514 lines
950 KiB
PowerShell
514 lines
950 KiB
PowerShell
|
function Invoke-BloodHound{
|
||
|
|
<#
|
||
|
|
.SYNOPSIS
|
||
|
|
|
||
|
|
Runs the BloodHound C# Ingestor using reflection. The assembly is stored in this file.
|
||
|
|
|
||
|
|
.DESCRIPTION
|
||
|
|
|
||
|
|
Using reflection and assembly.load, load the compiled BloodHound C# ingestor into memory
|
||
|
|
and run it without touching disk. Parameters are converted to the equivalent CLI arguments
|
||
|
|
for the SharpHound executable and passed in via reflection. The appropriate function
|
||
|
|
calls are made in order to ensure that assembly dependencies are loaded properly.
|
||
|
|
|
||
|
|
.PARAMETER CollectionMethod
|
||
|
|
|
||
|
|
Specifies the CollectionMethod being used. Possible value are:
|
||
|
|
Group - Collect group membership information
|
||
|
|
LocalGroup - Collect local group information for computers
|
||
|
|
LocalAdmin - Collect local admin users for computers
|
||
|
|
RDP - Collect remote desktop users for computers
|
||
|
|
DCOM - Collect distributed COM users for computers
|
||
|
|
PSRemote - Collected members of the Remote Management Users group for computers
|
||
|
|
Session - Collect session information for computers
|
||
|
|
SessionLoop - Continuously collect session information until killed
|
||
|
|
Trusts - Enumerate domain trust data
|
||
|
|
ACL - Collect ACL (Access Control List) data
|
||
|
|
Container - Collect GPO/OU Data
|
||
|
|
ComputerOnly - Collects Local Admin and Session data
|
||
|
|
GPOLocalGroup - Collects Local Admin information using GPO (Group Policy Objects)
|
||
|
|
LoggedOn - Collects session information using privileged methods (needs admin!)
|
||
|
|
ObjectProps - Collects node property information for users and computers
|
||
|
|
SPNTargets - Collects SPN targets (currently only MSSQL)
|
||
|
|
Default - Collects Group Membership, Local Admin, Sessions, and Domain Trusts
|
||
|
|
DcOnly - Collects Group Membership, ACLs, ObjectProps, Trusts, Containers, and GPO Admins
|
||
|
|
All - Collect all data except GPOLocalGroup
|
||
|
|
|
||
|
|
This can be a list of comma seperated valued as well to run multiple collection methods!
|
||
|
|
|
||
|
|
.PARAMETER Stealth
|
||
|
|
|
||
|
|
Use stealth collection options, will sacrifice data quality in favor of much reduced
|
||
|
|
network impact
|
||
|
|
|
||
|
|
.PARAMETER Domain
|
||
|
|
|
||
|
|
Specifies the domain to enumerate. If not specified, will enumerate the current
|
||
|
|
domain your user context specifies.
|
||
|
|
|
||
|
|
.PARAMETER WindowsOnly
|
||
|
|
|
||
|
|
Limits computer collection to systems that have an operatingssytem attribute that matches *Windows*
|
||
|
|
|
||
|
|
.PARAMETER ComputerFile
|
||
|
|
|
||
|
|
A file containing a list of computers to enumerate. This option can only be used with the following Collection Methods:
|
||
|
|
Session, SessionLoop, LocalGroup, ComputerOnly, LoggedOn
|
||
|
|
|
||
|
|
.PARAMETER LdapFilter
|
||
|
|
|
||
|
|
Append this ldap filter to the search filter to further filter the results enumerated
|
||
|
|
|
||
|
|
.PARAMETER SearchBase
|
||
|
|
|
||
|
|
DistinguishedName to start LDAP searches at. Equivalent to the old --OU option
|
||
|
|
|
||
|
|
.PARAMETER OutputDirectory
|
||
|
|
|
||
|
|
Folder to output files too
|
||
|
|
|
||
|
|
.PARAMETER OutputPrefix
|
||
|
|
|
||
|
|
Prefix to add to output files
|
||
|
|
|
||
|
|
|
||
|
|
.PARAMETER PrettyJSON
|
||
|
|
|
||
|
|
Output "pretty" json with formatting for readability
|
||
|
|
|
||
|
|
.PARAMETER CacheFilename
|
||
|
|
|
||
|
|
Name for the cache file dropped to disk (default: unique hash generated per machine)
|
||
|
|
|
||
|
|
.PARAMETER RandomFilenames
|
||
|
|
|
||
|
|
Randomize file names completely
|
||
|
|
|
||
|
|
.PARAMETER ZipFilename
|
||
|
|
|
||
|
|
Name for the zip file output by data collection
|
||
|
|
|
||
|
|
.PARAMETER NoSaveCache
|
||
|
|
|
||
|
|
Don't write the cache file to disk. Caching will still be performed in memory.
