Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

purge calls LsaCallAuthenticationPackage with a KerbPurgeTicketCacheMessage to flush every Kerberos ticket from the target logon session. This is most commonly used to clean up injected tickets after a pass-the-ticket operation so that the session returns to its natural state, or to force a fresh ticket acquisition from the KDC. Without /luid the command targets only your own current session. Specifying a foreign LUID lets you wipe another user’s session cache, which requires elevated privileges.

Flags

/luid
string
The Logon Session ID (LUID) of the logon session to purge, expressed as a hex value (e.g. 0x3e4). Omit to purge the current session. Targeting any other LUID requires a high-integrity (elevated) process.

Examples

Purge the current session

Removes all Kerberos tickets from the logon session belonging to the current process:
Rubeus.exe purge

Purge a specific logon session (elevated)

Identify the target LUID first with Rubeus.exe triage, then supply it here:
Rubeus.exe purge /luid:0x4f2b1a
Purging your own session will cause subsequent Kerberos-authenticated network operations to fail until the client requests new tickets from the KDC (typically triggered automatically by the next network access). Purging another user’s session with /luid requires a SYSTEM or equivalent privilege level.
purge is a clean-up companion to ptt. The standard workflow is: inject a ticket with ptt, perform the desired operation, then call purge to remove the injected ticket and avoid leaving artefacts in the session cache.

Build docs developers (and LLMs) love