klist.exe

  • File Path: C:\Program Files\Amazon Corretto\jre8\bin\klist.exe
  • Description: OpenJDK Platform binary

Runtime Data

Usage (stdout):


Usage: klist [[-c] [-f] [-e] [-a [-n]]] [-k [-t] [-K]] [name]
   name	 name of credentials cache or  keytab with the prefix. File-based cache or keytab's prefix is FILE:.
   -c specifies that credential cache is to be listed
   -k specifies that key tab is to be listed
   options for credentials caches:
	-f 	 shows credentials flags
	-e 	 shows the encryption type
	-a 	 shows addresses
	  -n 	   do not reverse-resolve addresses
   options for keytabs:
	-t 	 shows keytab entry timestamps
	-K 	 shows keytab entry key value
	-e 	 shows keytab entry key type

Usage: java sun.security.krb5.tools.Klist -help for help.

Child Processes:

powershell_ise.exe

Loaded Modules:

Path
C:\Program Files\Amazon Corretto\jre8\bin\klist.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 2F83C35B5136353D68CE9EB669FD1B0B
  • Thumbprint: 4BAD227329ADEF18F215B6475FB7948E1629B505
  • Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  • Subject: CN=Amazon.com Services LLC, OU=Software Services, O=Amazon.com Services LLC, L=Seattle, S=Washington, C=US

File Metadata

  • Original Filename: klist.exe
  • Product Name: OpenJDK Platform 8
  • Company Name: Amazon.com Inc.
  • File Version: 8.0.2650.1
  • Product Version: 8.0.2650.1
  • Language: Language Neutral
  • Legal Copyright: Copyright 2020
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/aa6b658abeb4a08efb7b9908565543fa8692e4a38d0bed97a6257c6d807234ed/detection/

File Similarity (ssdeep match)

File Score
C:\program files (x86)\Amazon Corretto\jdk1.8.0_265\bin\jsadebugd.exe 38
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\appletviewer.exe 58
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\clhsdb.exe 58
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\extcheck.exe 65
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\hsdb.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\idlj.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jar.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jarsigner.exe 65
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\javac.exe 57
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\javadoc.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\javah.exe 57
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\javap.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jcmd.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jconsole.exe 55
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jdb.exe 58
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jdeps.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jfr.exe 63
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jhat.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jinfo.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jjs.exe 63
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jmap.exe 57
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jps.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jrunscript.exe 68
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jsadebugd.exe 57
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jstack.exe 55
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jstat.exe 63
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\jstatd.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\keytool.exe 65
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\klist.exe 83
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\native2ascii.exe 69
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\orbd.exe 55
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\pack200.exe 65
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\policytool.exe 61
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\rmid.exe 63
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\rmiregistry.exe 68
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\schemagen.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\serialver.exe 68
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\servertool.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\tnameserv.exe 57
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\wsgen.exe 65
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\wsimport.exe 65
C:\Program Files\Amazon Corretto\jdk1.8.0_265\bin\xjc.exe 72
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\java-rmi.exe 58
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\jjs.exe 63
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\keytool.exe 68
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\kinit.exe 75
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\klist.exe 82
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\ktab.exe 74
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\orbd.exe 54
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\pack200.exe 68
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\policytool.exe 60
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\rmid.exe 63
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\rmiregistry.exe 66
C:\Program Files\Amazon Corretto\jdk1.8.0_265\jre\bin\servertool.exe 60
C:\program files\Amazon Corretto\jdk11.0.8_10\bin\javadoc.exe 29
C:\program files\Amazon Corretto\jdk11.0.8_10\bin\jconsole.exe 33
C:\program files\Amazon Corretto\jdk11.0.8_10\bin\jinfo.exe 33
C:\Program Files\Amazon Corretto\jre8\bin\java-rmi.exe 61
C:\Program Files\Amazon Corretto\jre8\bin\jjs.exe 61
C:\Program Files\Amazon Corretto\jre8\bin\keytool.exe 65
C:\Program Files\Amazon Corretto\jre8\bin\kinit.exe 80
C:\Program Files\Amazon Corretto\jre8\bin\ktab.exe 75
C:\Program Files\Amazon Corretto\jre8\bin\orbd.exe 55
C:\Program Files\Amazon Corretto\jre8\bin\pack200.exe 63
C:\Program Files\Amazon Corretto\jre8\bin\policytool.exe 61
C:\Program Files\Amazon Corretto\jre8\bin\rmid.exe 63
C:\Program Files\Amazon Corretto\jre8\bin\rmiregistry.exe 66
C:\Program Files\Amazon Corretto\jre8\bin\tnameserv.exe 57

Possible Misuse

The following table contains possible examples of klist.exe being misused. While klist.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| atomic-red-team | T1558.001.md | klist purge | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.001.md | klist | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.003.md | klist purge | MIT License. © 2018 Red Canary |

Additional Info*

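*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license. It describes the Windows klist command, whose syntax differs from the usage output of the OpenJDK binary shown under Runtime Data above.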


klist

Displays a list of currently cached Kerberos tickets.

Important: You must be at least a Domain Admin, or equivalent, to run all the parameters of this command.

Syntax

klist [-lh <logonID.highpart>] [-li <logonID.lowpart>] tickets | tgt | purge | sessions | kcd_cache | get | add_bind | query_bind | purge_bind

Parameters

| Parameter | Description |
| --- | --- |
| -lh | Denotes the high part of the user’s locally unique identifier (LUID), expressed in hexadecimal. If neither -lh nor -li are present, the command defaults to the LUID of the user who is currently signed in. |
| -li | Denotes the low part of the user’s locally unique identifier (LUID), expressed in hexadecimal. If neither -lh nor -li are present, the command defaults to the LUID of the user who is currently signed in. |
| tickets | Lists the currently cached ticket-granting-tickets (TGTs), and service tickets of the specified logon session. This is the default option. |
| tgt | Displays the initial Kerberos TGT. |
| purge | Allows you to delete all the tickets of the specified logon session. |
| sessions | Displays a list of logon sessions on this computer. |
| kcd_cache | Displays the Kerberos constrained delegation cache information. |
| get | Allows you to request a ticket to the target computer specified by the service principal name (SPN). |
| add_bind | Allows you to specify a preferred domain controller for Kerberos authentication. |
| query_bind | Displays a list of cached preferred domain controllers for each domain that Kerberos has contacted. |
| purge_bind | Removes the cached preferred domain controllers for the domains specified. |
| kdcoptions | Displays the Key Distribution Center (KDC) options specified in RFC 4120. |
| /? | Displays Help for this command. |

Remarks

  • If no parameters are provided, klist retrieves all the tickets for the currently logged on user.

  • The parameters display the following information:

    • tickets - Lists the currently cached tickets of services that you have authenticated to since logon. Displays the following attributes of all cached tickets:

      • LogonID: The LUID.

      • Client: The concatenation of the client name and the domain name of the client.

      • Server: The concatenation of the service name and the domain name of the service.

      • KerbTicket Encryption Type: The encryption type that is used to encrypt the Kerberos ticket.

      • Ticket Flags: The Kerberos ticket flags.

      • Start Time: The time from which the ticket is valid.

      • End Time: The time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service or be used for renewal.

      • Renew Time: The time that a new initial authentication is required.

      • Session Key Type: The encryption algorithm that is used for the session key.

    • tgt - Lists the initial Kerberos TGT and the following attributes of the currently cached ticket:

      • LogonID: Identified in hexadecimal.

      • ServiceName: krbtgt

      • TargetName <SPN>: krbtgt

      • DomainName: Name of the domain that issues the TGT.

      • TargetDomainName: Domain that the TGT is issued to.

      • AltTargetDomainName: Domain that the TGT is issued to.

      • Ticket Flags: Address and target actions and type.

      • Session Key: Key length and encryption algorithm.

      • StartTime: Local computer time that the ticket was requested.

      • EndTime: Time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service.

      • RenewUntil: Deadline for ticket renewal.

      • TimeSkew: Time difference with the Key Distribution Center (KDC).

      • EncodedTicket: Encoded ticket.

    • purge - Allows you to delete a specific ticket. Purging tickets destroys all tickets that you have cached, so use this attribute with caution. It might stop you from being able to authenticate to resources. If this happens, you’ll have to log off and log on again.

      • LogonID: Identified in hexadecimal.
    • sessions - Allows you to list and display the information for all logon sessions on this computer.

      • LogonID: If specified, displays the logon session only by the given value. If not specified, displays all the logon sessions on this computer.
    • kcd_cache - Allows you to display the Kerberos constrained delegation cache information.

      • LogonID: If specified, displays the cache information for the logon session by the given value. If not specified, displays the cache information for the current user’s logon session.
    • get - Allows you to request a ticket to the target that is specified by the SPN.

      • LogonID: If specified, requests a ticket by using the logon session by the given value. If not specified, requests a ticket by using the current user’s logon session.

      • kdcoptions: Requests a ticket with the given KDC options

    • add_bind - Allows you to specify a preferred domain controller for Kerberos authentication.

    • query_bind - Allows you to display cached, preferred domain controllers for the domains.

    • purge_bind - Allows you to remove cached, preferred domain controllers for the domains.

    • kdcoptions - For the current list of options and their explanations, see RFC 4120.

Examples

To query the Kerberos ticket cache to determine if any tickets are missing, if the target server or account is in error, or if the encryption type is not supported due to an Event ID 27 error, type:

klist
klist -li 0x3e7

To learn about the specifics of each ticket-granting-ticket that is cached on the computer for a logon session, type:

klist tgt

To purge the Kerberos ticket cache, log off, and then log back on, type:

klist purge
klist purge -li 0x3e7

To diagnose a logon session and to locate a logonID for a user or a service, type:

klist sessions

To diagnose Kerberos constrained delegation failure, and to find the last error that was encountered, type:

klist kcd_cache

To diagnose if a user or a service can get a ticket to a server, or to request a ticket for a specific SPN, type:

klist get host/%computername%

To diagnose replication issues across domain controllers, you typically need the client computer to target a specific domain controller. To target the client computer to the specific domain controller, type:

klist add_bind CONTOSO KDC.CONTOSO.COM
klist add_bind CONTOSO.COM KDC.CONTOSO.COM

To query which domain controllers were recently contacted by this computer, type:

klist query_bind

To rediscover domain controllers, or to flush the cache before creating new domain controller bindings with klist add_bind, type:

klist purge_bind

MIT License. Copyright (c) 2020-2021 Strontic.