# Monitor

The `Monitor` command in Amnesiac extracts Kerberos tickets from the Local Security Authority (LSA) cache on a target system. As with the [`Kerb`](/amnesiac/sessions/local-actions/kerb.md) command, what `Monitor` can do depends on the privilege level of the user running it.

Type `Monitor` and press Enter. This starts the TGT Monitoring script, which begins extracting TGTs from the LSA cache on the target system and storing them in encrypted form.

After entering the `Monitor` command, the script will display the process ID (PID) under which it is running. You can use this PID for manual termination if needed.

**Periodic Extraction of TGTs:**

`Monitor` periodically extracts all Ticket Granting Tickets (TGTs) from the LSA cache on the target system. This function is especially useful on servers with unconstrained delegation enabled.

**Encrypted Storage in the Registry:**

The retrieved TGTs are encrypted and stored in the system's registry. The password used to encrypt and decrypt them is currently hardcoded into Amnesiac, and the same password serves both operations. Because that password ships with the tool, anyone who can read the registry values and has a copy of Amnesiac can decrypt the stored tickets; the registry storage hides them from casual inspection, not from a determined reviewer.

**Process Termination:**

If you forget to kill the Monitor process manually, the script terminates itself 24 hours after launch. In addition, the script automatically deletes the TGTs saved in the registry 48 hours after launch.

This leaves a window in which you can still retrieve the TGTs, for example after a lost session or when you forgot that the script was running on the target system.

**Access to Encrypted TGTs:**

To read and decrypt the registry content, use the `MonitorRead` command. It retrieves the encrypted TGTs that `Monitor` saved in the registry, decrypts them, and displays their contents on screen.

Additionally, decrypted TGTs are saved locally within the "C:\Users\Public\Documents\Amnesiac\Monitor\_TGTs" folder for your convenience.

**Clearing the Registry:**

The `MonitorClear` command removes the saved TGTs from the registry. It only takes effect once the Monitor process has been terminated, either manually or automatically.
