PoshC2_Python/Modules/SharpHound.ps1

505 lines
866 KiB
PowerShell

2019-03-12 13:16:42 +00:00
function Invoke-BloodHound {
<#
.SYNOPSIS
Runs the BloodHound C# Ingestor using reflection. The assembly is stored in this file.
.DESCRIPTION
Using reflection and assembly.load, load the compiled BloodHound C# ingestor into memory
and run it without touching disk. Parameters are converted to the equivalent CLI arguments
for the SharpHound executable and passed in via reflection. The appropriate function
calls are made in order to ensure that assembly dependencies are loaded properly.
.PARAMETER CollectionMethod
Specifies the collection method(s) to use. Possible values are:
Group - Collect group membership information
LocalGroup - Collect local group information for computers
LocalAdmin - Collect local admin users for computers
RDP - Collect remote desktop users for computers
DCOM - Collect distributed COM users for computers
Session - Collect session information for computers
SessionLoop - Continuously collect session information until killed
Trusts - Enumerate domain trust data
ACL - Collect ACL (Access Control List) data
Container - Collect GPO/OU Data
ComputerOnly - Collects Local Admin and Session data
GPOLocalGroup - Collects Local Admin information using GPO (Group Policy Objects)
LoggedOn - Collects session information using privileged methods (needs admin!)
ObjectProps - Collects node property information for users and computers
Default - Collects Group Membership, Local Admin, Sessions, and Domain Trusts
DcOnly - Collects Group Membership, ACLs, ObjectProps, Trusts, Containers, and GPO Admins
All - Collect all data except GPOLocalGroup and LoggedOn
This can also be a comma-separated list of values to run multiple collection methods.
.PARAMETER Domain
Specifies the domain to enumerate. If not specified, will enumerate the current
domain your user context specifies.
.PARAMETER SearchForest
Expands data collection to include all domains in the forest.
.PARAMETER LdapFilter
Appends this LDAP filter to the search filter to further restrict the enumerated results.
.PARAMETER Stealth
Uses stealth collection options; sacrifices data quality in favor of much reduced
network impact.
.PARAMETER SkipGCDeconfliction
Skips Global Catalog deconfliction during session enumeration. This option
can make the collected data less accurate.
.PARAMETER ComputerFile
A file containing a list of computers to enumerate. This option can only be used with the following Collection Methods:
Session, SessionLoop, LocalGroup, ComputerOnly, LoggedOn
.PARAMETER ExcludeDC
Exclude domain controllers from session queries. Useful for ATA environments, which detect this behavior.
.PARAMETER OU
Limit enumeration to this OU. Takes a DistinguishedName.
Ex. OU=Domain Controllers,DC=testlab,DC=local
.PARAMETER DomainController
Specify which Domain Controller to request data from. Defaults to closest DC using Site Names
.PARAMETER LdapPort
Override the port used to connect to LDAP
.PARAMETER SecureLdap
Uses LDAPS (port 636) instead of unencrypted LDAP.
.PARAMETER IgnoreLdapCert
Ignores the certificate presented by the LDAP server.
.PARAMETER LDAPUser
User to connect to LDAP with
.PARAMETER LDAPPass
Password for user you are connecting to LDAP with
.PARAMETER DisableKerbSigning
Disables Kerberos Signing on requests.
.PARAMETER Threads
Specifies the number of threads to use during enumeration (Default 20)
.PARAMETER PingTimeout
Specifies timeout for ping requests to computers in milliseconds (Default 750)
.PARAMETER SkipPing
Skip all ping checks for computers. This option will most likely be slower, as
API calls will be made to all computers regardless of whether they are up.
Use this option if ping is disabled on the network for some reason.
.PARAMETER LoopDelay
Amount of time to wait between session enumeration loops in minutes. This option
should be used in conjunction with the SessionLoop collection method.
(Default 300 seconds)
.PARAMETER MaxLoopTime
Length of time to run looped session collection. Format: 0d0h0m0s or any variation of this format.
Use in conjunction with -CollectionMethod SessionLoop.
Default will loop for two hours.
.PARAMETER Throttle
Time in milliseconds to throttle after each request to a computer
.PARAMETER Jitter
Percentage jitter to apply to throttle
.PARAMETER JSONFolder
Folder to export JSONs to (Defaults to current directory)
.PARAMETER JSONPrefix
Prefix to add to your JSON Files (Default "")
.PARAMETER NoZip
Don't compress the JSON files into a zip and delete the originals; leave the JSON files on disk as they are.
.PARAMETER EncryptZip
Add a random password to the zip file
.PARAMETER ZipFileName
Change the filename for the zip file
.PARAMETER RandomFilenames
Randomize output filenames
.PARAMETER PrettyJson
Output pretty JSON at the cost of file size
.PARAMETER CacheFile
Filename for the cache used by bloodhound. (Default <B64 machine sid>.bin)
.PARAMETER Invalidate
Invalidate the cache and build a new one
.PARAMETER NoSaveCache
Don't write the cache file to disk.
.PARAMETER StatusInterval
Interval to display progress during enumeration in milliseconds (Default 30000)
.PARAMETER Verbose
Enable verbose output mode. Will print a lot!
.EXAMPLE
PS C:\> Invoke-BloodHound
Executes the default collection options and exports JSONs to the current directory, compresses the data to a zip file,
and then removes the JSON files from disk
.EXAMPLE
PS C:\> Invoke-BloodHound -CollectionMethod SessionLoop -LoopDelay 60 -MaxLoopTime 10
Executes session collection in a loop. Will wait 1 minute after each run to continue collection
and will continue running for 10 minutes after which the script will exit
.EXAMPLE
PS C:\> Invoke-BloodHound -CollectionMethod All
Runs ACL, ObjectProps, Container, and Default collection methods, compresses the data to a zip file,
and then removes the JSON files from disk
.EXAMPLE
PS C:\> Invoke-BloodHound -CollectionMethod DCOnly -NoSaveCache -RandomFilenames -EncryptZip
Opsec-conscious option set: runs the LDAP-only collection methods (Groups, Trusts, ObjectProps, ACL, Containers, GPO Admins) without writing the cache file to disk,
randomizes the filenames of the JSON files and the zip file, and adds a password to the zip file.
#>
    param(
        [String[]]
        $CollectionMethod = [string[]] @('Default'),
        [Switch]
        $SearchForest,
        [String]
        $Domain,
        [String]
        $LdapFilter,
        [Switch]
        $Stealth,
        [Switch]
        $SkipGCDeconfliction,
        [Switch]
        $ExcludeDC,
        [String]
        $ComputerFile,
        [String]
        $OU,
        [string]
        $DomainController,
        [int]
        $LdapPort,
        [Switch]
        $SecureLdap,
        [Switch]
        $IgnoreLdapCert,
        [String]
        $LDAPUser,
        [String]
        $LDAPPass,
        [Switch]
        $DisableKerbSigning,
        [ValidateRange(1,50)]
        [Int]
        $Threads = 10,
        [ValidateRange(50,1500)]
        [int]
        $PingTimeout = 250,
        [Switch]
        $SkipPing,
        [ValidateRange(1,50000000)]
        [int]
        $LoopDelay,
        [ValidatePattern('[0-9]+[smdh]')]
        [string]
        $MaxLoopTime,
        [ValidateRange(0,100)]
        [int]
        $Jitter,
        [int]
        $Throttle,
        [ValidateScript({ Test-Path -Path $_ })]
        [String]
        $JSONFolder = $(Get-Location),
        [ValidateNotNullOrEmpty()]
        [String]
        $JSONPrefix,
        [Switch]
        $NoZip,
        [Switch]
        $EncryptZip,
        [String]
        $ZipFileName,
        [Switch]
        $RandomFilenames,
        [Switch]
        $PrettyJson,
        [ValidateNotNullOrEmpty()]
        [String]
        $CacheFile,
        [Switch]
        $Invalidate,
        [Switch]
        $NoSaveCache,
        [ValidateRange(500,60000)]
        [int]
        $StatusInterval,
        [Switch]
        $Verbose
    )
    # Translate the PowerShell parameters into the equivalent SharpHound CLI
    # argument list; each switch or value is only added when it was supplied.
    $vars = New-Object System.Collections.Generic.List[System.Object]
    $vars.Add("-c")
    foreach ($cmethod in $CollectionMethod) {
        $vars.Add($cmethod)
    }
    if ($Domain) {
        $vars.Add("-d")
        $vars.Add($Domain)
    }
    if ($SearchForest) {
        $vars.Add("-s")
    }
    if ($Stealth) {
        $vars.Add("--Stealth")
    }
    if ($SkipGCDeconfliction) {
        $vars.Add("--SkipGCDeconfliction")
    }
    if ($ExcludeDC) {
        $vars.Add("--ExcludeDC")
    }
    if ($ComputerFile) {
        $vars.Add("--ComputerFile")
        $vars.Add($ComputerFile)
    }
    if ($OU) {
        $vars.Add("--OU")
        $vars.Add($OU)
    }
    if ($DomainController) {
        $vars.Add("--DomainController")
        $vars.Add($DomainController)
    }
    if ($LdapPort) {
        $vars.Add("--LdapPort")
        $vars.Add($LdapPort)
    }
    if ($SecureLdap) {
        $vars.Add("--SecureLdap")
    }
    if ($IgnoreLdapCert) {
        $vars.Add("--IgnoreLdapCert")
    }
    if ($LDAPUser) {
        $vars.Add("--LDAPUser")
        $vars.Add($LDAPUser)
    }
    if ($LDAPPass) {
        $vars.Add("--LDAPPass")
        $vars.Add($LDAPPass)
    }
    if ($DisableKerbSigning) {
        $vars.Add("--DisableKerbSigning")
    }
    if ($Threads) {
        $vars.Add("-t")
        $vars.Add($Threads)
    }
    if ($PingTimeout) {
        $vars.Add("--PingTimeout")
        $vars.Add($PingTimeout)
    }
    if ($SkipPing) {
        $vars.Add("--SkipPing")
    }
    if ($LoopDelay) {
        $vars.Add("--LoopDelay")
        $vars.Add($LoopDelay)
    }
    if ($MaxLoopTime) {
        $vars.Add("--MaxLoopTime")
        $vars.Add($MaxLoopTime)
    }
    if ($Throttle) {
        $vars.Add("--Throttle")
        $vars.Add($Throttle)
    }
    if ($Jitter) {
        $vars.Add("--Jitter")
        $vars.Add($Jitter)
    }
    if ($JSONFolder) {
        $vars.Add("--JSONFolder")
        $vars.Add($JSONFolder)
    }
    if ($JSONPrefix) {
        $vars.Add("--JSONPrefix")
        $vars.Add($JSONPrefix)
    }
    if ($NoZip) {
        $vars.Add("--NoZip")
    }
    if ($EncryptZip) {
        $vars.Add("--EncryptZip")
    }
    if ($ZipFileName) {
        $vars.Add("--ZipFileName")
        $vars.Add($ZipFileName)
    }
    if ($RandomFilenames) {
        $vars.Add("--RandomFilenames")
    }
    if ($PrettyJson) {
        $vars.Add("--PrettyJson")
    }
    if ($CacheFile) {
        $vars.Add("--CacheFile")
        $vars.Add($CacheFile)
    }
    if ($Invalidate) {
        $vars.Add("--Invalidate")
    }
    if ($NoSaveCache) {
        $vars.Add("--NoSaveCache")
    }
    if ($LdapFilter) {
        $vars.Add("--LdapFilter")
        $vars.Add($LdapFilter)
    }
    if ($Verbose) {
        $vars.Add("-v")
    }
    if ($StatusInterval) {
        $vars.Add("--StatusInterval")
        $vars.Add($StatusInterval)
    }
    $passed = [string[]]$vars.ToArray()
$EncodedCompressedFile = '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
    # Decode the base64 string and wrap it in a Deflate decompression stream.
    $DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
    # DeflateStream.Read may return fewer bytes than requested, so loop until the
    # expected decompressed size has been read or the stream ends.
    $UncompressedFileBytes = New-Object Byte[](751616)
    $bytesRead = 0
    while ($bytesRead -lt $UncompressedFileBytes.Length) {
        $n = $DeflatedStream.Read($UncompressedFileBytes, $bytesRead, $UncompressedFileBytes.Length - $bytesRead)
        if ($n -le 0) { break }
        $bytesRead += $n
    }
    # Load the decompressed assembly from memory, attach the Costura loader so
    # its embedded dependencies resolve, then call the SharpHound entry point.
    $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
    $BindingFlags = [Reflection.BindingFlags] "Public,Static"
    $Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
    $Assembly.GetType("Sharphound2.Sharphound").GetMethod("InvokeBloodHound").Invoke($Null, @(,$passed))
}
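As a defender-side example added here (not part of the PoshC2 module or of SharpHound), the following Python scores PowerShell script block log text for the in-memory loader pattern used above: base64 decode, Deflate decompression, reflective Assembly.Load and the Costura attach call. The sample log entries, indicator weights and alert threshold are constructed for illustration.

```python
import re

# Constructed sample PowerShell script-block log texts (Event ID 4104 style),
# not real telemetry: one mimics the in-memory loader above, two are benign-ish.
SAMPLE_BLOCKS = [
    ("a1",
     '$DeflatedStream = New-Object IO.Compression.DeflateStream('
     '[IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),'
     '[IO.Compression.CompressionMode]::Decompress)\n'
     '$Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)\n'
     '$Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())'),
    ("b2", 'Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }'),
    ("c3", "$bytes = [IO.File]::ReadAllBytes('C:\\tools\\helper.dll')\n"
           '[Reflection.Assembly]::Load($bytes)'),
]

# Indicators taken from the loader code in this module. Weights are assumed
# values chosen so that a lone Assembly.Load (common in admin scripts) stays
# below the threshold while base64 + deflate + reflective load crosses it.
INDICATORS = [
    ("reflective_assembly_load", re.compile(r"\[Reflection\.Assembly\]::Load\(", re.I), 2),
    ("base64_decode", re.compile(r"\[Convert\]::FromBase64String\(", re.I), 1),
    ("deflate_decompress", re.compile(r"IO\.Compression\.DeflateStream", re.I), 1),
    ("costura_attach", re.compile(r"Costura\.AssemblyLoader", re.I), 2),
    ("sharphound_entrypoint", re.compile(r"Sharphound2\.Sharphound|InvokeBloodHound", re.I), 3),
]
ALERT_THRESHOLD = 4


def score_block(text):
    """Return (score, matched indicator names) for one script block's text."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def find_in_memory_loaders(blocks, threshold=ALERT_THRESHOLD):
    """Flag every (id, text) block whose indicator score reaches the threshold."""
    alerts = []
    for block_id, text in blocks:
        score, hits = score_block(text)
        if score >= threshold:
            alerts.append({"id": block_id, "score": score, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_in_memory_loaders(SAMPLE_BLOCKS):
        print(alert)
```

Long scripts are logged as several 4104 events sharing one ScriptBlockId; concatenate those fragments before scoring so the loader's pieces are not split across events.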