|
||
|
|
|
||
|
|
.PARAMETER EncryptZip
|
||
|
|
|
||
|
|
Encrypt the zip file with a random password
|
||
|
|
|
||
|
|
.PARAMETER NoZip
|
||
|
|
|
||
|
|
Do NOT zip the json files
|
||
|
|
|
||
|
|
.PARAMETER InvalidateCache
|
||
|
|
|
||
|
|
Invalidate and rebuild the cache file
|
||
|
|
|
||
|
|
.PARAMETER LdapFilter
|
||
|
|
|
||
|
|
Append this ldap filter to the search filter to further filter the results enumerated
|
||
|
|
|
||
|
|
.PARAMETER DomainController
|
||
|
|
|
||
|
|
Domain Controller to connect too. Specifiying this can result in data loss
|
||
|
|
|
||
|
|
.PARAMETER LdapPort
|
||
|
|
|
||
|
|
Port LDAP is running on. Defaults to 389/686 for LDAPS
|
||
|
|
|
||
|
|
.PARAMETER SecureLDAP
|
||
|
|
|
||
|
|
Connect to LDAPS (LDAP SSL) instead of regular LDAP
|
||
|
|
|
||
|
|
.PARAMETER DisableKerberosSigning
|
||
|
|
|
||
|
|
Disables keberos signing/sealing, making LDAP traffic viewable
|
||
|
|
|
||
|
|
.PARAMETER LdapUsername
|
||
|
|
|
||
|
|
Username for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
|
||
|
|
|
||
|
|
.PARAMETER LdapPassword
|
||
|
|
|
||
|
|
Password for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
|
||
|
|
|
||
|
|
.PARAMETER SkipPortScan
|
||
|
|
|
||
|
|
Skip SMB port checks when connecting to computers
|
||
|
|
|
||
|
|
.PARAMETER PortScanTimeout
|
||
|
|
|
||
|
|
Timeout for SMB port checks
|
||
|
|
|
||
|
|
.PARAMETER ExcludeDomainControllers
|
||
|
|
|
||
|
|
Exclude domain controllers from enumeration (usefult o avoid Microsoft ATP/ATA)
|
||
|
|
|
||
|
|
.PARAMETER Throttle
|
||
|
|
|
||
|
|
Throttle requests to computers (in milliseconds)
|
||
|
|
|
||
|
|
.PARAMETER Jitter
|
||
|
|
|
||
|
|
Add jitter to throttle
|
||
|
|
|
||
|
|
.PARAMETER OverrideUserName
|
||
|
|
|
||
|
|
Override username to filter for NetSessionEnum
|
||
|
|
|
||
|
|
.PARAMETER NoRegistryLoggedOn
|
||
|
|
|
||
|
|
Disable remote registry check in LoggedOn collection
|
||
|
|
|
||
|
|
.PARAMETER DumpComputerStatus
|
||
|
|
|
||
|
|
Dumps error codes from attempts to connect to computers
|
||
|
|
|
||
|
|
.PARAMETER RealDNSName
|
||
|
|
|
||
|
|
Overrides the DNS name used for API calls
|
||
|
|
|
||
|
|
.PARAMETER CollectAllProperties
|
||
|
|
|
||
|
|
Collect all string LDAP properties on objects
|
||
|
|
|
||
|
|
.PARAMETER StatusInterval
|
||
|
|
|
||
|
|
Interval for displaying status in milliseconds
|
||
|
|
|
||
|
|
.PARAMETER Loop
|
||
|
|
|
||
|
|
Perform looping for computer collection
|
||
|
|
|
||
|
|
.PARAMETER LoopDuration
|
||
|
|
|
||
|
|
Duration to perform looping (Default 02:00:00)
|
||
|
|
|
||
|
|
.PARAMETER LoopInterval
|
||
|
|
|
||
|
|
Interval to sleep between loops (Default 00:05:00)
|
||
|
|
|
||
|
|
.EXAMPLE
|
||
|
|
|
||
|
|
PS C:\> Invoke-BloodHound
|
||
|
|
|
||
|
|
Executes the default collection options and exports JSONs to the current directory, compresses the data to a zip file,
|
||
|
|
and then removes the JSON files from disk
|
||
|
|
|
||
|
|
.EXAMPLE
|
||
|
|
|
||
|
|
PS C:\> Invoke-BloodHound -Loop -LoopInterval 00:01:00 -LoopDuration 00:10:00
|
||
|
|
|
||
|
|
Executes session collection in a loop. Will wait 1 minute after each run to continue collection
|
||
|
|
and will continue running for 10 minutes after which the script will exit
|
||
|
|
|
||
|
|
.EXAMPLE
|
||
|
|
|
||
|
|
PS C:\> Invoke-BloodHound -CollectionMethod All
|
||
|
|
|
||
|
|
Runs ACL, ObjectProps, Container, and Default collection methods, compresses the data to a zip file,
