Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

Rubeus does not ship pre-compiled binaries. The project is intentionally distributed as source only — brittle AV signatures based on static binaries are counterproductive, and operators benefit from building the tool themselves so they can apply any necessary modifications before deployment. This page covers everything you need to go from a fresh clone to a working Rubeus.exe or Rubeus.dll.
Many antivirus and EDR products flag the Rubeus binary based on static signatures or heuristics. Consider obfuscating the source before compilation, or loading the assembly in-memory rather than writing it to disk, for operational deployments.

Requirements

  • Visual Studio 2019 Community Edition or later with the .NET desktop development workload installed
  • .NET Framework SDK for your target version (3.5 or 4.0) — both are available as optional components in the Visual Studio installer

Build Steps

1
Open the solution
2
Clone or download the Rubeus repository, then open Rubeus.sln in Visual Studio:
3
File → Open → Project/Solution → Rubeus.sln
4
Visual Studio will load the Rubeus project, which targets .NET 4.0 by default (set in Rubeus/Rubeus.csproj as <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>).
5
Build the solution
6
Trigger a full build with Build → Build Solution or the keyboard shortcut:
7
Ctrl+Shift+B
8
Visual Studio compiles all source files and links the output executable. Watch the Output pane for any errors.
9
Locate the output binary
10
After a successful build the compiled executable is written to:
11
  • Debug build: Rubeus\bin\Debug\Rubeus.exe
  • Release build: Rubeus\bin\Release\Rubeus.exe
  • 12
    Switch between configurations using the Solution Configurations dropdown in the toolbar (Debug / Release). Release builds enable compiler optimisations and strip debug symbols.

    Targeting Other .NET Versions

    The default target framework is .NET 4.0. To target .NET 3.5 instead, edit Rubeus/Rubeus.csproj and change the TargetFrameworkVersion element:
    <!-- Default -->
    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
    
    <!-- Change to target .NET 3.5 -->
    <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
    
    Save the file, reload the project in Visual Studio if prompted, then rebuild. .NET 3.5 is useful when deploying to older domain-joined hosts that have not been updated to 4.0.
    The /debug flag at runtime outputs detailed ASN.1 structure information for every Kerberos message Rubeus constructs or parses. This is invaluable when troubleshooting unexpected KDC error codes or ticket decode failures — enable it by appending /debug to any command.

    Building as a Library

    Rubeus can be compiled as a .NET class library (.dll) instead of a console executable. The library exposes the Rubeus.Program.MainString(string command) static method, which accepts a full Rubeus command string and returns all output as a string. This is the recommended approach for PowerShell and PSRemoting integration.

    Change the output type

    In Visual Studio, right-click the Rubeus project in Solution Explorer and select Properties. Under the Application tab, change Output type from Console Application to Class Library, then rebuild. Alternatively, edit Rubeus.csproj directly:
    <!-- Change this -->
    <OutputType>Exe</OutputType>
    
    <!-- To this -->
    <OutputType>Library</OutputType>
    
    The build output will now be Rubeus.dll instead of Rubeus.exe.

    Call MainString from PowerShell

    First, base64-encode the compiled Rubeus.exe assembly so it can be loaded in-memory without writing a .dll to disk:
    [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Rubeus.exe")) | Out-File -Encoding ASCII C:\Temp\rubeus.txt
    
    Then load the assembly from the base64 string (replace "aa..." with the full base64 content from rubeus.txt) and invoke MainString to capture output as a string:
    $RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))
    [Rubeus.Program]::MainString("triage")
    
    You can pass any valid Rubeus command string, including flags:
    [Rubeus.Program]::MainString("dump /nowrap")
    
    [Rubeus.Program]::MainString("kerberoast /nowrap")
    

    Running over PSRemoting

    For PSRemoting execution, append MainString calls to your Rubeus PowerShell script (the one containing the base64-loaded assembly), then invoke the script file in a remote session:
    $s = New-PSSession dc.corp.local
    Invoke-Command -Session $s -FilePath C:\Temp\Rubeus.ps1
    
    Because MainString returns a plain string, the output serialises cleanly over the PSRemoting channel with no special handling required.

    Build docs developers (and LLMs) love