aryma/Ares-mythic
1
0
Fork 0
mirror of https://github.com/Aryma-f4/Ares-mythic.git synced 2026-06-12 23:34:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9f0471b6825e98cf7befb4685240c0c582079467
Ares-mythic/documentation-payload/ares/commands/ticket_cache_extract.md
Aryma 03d283cf49 refactor(payload): rename apollo to ares and update documentation 
This commit renames the Apollo payload type to Ares, moving all associated files and updating documentation accordingly. The change includes:
- Renaming directories from `apollo` to `ares`
- Updating documentation image references
- Maintaining the same code functionality while changing the payload name
- Adding new Ares-specific documentation files
- Removing old Apollo documentation files

The rename is done to reflect the new payload name while preserving all existing functionality.
2026-04-14 14:02:44 +07:00

947 B
Raw Blame History

+++ title = "ticket_cache_extract" chapter = false weight = 103 hidden = false +++

{{% notice info %}} Artifacts Generated: WindowsAPIInvoke {{% /notice %}}

Summary

Extract the specified ticket(s) from the current logon session, this uses LSA APIs to extract a ticket from the active logon session on the host. This includes all details and a base64 encoded copy of the ticket. If ran from an elevated context this also can get a ticket from any session.

Arguments

luid

Optional argument to extract a ticket from the cache of a different logon session, must be elevated.

Service

The name of the service to taget for example krbtgt for tgt, or one of the various service ticket types (ex. cifs, host, ldap, etc.)

Usage

ticket_cache_extract -luid [luidValue] -service [service]

Example

ticket_cache_extract -luid 0xabcd -service cifs
ticket_cache_extract -service krbtgt

MITRE ATT&CK Mapping

  • T1550
Reference in New Issue View Git Blame Copy Permalink