, which requires elevated privileges.
Flags
The Logon Session ID (LUID) of the logon session to purge, expressed as a hex value (e.g.
0x3e4). Omit to purge the current session. Targeting any other LUID requires a high-integrity (elevated) process.Examples
Purge the current session
Removes all Kerberos tickets from the logon session belonging to the current process:Purge a specific logon session (elevated)
Identify the target LUID first withRubeus.exe triage, then supply it here:
purge is a clean-up companion to ptt. The standard workflow is: inject a ticket with ptt, perform the desired operation, then call purge to remove the injected ticket and avoid leaving artefacts in the session cache.