purge

Overview

Purge Kerberos tickets from the current logon session or a specific LUID. This command removes all cached tickets, effectively clearing the authentication state for cleanup or operational security purposes.

Syntax

Rubeus.exe purge [options]

Optional Parameters

luid

string

Target specific logon session ID (requires elevation)

Examples

# Purge tickets from current session
Rubeus.exe purge

# Purge tickets from specific LUID (requires admin)
Rubeus.exe purge /luid:0x12345

# Verify tickets are purged
Rubeus.exe klist

Use Cases

Operational Cleanup

Post-Operation Cleanup:

Remove injected tickets after operations
Clean authentication state
Restore original session state

Evidence Removal:

Clear traces of ticket manipulation
Remove forged or stolen tickets
Reset authentication cache

Session Management

Authentication Reset:

Clear corrupted ticket cache
Force fresh authentication
Resolve ticket conflicts

Testing and Development:

Reset state between tests
Clear test tickets
Validate clean authentication

Session Targeting

Current Session (Default)

Standard Operation:

Purges tickets from current user session
Requires no special privileges
Affects only current authentication state

Specific LUID Targeting

Elevated Operations:

Requires administrative privileges
Can target any logon session
Useful for system-wide cleanup

klist - Verify ticket state after purging
ptt - Inject tickets after purging
logonsession - Identify target LUIDs

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Overview

Syntax

Optional Parameters

Examples

Use Cases

Session Targeting

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

​Overview

​Syntax

​Optional Parameters

​Examples

​Use Cases

​Session Targeting

​Related Commands

Overview

Syntax

Optional Parameters

Examples

Use Cases

Session Targeting

Related Commands