A small set of flags in Rubeus are not tied to any specific command — they control output formatting, debugging behavior, and console redirection globally and can be appended to any Rubeus invocation. Whether you are running asktgt, kerberoast, dump, or any other action, these flags work the same way across the board. Understanding them saves time when building scripts, piping output to other tools, or diagnosing unexpected encoding behavior.
Flag Reference
/nowrap
Prevents base64-encoded ticket blobs from being column-wrapped at 80 characters. By default, Rubeus wraps all base64 output to 80-character line widths, which makes console output more readable but breaks ticket blobs when they are copied directly into scripts or other tools that expect a single uninterrupted base64 string.
The /nowrap flag is especially useful when saving output to a file for later processing. Any downstream tool or script that consumes the base64 ticket string — such as ptt, kerberos::ptt in Mimikatz, or a custom parser — expects a single-line base64 value. Wrapped output will fail to decode correctly unless the newlines are manually stripped first.
/debug
Enables ASN.1 debugging output for all encoding and decoding operations performed during the command’s execution. When set, Rubeus prints detailed ASN.1 structure traces alongside the normal output. This is useful for diagnosing malformed tickets, unexpected decoding failures, or confirming that a ticket’s internal structure matches expectations.
The Debug static field in Rubeus.Program is set to true when this flag is present, affecting all subsequent encoding/decoding paths in that execution.
/consoleoutfile
Redirects all console output — both stdout and stderr — to the specified file path. The file is opened in append mode, so repeated invocations accumulate output rather than overwriting previous runs. This is implemented directly in Rubeus.Program.FileExecute(), which swaps the standard output and error writers to a StreamWriter before command execution and restores them afterward.
Decoding Base64 Ticket Blobs
Rubeus outputs all Kerberos ticket data as base64-encoded .kirbi blobs. This format is the standard KRB-CRED structure and is directly compatible with Mimikatz and the Rubeus ptt command. The base64 encoding makes tickets safe to copy across console sessions, log to files, or embed in scripts.
To convert a base64 blob back to a raw .kirbi file, use the following PowerShell one-liner (replace aa... with the full base64 string from Rubeus output):
The ticket.kirbi file can then be used in either of two ways:
Import with Mimikatz:
/ticket: argument without writing to disk:
Running Rubeus Through PowerShell
Rubeus can be compiled as a Class Library (.dll) and loaded entirely in-memory from PowerShell, avoiding on-disk EXE placement. To build as a library, go to Project → Rubeus Properties and change the Output type to Class Library, then compile. The resulting Rubeus.dll can be loaded and invoked from PowerShell as follows:
The MainString method (defined in Rubeus.Program) accepts a command string, redirects all internal stdout and stderr to a StringWriter, executes the command via the normal MainExecute path, and returns the combined output as a single string. This is the correct method to call from PowerShell — calling Main() directly will not return usable output in a remoting or captured-output context.
You can pass any command string that Rubeus.exe would accept on the command line:
Running Rubeus Over PSRemoting
The MainString approach works identically over PSRemoting sessions, where stdout capture is especially important because PSRemoting does not forward raw console output the same way a local session does.
Rubeus.ps1 contains the assembly loading logic and the MainString call. The /consoleoutfile flag is also available as an alternative: it redirects all output to a file on the remote host, which can then be retrieved via the session.
When using Rubeus through PowerShell V5 or later, standard protections apply: deep script block logging (Event ID 4104) will record the full script content including the base64-encoded assembly string, and AMSI will scan the assembly bytes before they are loaded into the runtime. In .NET Framework 4.8 environments, AMSI coverage extends to managed assembly loads, meaning the Rubeus bytes themselves are subject to scanning at load time.
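The script block logging point above can be turned into a detection, shown here as an added example that is not part of the Rubeus project or its documentation. It reassembles multi-part Event ID 4104 records by ScriptBlockId before matching, because a base64 assembly is large enough to be logged in fragments; the loader text, the indicator names and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators for the in-memory load described above. The loader wording is an
# assumption: a reflective Assembly::Load of a base64 PE, then a MainString call.
INDICATORS = {
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "base64_pe": re.compile(r"TVqQ[A-Za-z0-9+/]{200,}"),  # base64 of the bytes "MZ\x90"
    "mainstring_call": re.compile(r"\]::MainString\(", re.I),
}

def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    frags, totals = defaultdict(dict), {}
    for e in events:
        frags[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
        totals[e["ScriptBlockId"]] = e["MessageTotal"]
    return {sid: ("".join(p[n] for n in sorted(p)), len(p) == totals[sid])
            for sid, p in frags.items()}

def scan(text):
    """Return the sorted names of the indicators found in one script text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def detect(events):
    """Map ScriptBlockId -> (indicators, all_fragments_seen) for blocks with hits."""
    scanned = {sid: (scan(text), done) for sid, (text, done) in reassemble(events).items()}
    return {sid: res for sid, res in scanned.items() if res[0]}

def event(sid, number, total, text):
    """Build one constructed record using the 4104 EventData field names."""
    return {"ScriptBlockId": sid, "MessageNumber": number,
            "MessageTotal": total, "ScriptBlockText": text}

# Constructed sample: one loader script logged as three out-of-order fragments,
# cut mid-token, next to an unrelated block. The blob is filler, not an assembly.
BLOB = "TVqQ" + "A" * 400
SCRIPT = ('$a = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("'
          + BLOB + '"))\n[Rubeus.Program]::MainString("dump")')
SAMPLE_EVENTS = [
    event("sb-1", 2, 3, SCRIPT[20:150]),
    event("sb-2", 1, 1, "Get-ChildItem C:\\Temp"),
    event("sb-1", 3, 3, SCRIPT[150:]),
    event("sb-1", 1, 3, SCRIPT[:20]),
]

if __name__ == "__main__":
    for sid, (found, complete) in detect(SAMPLE_EVENTS).items():
        print(sid, found, "complete" if complete else "fragments missing")
```

Matching each 4104 record on its own finds only the MainString call in this sample; the load and the PE header appear only after reassembly. A block reported with fragments missing still warrants review, since the unseen part may hold the remaining indicators.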