Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
triage enumerates the Kerberos ticket cache and prints a compact, columnar table showing the logon session LUID, username, service, server, and ticket expiry for every ticket visible to the process. It is the quickest way to survey the Kerberos state of a machine: one glance shows which sessions hold TGTs, which have active service tickets, and when each will expire. When run as a standard user it is limited to the current logon session; when run in a high-integrity (elevated) process it iterates every logon session on the system and shows tickets belonging to all users.
Flags
Restrict output to a single logon session identified by its LUID in hex (e.g.
0x3e4). Useful when you already know which session you want to inspect and want to avoid the noise of the full list.Filter results to tickets belonging to the specified username. Case-insensitive substring match against the session owner field.
Filter results to tickets whose service name matches the supplied string (e.g.
krbtgt to see only TGTs). Case-insensitive prefix match against the SPN service class.Filter results to tickets whose target server hostname matches the supplied string (e.g.
dc01.corp.local). Useful for narrowing down which sessions hold tickets for a specific resource.Examples
Triage all tickets in the current session
Run without any flags to get a summary table scoped to your own logon session:Triage tickets for all users (elevated)
When the process is elevated Rubeus automatically iterates every logon session on the host:The output header changes depending on privilege level:
Triage Kerberos Tickets (Current User) vs Triage Kerberos Tickets (All Users). No extra flags are needed — elevation alone determines scope.