jakobfriedl

Async BOF implementation of 'Rubeus monitor' to detect and automatically extract Kerberos TGTs as they appear on a target system.

69% credibility
Found Apr 22, 2026 at 22 stars
AI Analysis
C
AI Summary

This is a background monitor for detecting new Kerberos Ticket Granting Tickets in Windows systems' login caches, outputting them in base64 for use in authentication testing.

How It Works

1. Find the ticket watcher

You discover this GitHub tool that keeps an eye out for fresh login passes on Windows machines during security checks.

2. Get it ready

You follow the simple build guide to prepare the lightweight program on your computer.

3. Start it on the test system

With full system access on the Windows computer, you launch the watcher to run quietly.

4. Pick check times and focus

You decide how often it looks (like every few minutes) and if it should watch everyone or just one user.

5. It watches patiently

The tool runs in the background, scanning regularly for any new login passes without making a fuss.

6. Alert! New pass spotted

Suddenly, it notifies you with full details of the new login pass and hands over a ready-to-use encoded copy.

Ready for next steps

You now have the captured login pass to continue your security testing smoothly and effectively.

AI-Generated Review

What is tgt-monitor-bof?

This C-based async BOF for Cobalt Strike environments monitors Windows LSA ticket caches indefinitely, detecting Kerberos TGTs as they appear from logons. It automatically extracts new tickets, prints metadata like timestamps and enc types, and outputs base64-encoded kirbi blobs for immediate pass-the-ticket use. Paired with frameworks like Conquest, it wakes beacons on hits, solving manual TGT hunting in async BOF GitHub workflows.

Why is it gaining traction?

Unlike static Rubeus monitor ports, this async implementation runs background polls at custom intervals (default 60s), filtering by target user like "DC01$", with auto-wakeup for stealthy ops. Developers grab it for seamless Cobalt Strike integration via a simple Conquest CLI: `tgt-monitor --interval 5 --user user$`. The base64 output plugs straight into Rubeus ptt or impacket, cutting extraction steps.

Who should use this?

Red teamers running Cobalt Strike or Conquest on Windows domains, especially during lateral movement hunts for admin TGTs. Pentesters targeting Kerberos in AD need it for SYSTEM-context monitoring without killing beacons. Avoid if you're not in async BOF setups.

Verdict

Solid for niche async BOF Cobalt Strike use, with clear README, Makefile compile, and Conquest module; grab if TGT monitoring fits your op. At 21 stars and 69% credibility, it's early but functional; test in labs before prod runs.
