aryma/Ares-mythic
1
0
Fork 0
mirror of https://github.com/Aryma-f4/Ares-mythic.git synced 2026-06-12 12:04:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2f05f677337d44adaeac713b411f107c3c637be7
Ares-mythic/documentation-payload/apollo/commands/ticket_cache_extract.md
Aryma 2f05f67733 first commit
2026-04-14 12:17:24 +07:00

947 B
Raw Blame History

+++ title = "ticket_cache_extract" chapter = false weight = 103 hidden = false +++

{{% notice info %}} Artifacts Generated: WindowsAPIInvoke {{% /notice %}}

Summary

Extract the specified ticket(s) from the current logon session, this uses LSA APIs to extract a ticket from the active logon session on the host. This includes all details and a base64 encoded copy of the ticket. If ran from an elevated context this also can get a ticket from any session.

Arguments

luid

Optional argument to extract a ticket from the cache of a different logon session, must be elevated.

Service

The name of the service to taget for example krbtgt for tgt, or one of the various service ticket types (ex. cifs, host, ldap, etc.)

Usage

ticket_cache_extract -luid [luidValue] -service [service]

Example

ticket_cache_extract -luid 0xabcd -service cifs
ticket_cache_extract -service krbtgt

MITRE ATT&CK Mapping

  • T1550
Reference in New Issue View Git Blame Copy Permalink