dump enumerates Kerberos tickets exactly as klist does, but instead of displaying parsed metadata it outputs the full KRB_CRED bytes for each ticket as a base64-encoded blob. Those blobs can be copied directly into Rubeus.exe ptt /ticket:..., saved to disk for later use, or decoded to .kirbi files for import into other tools.
Without elevation, Rubeus dumps only tickets belonging to the current logon session. In an elevated process it calls LsaEnumerateLogonSessions and extracts tickets from every session on the system, which makes it a powerful one-step way to harvest credentials after gaining SYSTEM.
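For detection, the base64 output described above has a recognisable shape, because every KRB_CRED starts with the same ASN.1 header defined in RFC 4120. The Python sketch below is an added example, not part of Rubeus or its documentation: it scans log text for base64 runs whose decoded bytes begin with that header. The function names, the 32-character minimum and the sample log lines are assumptions constructed for illustration.

```python
import base64
import re

# A base64 run of 32+ chars decodes to at least 24 bytes, enough for the header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}")
# pvno [0] INTEGER 5, msg-type [1] INTEGER 22 (RFC 4120, section 5.8.1)
CRED_FIELDS = bytes.fromhex("a003020105a103020116")

def der_len(buf, pos):
    """Read a DER length at buf[pos]; return the offset after it, or None."""
    if pos >= len(buf):
        return None
    if buf[pos] < 0x80:
        return pos + 1
    n = buf[pos] & 0x7F
    return pos + 1 + n if 1 <= n <= 4 and pos + n < len(buf) else None

def looks_like_krb_cred(raw):
    """True if raw begins [APPLICATION 22] SEQUENCE { pvno 5, msg-type 22 ..."""
    if not raw or raw[0] != 0x76:
        return False
    pos = der_len(raw, 1)
    if pos is None or pos >= len(raw) or raw[pos] != 0x30:
        return False
    pos = der_len(raw, pos + 1)
    return pos is not None and raw[pos:pos + 10] == CRED_FIELDS

def find_krb_cred_blobs(text):
    """Return 1-based line numbers whose base64 runs decode to a KRB_CRED header."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in B64_RUN.finditer(line):
            head = base64.b64decode(m.group(0)[:32])
            if looks_like_krb_cred(head):
                hits.append(lineno)
                break
    return hits

def constructed_blob():
    """Constructed sample: a valid header followed by filler, not a real ticket."""
    body = CRED_FIELDS + b"\x00" * 300
    seq = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return base64.b64encode(b"\x76\x82" + len(seq).to_bytes(2, "big") + seq).decode()

# Constructed log lines: one benign base64 argument, one KRB_CRED-shaped blob.
SAMPLE_LOG = "\n".join([
    "cmd=backup.exe /key:" + base64.b64encode(b"benign data " * 4).decode(),
    "cmd=tool.exe /ticket:" + constructed_blob(),
])
```

Calling find_krb_cred_blobs(SAMPLE_LOG) flags only the second line. A blob that console wrapping has split across several lines has to be rejoined before this scan will see it.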
Flags
Restrict the dump to a single logon session identified by its LUID in hex (e.g. 0x3e4).
Filter output to sessions owned by the specified username. Case-insensitive substring match.
Filter output to tickets matching the specified service class (e.g. krbtgt to dump only TGTs). Case-insensitive prefix match against the SPN.
Filter output to tickets targeting a specific server hostname (e.g. fileserver01.corp.local).
Examples
Dump all tickets from the current session
Print base64-encoded KRB_CRED structures for every ticket in the current logon session:
Dump only TGTs
Filter by the krbtgt service to extract only Ticket-Granting Tickets: