updating some help docs on ticket commands

Payload_Type/apollo/apollo/agent_code/Process/SacrificialProcess.cs

@@ -780,8 +780,8 @@ out _processInfo
                     return bRet;
                 }
                 //if running an a medium int user we may want to inject stored tickets into out new process
-                if (_agent.GetIdentityManager().GetIntegrityLevel() < IntegrityLevel.HighIntegrity)
-                {
+                //if (_agent.GetIdentityManager().GetIntegrityLevel() < IntegrityLevel.HighIntegrity)
+                //{
                     DebugHelp.DebugWriteLine($"LUID prior to impersonation: {_agent.GetTicketManager().GetCurrentLuid()}");
                     //get into the context of the newly created process prior to loading tickets
                     IntPtr targetProcessHandle = _pOpenProcess(ProcessAccessFlags.MAXIMUM_ALLOWED, false, (int)PID);
@@ -812,7 +812,7 @@ out _processInfo
                         var ticketBytes = Convert.FromBase64String(ticket.base64Ticket);
                         _agent.GetTicketManager().LoadTicketIntoCache(ticketBytes, "");
                     }
-                }
+                //}
                 //start executing the process
                 WaitForExitAsync();
                 return bRet;

Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_add.py

@@ -15,7 +15,7 @@ def __init__(self, command_line, **kwargs):
                 cli_name="b64ticket",
                 display_name="b64ticket",
                 type=ParameterType.String,
-                description="A base64 encoded kerberos ticket value that will be loaded into the agents ticket store for future use",
+                description="A base64 encoded kerberos ticket value that will be loaded into the current logon session",
                 parameter_group_info=[
                     ParameterGroupInfo(
                         required=True,
@@ -27,7 +27,7 @@ def __init__(self, command_line, **kwargs):
                 cli_name="luid",
                 display_name="luid",
                 type=ParameterType.String,
-                description="From an elevated context a LUID may be provided to target a specific session to enumerate tickets.",
+                description="From an elevated context a LUID may be provided to target a specific session to add tickets to.",
                 parameter_group_info=[
                     ParameterGroupInfo(
                         required=False,
@@ -47,7 +47,7 @@ class ticket_cache_addCommand(CommandBase):
     cmd = "ticket_cache_add"
     needs_admin = False
     help_cmd = "ticket_cache_add [b64Ticket] [luid]"
-    description = "Add a kerberos ticket to the current luid, or if elevated and a luid is provided load the ticket into that logon session instead"
+    description = "Add a kerberos ticket to the current luid, or if elevated and a luid is provided load the ticket into that logon session instead. This modifies the tickets in the current logon session."
     version = 2
     author = "@drago-qcc"
     argument_class = ticket_cache_addArguments

Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_extract.py

@@ -15,7 +15,7 @@ def __init__(self, command_line, **kwargs):
             cli_name="service",
             display_name="service",
             type=ParameterType.String,
-            description="Service to get a ticket for, use krbtgt to get the TGT from the session, otherwise use the service name (ex. ldap, cifs, host)",
+            description="Service to extract a ticket for, use krbtgt to get the TGT from the session, otherwise use the service name (ex. ldap, cifs, host)",
             parameter_group_info=[
                 ParameterGroupInfo(
                     required=True,

Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_purge.py

@@ -53,14 +53,16 @@ async def parse_arguments(self):
         if self.command_line[0] != "{":
             raise Exception("Require JSON blob, but got raw command line.")
         self.load_args_from_json_string(self.command_line)
+        if self.get_arg("all") and self.get_arg("serviceName") == "":
+            raise Exception("Need serviceName when specifying to not purge all tickets")
         pass
 
 
 class ticket_cache_purgeCommand(CommandBase):
     cmd = "ticket_cache_purge"
     needs_admin = False
-    help_cmd = "ticket_cache_purge [b64ticket] [all] [luid]"
-    description = "Remove the specified ticket from the system"
+    help_cmd = "ticket_cache_purge -serviceName=krbtgt/domain.com"
+    description = "Remove the specified ticket from the system. This modifies your current logon session tickets, so be careful if purging all."
     version = 2
     author = "@drago-qcc"
     argument_class = ticket_cache_purgeArguments

Payload_Type/apollo/apollo/mythic/agent_functions/ticket_store_add.py

@@ -35,7 +35,7 @@ class ticket_store_addCommand(CommandBase):
     cmd = "ticket_store_add"
     needs_admin = False
     help_cmd = "ticket_store_add [b64ticket]"
-    description = "Add a kerberos ticket to the agents internal ticket store"
+    description = "Add a kerberos ticket to the agents internal ticket store. Tickets are injected into sacrificial processes when you're impersonating a token (make_token / steal_token). This is because you have a new logon session to put the tickets into without overriding your existing tickets. For safety, do a make_token with junk creds first."
     version = 2
     author = "@drago-qcc"
     argument_class = ticket_store_addArguments

Payload_Type/apollo/apollo/mythic/agent_functions/ticket_store_purge.py

@@ -41,6 +41,8 @@ async def parse_arguments(self):
         if self.command_line[0] != "{":
             raise Exception("Require JSON blob, but got raw command line.")
         self.load_args_from_json_string(self.command_line)
+        if self.get_arg("all") and self.get_arg("serviceName") == "":
+            raise Exception("Need serviceName when specifying to not purge all tickets")
         pass