[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-3559":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":15,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":10,"pushedAt":10,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":15,"starSnapshotCount":15,"syncStatus":26,"lastSyncTime":27,"discoverSource":28},3559,"tgt-monitor-bof","jakobfriedl\u002Ftgt-monitor-bof","jakobfriedl","Async BOF implementation of 'Rubeus monitor' to detect and automatically extract Kerberos TGTs as they appear on a target system. ","",null,"C",121,7,119,0,1,42.81,"BSD 3-Clause \"New\" or \"Revised\" License",false,"main",true,[],"2026-06-12 04:00:18","# Kerberos TGT Monitor BOF\n\nAsync Beacon Object File (BOF) that monitors for Kerberos logon events and wakes up the agent whenever a new Kerberos TGT is captured. Similar to Rubeus' `monitor` command, this BOF is running indefinitely and periodically checks the LSA ticket cache on the system. When a new TGT is detected, it prints the ticket metadata and outputs a base64-encoded kirbi blob that can be used for lateral movement via pass-the-ticket attacks.\n\n>[!Important]\n> This BOF requires asynchronous object file loading capabilities as it relies on the `BeaconWakeup` API to force an agent to check in when a new TGT is captured. Such functionality is provided by the [Conquest](https:\u002F\u002Fgithub.com\u002Fjakobfriedl\u002Fconquest\u002F) framework. \n\n## Workflow\n\nIn Conquest, the `tgt-monitor` BOF is executed in the background via a self-contained COFF loader DLL. 
The execution involves the following key steps:  \n\n![Workflow](.\u002Fassets\u002Fworkflow.png)\n\n## Usage\n\n\n>[!Warning]\n> This BOF must be run from a `NT AUTHORITY\\SYSTEM` context. \n\nThe following arguments need to be passed to the object file: \n\n| Name | Type | Description | \n| --- | --- | --- |\n| `interval` | `int` | Timeout between checks in seconds. | \n| `targetUser` | `string` | Case-insensitive username of a specific target user. When this field is set, only TGTs for that user are retrieved. Otherwise, TGTs are collected for all users. Note that computer accounts need to end with `$`. |\n\nFor ease-of-use, this repository features a [Conquest Module](.\u002Fdist\u002Ftgt-monitor.py) that implements the following command.  \n\n```\nUsage: tgt-monitor [--interval interval] [--user user]\nExample: tgt-monitor --interval 5 --user DC01$\n\nOptional arguments:\n  --interval interval       INT        Polling interval in seconds (default: 60).\n  --user user               STRING     Target specific username only.\n```\n\n![TGT Monitor](.\u002Fassets\u002Fimage.png)\n\n\nThe encoded ticket can be used directly with `Rubeus.exe ptt \u002Fticket:\u003Cbase64>` or `impacket-ticketConverter` for further lateral movement, as shown in the screenshot below. In [Conquest](https:\u002F\u002Fgithub.com\u002Fjakobfriedl\u002Fconquest\u002F), it is possible to use the `ptt` command to directly inject the ticket into the current logon session to impersonate the target user. 
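\n\n![Stealing tickets with TGT Monitor](.\u002Fassets\u002Fimage-2.png)\n\n## Compilation\n\n```bash\nmake\n```\n\n## Acknowledgements \n\nThe implementation of this Beacon Object File is based on the following projects: \n\n- https:\u002F\u002Fgithub.com\u002FGhostpack\u002FRubeus\n- https:\u002F\u002Fgithub.com\u002FRalfHacker\u002FKerbeus-BOF\n- https:\u002F\u002Fgithub.com\u002Fwavvs\u002Fnanorobeus\n\n","This project is an asynchronous BOF implementation for detecting and automatically extracting Kerberos TGTs as they appear on a target system. Its core function is to monitor Kerberos logon events and wake up the agent when a new TGT is captured, then output a base64-encoded kirbi file that can be used for lateral movement. Its technical characteristics include reliance on the `BeaconWakeup` API for asynchronous loading and the requirement to run in the `NT AUTHORITY\\SYSTEM` context. It is suited to penetration-testing scenarios, particularly where credential theft and subsequent lateral movement attacks are needed. Users can control the monitoring behaviour by setting the check interval and specifying a username, and a Conquest module is provided to simplify usage.",2,"2026-06-11 02:54:42","CREATED_QUERY"]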