{
	"id": "67ba6253-88a5-43dd-956d-7dafbe2c4c75",
	"created_at": "2026-04-06T00:12:32.7784Z",
	"updated_at": "2026-04-10T03:20:59.351222Z",
	"deleted_at": null,
	"sha1_hash": "1202074c994c9bfce8e8fd0faf1897ae1740f1d2",
	"title": "klist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62327,
	"plain_text": "klist\r\nBy robinharwood\r\nArchived: 2026-04-05 18:39:10 UTC\r\nDisplays a list of currently cached Kerberos tickets.\r\nImportant\r\nYou must be at least a Domain Admin, or equivalent, to run all the parameters of this command.\r\nSyntax\r\nklist [-lh \u003clogonID.highpart\u003e] [-li \u003clogonID.lowpart\u003e] tickets | tgt | purge | sessions | kcd_cache | get | add\r\nParameters\r\nParameter Description\r\n-lh\r\nDenotes the high part of the user's locally unique identifier (LUID), expressed in hexadecimal.\r\nIf neither -lh nor -li are present, the command defaults to the LUID of the user who is currently\r\nsigned in.\r\n-li\r\nDenotes the low part of the user's locally unique identifier (LUID), expressed in hexadecimal.\r\nIf neither -lh nor -li are present, the command defaults to the LUID of the user who is currently\r\nsigned in.\r\ntickets\r\nLists the currently cached ticket-granting-tickets (TGTs), and service tickets of the specified\r\nlogon session. This is the default option.\r\ntgt Displays the initial Kerberos TGT.\r\npurge Allows you to delete all the tickets of the specified logon session.\r\nsessions Displays a list of logon sessions on this computer.\r\nkcd_cache Displays the Kerberos constrained delegation cache information.\r\nget\r\nAllows you to request a ticket to the target computer specified by the service principal name\r\n(SPN).\r\nadd_bind Allows you to specify a preferred domain controller for Kerberos authentication.\r\nquery_bind\r\nDisplays a list of cached preferred domain controllers for each domain that Kerberos has\r\ncontacted.\r\nhttps://docs.microsoft.com/windows-server/administration/windows-commands/klist\r\nPage 1 of 5\n\nParameter Description\r\npurge_bind Removes the cached preferred domain controllers for the domains specified.\r\nkdcoptions Displays the Key Distribution Center (KDC) options specified in RFC 4120.\r\n/? Displays Help for this command.\r\nIf no parameters are provided, klist retrieves all the tickets for the currently logged on user.\r\nThe parameters display the following information:\r\ntickets - Lists the currently cached tickets of services that you have authenticated to since logon.\r\nDisplays the following attributes of all cached tickets:\r\nLogonID: The LUID.\r\nClient: The concatenation of the client name and the domain name of the client.\r\nServer: The concatenation of the service name and the domain name of the service.\r\nKerbTicket Encryption Type: The encryption type that is used to encrypt the Kerberos\r\nticket.\r\nTicket Flags: The Kerberos ticket flags.\r\nStart Time: The time from which the ticket is valid.\r\nEnd Time: The time the ticket becomes no longer valid. When a ticket is past this time, it\r\ncan no longer be used to authenticate to a service or be used for renewal.\r\nRenew Time: The time that a new initial authentication is required.\r\nSession Key Type: The encryption algorithm that is used for the session key.\r\ntgt - Lists the initial Kerberos TGT and the following attributes of the currently cached ticket:\r\nLogonID: Identified in hexadecimal.\r\nServiceName: krbtgt\r\nTargetName \u003cSPN\u003e : krbtgt\r\nDomainName: Name of the domain that issues the TGT.\r\nTargetDomainName: Domain that the TGT is issued to.\r\nAltTargetDomainName: Domain that the TGT is issued to.\r\nTicket Flags: Address and target actions and type.\r\nhttps://docs.microsoft.com/windows-server/administration/windows-commands/klist\r\nPage 2 of 5\n\nSession Key: Key length and encryption algorithm.\r\nStartTime: Local computer time that the ticket was requested.\r\nEndTime: Time the ticket becomes no longer valid. When a ticket is past this time, it can no\r\nlonger be used to authenticate to a service.