triage

Overview

Quickly triage all accessible Kerberos tickets across all logon sessions on the current system. This command provides a rapid overview of available tickets without extracting full ticket data, ideal for initial reconnaissance and target identification.

Syntax

Rubeus.exe triage [options]

Optional Parameters

luid

string

Target specific logon session ID

user

string

Filter by specific username

service

string

Filter by service name pattern

Examples

# List all accessible tickets
Rubeus.exe triage

# Target specific logon session
Rubeus.exe triage /luid:0x12345

# Filter by username
Rubeus.exe triage /user:admin

Triage Information

Ticket Overview

Basic Details:

Logon session ID (LUID)
Username and domain
Service principal name
Ticket type (TGT vs Service)

Status Information:

Start and end times
Encryption type
Ticket flags
Validity status

Session Context

Logon Session Details:

Authentication package
Logon type and time
User SID and privileges
Session characteristics

Access Capabilities:

Available for extraction
Requires elevation
Cross-session visibility
Permission requirements

Use Cases

Initial Reconnaissance

System Assessment:

Identify high-value tickets
Map user sessions and activities
Locate administrative accounts
Find service account tickets

Target Prioritization:

Identify domain admin tickets
Locate delegation-enabled accounts
Find cross-domain tickets
Spot unusual service tickets

Operational Planning

Attack Preparation:

Plan ticket extraction strategy
Identify privilege escalation paths
Map lateral movement opportunities
Assess defensive visibility

Resource Optimization:

Focus on valuable targets
Avoid unnecessary extractions
Minimize detection footprint
Streamline operations

Output Analysis

Understanding Results

Sample Output:

# Example triage output
Rubeus.exe triage

[*] Action: Ticket Triage

[*] Current LUID    : 0x12345
[*] Current user    : CORP\admin

[0x3e7] - SYSTEM
  [*] 0x3e4 krbtgt/CORP.LOCAL                             [CORP.LOCAL]    [10/25/2024 1:23:45 PM] [10/25/2024 11:23:45 PM]
  [*] 0x3e5 CIFS/fileserver.corp.local                    [CORP.LOCAL]    [10/25/2024 1:25:12 PM] [10/25/2024 11:25:12 PM]

[0x54321] - CORP\serviceaccount
  [*] 0x123 krbtgt/CORP.LOCAL                             [CORP.LOCAL]    [10/25/2024 9:15:30 AM] [10/25/2024 7:15:30 PM]
  [*] 0x124 HTTP/webapp.corp.local                        [CORP.LOCAL]    [10/25/2024 9:16:45 AM] [10/25/2024 7:16:45 PM]

Key Elements:

LUID identifies logon session
Ticket ID for extraction reference
Service name indicates access scope
Times show validity window

Strategic Applications

High-Value Target Identification

Administrative Tickets:

Domain controller access (HOST, LDAP)
Domain admin accounts (krbtgt tickets)
Exchange server access (exchangeab)
SQL server access (mssql)

Service Account Detection:

Service accounts with delegation
Machine accounts with valuable access
Cross-domain service accounts
Accounts with multiple service tickets

Lateral Movement Planning

Access Mapping:

Identify accessible systems via tickets
Map service relationships
Find trust relationships
Locate administrative boundaries

Path Optimization:

Choose highest-value targets
Minimize required privilege escalation
Identify direct access paths
Plan multi-hop strategies

Integration Workflows

Reconnaissance to Extraction

Complete Workflow:

# 1. Initial triage
Rubeus.exe triage

# 2. Identify valuable tickets
# Look for admin accounts, service accounts, high-value services

# 3. Extract specific tickets
Rubeus.exe dump /luid:0x54321 /service:krbtgt

# 4. Use extracted tickets
Rubeus.exe ptt /ticket:extracted.kirbi

Targeted Assessment

Focused Analysis:

# 1. Target specific user
Rubeus.exe triage /user:admin

# 2. Target specific service
Rubeus.exe triage /service:cifs

# 3. Extract matching tickets
Rubeus.exe dump /user:admin /service:cifs

Session Management

Current Session

Default Behavior:

Shows tickets from current session
No elevation required
Limited to user’s context
Safe for reconnaissance

Cross-Session Access

Elevated Operations:

Requires administrative privileges
Access to all logon sessions
System-wide ticket visibility
Enhanced targeting capabilities

LUID Discovery:

Use logonsession command for LUID enumeration
Target specific high-value sessions
Cross-reference with user activities
Plan extraction strategies

Operational Security

Detection Considerations

Low-Risk Operations:

Triage generates minimal logs
No ticket modification or extraction
Standard authentication package queries
Difficult to distinguish from normal activity

Volume Considerations:

Avoid excessive triage frequency
Focus on specific targets when possible
Correlate with normal system activity
Minimize enumeration footprint

dump - Extract identified tickets
klist - List current session tickets
logonsession - Enumerate logon sessions
ptt - Use triaged tickets

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Overview

Syntax

Optional Parameters

Examples

Triage Information

Use Cases

Output Analysis

Strategic Applications

Integration Workflows

Session Management

Operational Security

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

​Overview

​Syntax

​Optional Parameters

​Examples

​Triage Information

​Use Cases

​Output Analysis

​Strategic Applications

​Integration Workflows

​Session Management

​Operational Security

​Related Commands

Overview

Syntax

Optional Parameters

Examples

Triage Information

Use Cases

Output Analysis

Strategic Applications

Integration Workflows

Session Management

Operational Security

Related Commands