Kerberos Tickets

Kerberos tickets are stored in LSASS process memory. In certain contexts, they are arguably easier to extract and manage than NTLM hashes, and are a great post-exploitation target. Kerberos tickets have the added benefit of being easy to monitor and extract when new user logon sessions are created. If you're local admin on a machine, make sure to set up a TGT harvester to catch new users' tickets.

Tooling

The classic ticket tool is Rubeus, but there are plenty of BOF and other options these days.

Rubeus.exe triage
mimikatz lsadump::ekeys
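
For the defending side, the two command lines above can be hunted in process-creation telemetry. The following is an added example, not part of the original page or of either tool: the field names (`Host`, `Image`, `CommandLine`) assume Sysmon Event ID 1 style records, the sample events are constructed, and the function names and the verbs and commands beyond `triage` and `ekeys` are assumptions.

```python
import ntpath
import re
import shlex

# Constructed process-creation records, shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Image": r"C:\Users\a\Rubeus.exe", "CommandLine": "Rubeus.exe triage"},
    {"Host": "WS01", "Image": r"C:\Temp\svc.exe", "CommandLine": r"C:\Temp\svc.exe monitor /interval:30"},
    {"Host": "WS02", "Image": r"C:\Tools\mimikatz.exe", "CommandLine": 'mimikatz.exe "lsadump::ekeys" exit'},
    {"Host": "WS03", "Image": r"C:\Windows\System32\klist.exe", "CommandLine": "klist.exe tickets"},
    {"Host": "WS03", "Image": r"C:\App\triage-report.exe", "CommandLine": "triage-report.exe --out r.html"},
]

TOOL_NAMES = re.compile(r"^(rubeus|mimikatz)", re.I)        # tools named on the page
MODULE_CMD = re.compile(r"\b\w+::(ekeys|tickets)\b", re.I)  # ekeys: page; tickets: assumed
TICKET_VERBS = {"triage", "dump", "monitor", "harvest"}     # triage: page; rest: assumed

def tokens(cmdline):
    """Split a logged Windows command line, tolerating unbalanced quotes."""
    try:
        parts = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    except ValueError:
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def classify(event):
    """Return (severity, reasons); severity is None when nothing matched."""
    reasons = []
    if TOOL_NAMES.match(ntpath.basename(event["Image"])):
        reasons.append("tool-name")
    if MODULE_CMD.search(event["CommandLine"]):
        reasons.append("module-command")
    args = tokens(event["CommandLine"])[1:]
    if args and args[0].lower() in TICKET_VERBS:
        reasons.append("ticket-verb")
    if not reasons:
        return None, reasons
    # A bare verb catches renamed binaries but also unrelated software,
    # so on its own it only rates "low" and needs corroboration.
    return ("low" if reasons == ["ticket-verb"] else "high"), reasons

def hunt(events):
    hits = []
    for ev in events:
        severity, reasons = classify(ev)
        if severity:
            hits.append((ev["Host"], ntpath.basename(ev["Image"]), severity, reasons))
    return hits
```

Tooling that runs inside an existing process, such as the BOF options mentioned above, creates no process-creation event, so this check covers only standalone executables.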