Amnesiac
  • Welcome
  • Intended Usage
  • Get-Started
    • Quick Start
  • Main Menu
    • Available Commands
    • Main Menu Structure
    • [0] Scan Network for Admin Access
    • [1] Single-Listener (single target)
    • [2] Global-Listener (multiple targets)
    • [3] Scan Network for Listening Targets
    • Bookmarks
    • Payload Types
    • Payload Delivery
    • Serving Scripts
    • Sessions Display
    • Targets
    • Terminate Sessions
  • Sessions
    • Core Commands
      • Download
      • Exit
      • GListener
      • GLSet
      • Help
      • Kill
      • OneIsNone
      • Scramble
      • Sync
      • Toggle
      • Upload
    • System Commands
      • AV
      • Net
      • Process
      • Services
      • Sessions
      • Software
      • Startup
    • User Activity
      • ClearLogs
      • Clipboard
      • History and ClearHistory
      • Keylog and KeylogRead
      • ScreenShot and Screen4K
    • Scripts Loading
      • Mimi
      • Patch and PatchNet
      • PInject
      • PowerView
      • Rubeus
      • TLS
    • Local Actions
      • Ask4Creds
      • AutoMimi
      • CredMan
      • Dpapi
      • GetSystem
      • HashGrab
      • Hive
      • Kerb
      • Migrate
      • Monitor
    • Domain Actions
      • DCSync
      • CredValidate
      • Impersonation
      • LocalAdminAccess
      • PassSpray
      • Remoting
      • SessionHunter
  • Beware
    • Encryption
    • Non-Domain-Joined systems
    • SessionID 0
    • Timeouts
Powered by GitBook
On this page
  1. Sessions
  2. Local Actions

Monitor

Monitor Cache for TGTs | https://github.com/Leo4j/TGT_Monitor

Last updated 1 year ago

The Monitor command in Amnesiac serves a crucial role in extracting Kerberos tickets from the Local Security Authority (LSA) cache on a target system. Similar to the command, the functionality of Monitor depends on the privilege level of the user running it.

Simply type Monitor and press Enter. This command will trigger the TGT Monitoring script, which will begin extracting and securely storing the TGTs from the LSA cache on the target system.

After entering the Monitor command, the script will display the process ID (PID) under which it is running. You can use this PID for manual termination if needed.

Periodic Extraction of TGTs:

Monitor periodically extracts all Ticket Granting Tickets (TGTs) from the LSA cache on the target system. This function is especially useful on servers with unconstrained delegation enabled.

Encrypted Storage in the Registry:

The retrieved TGTs are encrypted and stored in the system's registry. The encryption password used for securing the TGTs is currently hardcoded into Amnesiac. The password is used for both encryption and decryption of TGTs stored in the registry.

Process Termination:

In case you forget to manually kill the Monitor process, the script is designed to terminate itself after 24 hours from its launch. Additionally, the script will automatically delete TGTs saved in the registry after 48 hours from its launch.

This provides a window of opportunity for you to retrieve the TGTs if needed, such as in case of a lost session or forgotten script execution on the target system.

Access to Encrypted TGTs:

To access and decrypt the content of the registry, you can use the MonitorRead command. This command retrieves the encrypted TGTs saved within the registry by the Monitor command, decrypts them, and displays their contents on the screen.

Additionally, decrypted TGTs are saved locally within the "C:\Users\Public\Documents\Amnesiac\Monitor_TGTs" folder for your convenience.

Clearing the Registry:

The MonitorClear command is used to clear the registry from saved TGTs. However, it is only effective if the Monitor process has been previously terminated, either manually or automatically.

Kerb