|
||
|
|
and then removes the JSON files from disk
|
||
|
|
|
||
|
|
.EXAMPLE (Opsec!)
|
||
|
|
|
||
|
|
PS C:\> Invoke-BloodHound -CollectionMethod DCOnly --NoSaveCache --RandomFilenames --EncryptZip
|
||
|
|
|
||
|
|
Run LDAP only collection methods (Groups, Trusts, ObjectProps, ACL, Containers, GPO Admins) without outputting the cache file to disk.
|
||
|
|
Randomizes filenames of the JSON files and the zip file and adds a password to the zip file
|
||
|
|
#>
|
||
|
|
|
||
|
|
param(
|
||
|
|
[String[]]
|
||
|
|
$CollectionMethod = [string[]] @('Default'),
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$Stealth,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$Domain,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$WindowsOnly,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$ComputerFile,
|
||
|
|
|
||
|
|
[ValidateScript({ Test-Path -Path $_ })]
|
||
|
|
[String]
|
||
|
|
$OutputDirectory = $(Get-Location),
|
||
|
|
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[String]
|
||
|
|
$OutputPrefix,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$PrettyJson,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$CacheFileName,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$RandomizeFilenames,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$ZipFilename,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$NoSaveCache,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$EncryptZip,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$InvalidateCache,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$LdapFilter,
|
||
|
|
|
||
|
|
[string]
|
||
|
|
$DomainController,
|
||
|
|
|
||
|
|
[int]
|
||
|
|
$LdapPort,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$SecureLdap,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$DisableKerbSigning,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$LdapUsername,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$LdapPassword,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$SkipPortScan,
|
||
|
|
|
||
|
|
[ValidateRange(50,5000)]
|
||
|
|
[int]
|
||
|
|
$PortScanTimeout = 2000,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$ExcludeDomainControllers,
|
||
|
|
|
||
|
|
[ValidateRange(0,100)]
|
||
|
|
[int]
|
||
|
|
$Jitter,
|
||
|
|
|
||
|
|
[int]
|
||
|
|
$Throttle,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$OverrideUsername,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$NoRegistryLoggedOn,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$DumpComputerStatus,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$RealDNSName,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$CollectAllProperties,
|
||
|
|
|
||
|
|
[ValidateRange(500,60000)]
|
||
|
|
[int]
|
||
|
|
$StatusInterval,
|
||
|
|
|
||
|
|
[Switch]
|
||
|
|
$Loop,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$LoopDuration,
|
||
|
|
|
||
|
|
[String]
|
||
|
|
$LoopInterval
|
||
|
|
|
||
|
|
)
|
||
|
|
|
||
|
|
$vars = New-Object System.Collections.Generic.List[System.Object]
|
||
|
|
|
||
|
|
$vars.Add("-c")
|
||
|
|
foreach ($cmethod in $CollectionMethod){
|
||
|
|
$vars.Add($cmethod);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($Domain){
|
||
|
|
$vars.Add("--Domain");
|
||
|
|
$vars.Add($Domain);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($Stealth){
|
||
|
|
$vars.Add("--Stealth")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($WindowsOnly){
