harvest extends monitor with two additional behaviours: it maintains an internal working set of all captured TGTs and automatically renews each one before it expires, and it periodically re-prints the full working cache so the operator can see the current state at a glance. The result is a long-running, self-maintaining credential harvester that keeps tickets alive for as long as they can be renewed (up to their renew-till limit, typically seven days from issuance). Like monitor, harvest requires elevation to see sessions belonging to other users, and it accepts the same /registry option to persist tickets across operator sessions.

Flags

/monitorinterval (integer)
How often (in seconds) to poll the logon session cache for new TGTs. Defaults to 60 seconds.

/displayinterval (integer)
How often (in seconds) to print the full working TGT cache to the console. Defaults to 1200 seconds (20 minutes). Set lower for more frequent status updates.

/interval (integer)
Convenience flag that sets both /monitorinterval and /displayinterval to the same value in a single argument. If /monitorinterval or /displayinterval is also supplied, it overrides this value for its respective interval.

/filteruser (string)
Only harvest TGTs belonging to the specified username. The flag /targetuser is also accepted and behaves identically. When omitted, all new TGTs are harvested.

/nowrap (flag)
Print base64 ticket blobs without line wrapping. No value required.

/registry (string)
Persist harvested TGTs to the registry under HKLM\SOFTWARE\<SOFTWARENAME>. Tickets written here survive process restarts and operator disconnects and can be retrieved at any time using standard registry tooling.

/runfor (integer)
Stop harvesting after this many seconds. When omitted, the loop runs indefinitely until the process is killed.

Examples

Harvest with all defaults

Begin monitoring for new TGTs every 60 seconds and display the cache every 20 minutes:
Rubeus.exe harvest

Custom monitor and display intervals

Poll every 30 seconds and refresh the cache display every 5 minutes:
Rubeus.exe harvest /monitorinterval:30 /displayinterval:300

Set both intervals at once

Use /interval to apply the same value to both the monitor and display intervals:
Rubeus.exe harvest /interval:60

Harvest tickets for a specific user only

Limit harvesting to a named service account:
Rubeus.exe harvest /monitorinterval:30 /filteruser:svc_sql

Run for a limited duration

Collect for 1 hour, then exit cleanly:
Rubeus.exe harvest /monitorinterval:30 /displayinterval:300 /runfor:3600

When /registry:SOFTWARENAME is provided, harvest writes each new TGT to HKLM\SOFTWARE\<SOFTWARENAME> and updates the entry whenever a renewed ticket replaces an old one. This allows a second operator session to retrieve current working tickets without needing access to the long-running Rubeus process.

harvest requires an elevated (high-integrity) process to observe sessions belonging to other users. Running it without elevation limits visibility to the current user’s own session.

Tickets can only be renewed up to their renew-till time, which is typically 7 days after initial issuance (domain default). Once a TGT passes its renew-till limit Rubeus will stop renewing it and it will eventually expire. To harvest fresh tickets beyond this window you need users to re-authenticate.
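
For defenders, the /registry behaviour described above leaves an artifact under HKLM\SOFTWARE that can be hunted. The following is an added example, not part of Rubeus or its documentation: it flags registry value data that parses as the start of an RFC 4120 KRB-CRED structure. That tickets are stored as base64 text or raw bytes is an assumption, and the key names, value names and sample data are constructed.

```python
import base64

# pvno [0] INTEGER 5, msg-type [1] INTEGER 22: the fixed start of a KRB-CRED body
KRB_CRED_PREFIX = bytes.fromhex("a003020105a103020116")

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def is_krb_cred(data):
    """True if data (raw bytes or base64 text) begins like an RFC 4120 KRB-CRED."""
    try:
        if isinstance(data, str):
            # tolerate line-wrapped base64; binascii.Error is a ValueError
            data = base64.b64decode("".join(data.split()), validate=True)
        if data[0] != 0x76:                  # [APPLICATION 22] KRB-CRED
            return False
        _, i = _der_len(data, 1)
        if data[i] != 0x30:                  # SEQUENCE
            return False
        _, i = _der_len(data, i + 1)
        return data[i:i + 10] == KRB_CRED_PREFIX
    except (IndexError, ValueError):
        return False

def scan(values):
    """values maps (key_path, value_name) -> data; return the sorted hits."""
    return sorted(k for k, v in values.items() if is_krb_cred(v))

# Constructed sample: a KRB-CRED header plus zero filler, not a real ticket.
_FAKE = bytes.fromhex("7682013a30820136") + KRB_CRED_PREFIX + bytes(300)
SAMPLE = {  # key and value names below are hypothetical
    (r"HKLM\SOFTWARE\ExampleName", "user1"): base64.b64encode(_FAKE).decode(),
    (r"HKLM\SOFTWARE\ExampleName", "raw"): _FAKE,
    (r"HKLM\SOFTWARE\Vendor", "InstallPath"): r"C:\Program Files\Vendor",
    (r"HKLM\SOFTWARE\Vendor", "Blob"): base64.b64encode(b"not a ticket").decode(),
}

if __name__ == "__main__":
    for key, name in scan(SAMPLE):
        print(f"possible stored Kerberos ticket: {key} -> {name}")
```

On a live host the dictionary passed to scan would be filled by enumerating HKLM\SOFTWARE, for example with Python's winreg module.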