\r\nRenewUntil: Deadline for ticket renewal.\r\nTimeSkew: Time difference with the Key Distribution Center (KDC).\r\nEncodedTicket: Encoded ticket.\r\npurge - Allows you to delete a specific ticket. Purging tickets destroys all tickets that you have\r\ncached, so use this attribute with caution. It might stop you from being able to authenticate to\r\nresources. If this happens, you'll have to log off and log on again.\r\nLogonID: Identified in hexadecimal.\r\nsessions - Allows you to list and display the information for all logon sessions on this computer.\r\nLogonID: If specified, displays the logon session only by the given value. If not specified,\r\ndisplays all the logon sessions on this computer.\r\nkcd_cache - Allows you to display the Kerberos constrained delegation cache information.\r\nLogonID: If specified, displays the cache information for the logon session by the given\r\nvalue. If not specified, displays the cache information for the current user's logon session.\r\nget - Allows you to request a ticket to the target that is specified by the SPN.\r\nLogonID: If specified, requests a ticket by using the logon session by the given value. If not\r\nspecified, requests a ticket by using the current user's logon session.\r\nkdcoptions: Requests a ticket with the given KDC options\r\nadd_bind - Allows you to specify a preferred domain controller for Kerberos authentication.\r\nquery_bind - Allows you to display cached, preferred domain controllers for the domains.\r\npurge_bind - Allows you to remove cached, preferred domain controllers for the domains.\r\nkdcoptions - For the current list of options and their explanations, see RFC 4120.\r\nExamples\r\nTo query the Kerberos ticket cache to determine if any tickets are missing, if the target server or account is in\r\nerror, or if the encryption type is not supported due to an Event ID 27 error, type:\r\nhttps://docs.microsoft.com/windows-server/administration/windows-commands/klist\r\nPage 3 of 5\n\nklist\r\nklist -li 0x3e7\r\nTo learn about the specifics of each ticket-granting-ticket that is cached on the computer for a logon session, type:\r\nklist tgt\r\nTo purge the Kerberos ticket cache, log off, and then log back on, type:\r\nklist purge\r\nklist purge -li 0x3e7\r\nTo diagnose a logon session and to locate a logonID for a user or a service, type:\r\nklist sessions\r\nTo diagnose Kerberos constrained delegation failure, and to find the last error that was encountered, type:\r\nklist kcd_cache\r\nTo diagnose if a user or a service can get a ticket to a server, or to request a ticket for a specific SPN, type:\r\nklist get host/%computername%\r\nTo diagnose replication issues across domain controllers, you typically need the client computer to target a\r\nspecific domain controller. To target the client computer to the specific domain controller, type:\r\nklist add_bind CONTOSO KDC.CONTOSO.COM\r\nklist add_bind CONTOSO.COM KDC.CONTOSO.COM\r\nTo query which domain controllers were recently contacted by this computer, type:\r\nklist query_bind\r\nhttps://docs.microsoft.com/windows-server/administration/windows-commands/klist\r\nPage 4 of 5\n\nTo rediscover domain controllers, or to flush the cache before creating new domain controller bindings with\r\nklist add_bind , type:\r\nklist purge_bind\r\nCommand-Line Syntax Key\r\nSource: https://docs.microsoft.com/windows-server/administration/windows-commands/klist\r\nhttps://docs.microsoft.com/windows-server/administration/windows-commands/klist\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/windows-server/administration/windows-commands/klist"
	],
	"report_names": [
		"klist"
	],
	"threat_actors": [],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1202074c994c9bfce8e8fd0faf1897ae1740f1d2.pdf",
		"text": "https://archive.orkl.eu/1202074c994c9bfce8e8fd0faf1897ae1740f1d2.txt",
		"img": "https://archive.orkl.eu/1202074c994c9bfce8e8fd0faf1897ae1740f1d2.jpg"
	}
}