triage enumerates the Kerberos ticket cache and prints a compact, columnar table showing the logon session LUID, username, service, server, and ticket expiry for every ticket visible to the process. It is the quickest way to survey the Kerberos state of a machine: one glance shows which sessions hold TGTs, which have active service tickets, and when each will expire. When run as a standard user it is limited to the current logon session; when run in a high-integrity (elevated) process it iterates every logon session on the system and shows tickets belonging to all users.

Flags

/luid (string)
Restrict output to a single logon session identified by its LUID in hex (e.g. 0x3e4). Useful when you already know which session you want to inspect and want to avoid the noise of the full list.

/user (string)
Filter results to tickets belonging to the specified username. Case-insensitive substring match against the session owner field.

/service (string)
Filter results to tickets whose service name matches the supplied string (e.g. krbtgt to see only TGTs). Case-insensitive prefix match against the SPN service class.

/server (string)
Filter results to tickets whose target server hostname matches the supplied string (e.g. dc01.corp.local). Useful for narrowing down which sessions hold tickets for a specific resource.

Examples

Triage all tickets in the current session

Run without any flags to get a summary table scoped to your own logon session:
Rubeus.exe triage

Triage tickets for all users (elevated)

When the process is elevated, Rubeus automatically iterates every logon session on the host:
Rubeus.exe triage

The output header changes depending on privilege level: "Triage Kerberos Tickets (Current User)" vs "Triage Kerberos Tickets (All Users)". No extra flags are needed; elevation alone determines scope.

Filter by username

Show only tickets owned by a specific account:
Rubeus.exe triage /user:jdoe

Filter by service type

Quickly identify which sessions hold TGTs:
Rubeus.exe triage /service:krbtgt

Use triage as a first-pass enumeration tool to identify interesting sessions, then follow up with dump /luid:X to extract the raw ticket bytes from the session of interest.