|
||
|
|
$vars.Add("--WindowsOnly")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($ComputerFile){
|
||
|
|
$vars.Add("--ComputerFile");
|
||
|
|
$vars.Add($ComputerFile);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($OutputDirectory){
|
||
|
|
$vars.Add("--OutputDirectory");
|
||
|
|
$vars.Add($OutputDirectory);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($OutputPrefix){
|
||
|
|
$vars.Add("--OutputPrefix");
|
||
|
|
$vars.Add($OutputPrefix);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($PrettyJson){
|
||
|
|
$vars.Add("--PrettyJson");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($CacheFileName){
|
||
|
|
$vars.Add("--CacheFileName");
|
||
|
|
$vars.Add($CacheFileName);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($RandomFilenames){
|
||
|
|
$vars.Add("--RandomizeFilenames");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($ZipFileName){
|
||
|
|
$vars.Add("--ZipFileName");
|
||
|
|
$vars.Add($ZipFileName);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($NoSaveCache){
|
||
|
|
$vars.Add("--NoSaveCache");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($EncryptZip){
|
||
|
|
$vars.Add("--EncryptZip");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($NoZip){
|
||
|
|
$vars.Add("--NoZip");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($InvalidateCache){
|
||
|
|
$vars.Add("--InvalidateCache");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($LdapFilter){
|
||
|
|
$vars.Add("--LdapFilter");
|
||
|
|
$vars.Add($LdapFilter);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($DomainController){
|
||
|
|
$vars.Add("--DomainController");
|
||
|
|
$vars.Add($DomainController);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($LdapPort){
|
||
|
|
$vars.Add("--LdapPort");
|
||
|
|
$vars.Add($LdapPort);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($SecureLdap){
|
||
|
|
$vars.Add("--SecureLdap");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($DisableKerberosSigning){
|
||
|
|
$vars.Add("--DisableKerberosSigning");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($LdapUsername){
|
||
|
|
$vars.Add("--LdapUsername");
|
||
|
|
$vars.Add($LdapUsername);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($LdapPassword){
|
||
|
|
$vars.Add("--LdapPassword");
|
||
|
|
$vars.Add($LdapPassword);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($SkipPortScan){
|
||
|
|
$vars.Add("--SkipPortScan");
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($PortScanTimeout){
|
||
|
|
$vars.Add("--PortScanTimeout")
|
||
|
|
$vars.Add($PortScanTimeout)
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
if ($ExcludeDomainControllers){
|
||
|
|
$vars.Add("--ExcludeDomainControllers")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($Throttle){
|
||
|
|
$vars.Add("--Throttle");
|
||
|
|
$vars.Add($Throttle);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($Jitter){
|
||
|
|
$vars.Add("--Jitter");
|
||
|
|
$vars.Add($Jitter);
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($OverrideUserName){
|
||
|
|
$vars.Add("--OverrideUserName")
|
||
|
|
$vars.Add($OverrideUsername)
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($NoRegistryLoggedOn){
|
||
|
|
$vars.Add("--NoRegistryLoggedOn")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($DumpComputerStatus){
|
||
|
|
$vars.Add("--DumpComputerStatus")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($RealDNSName){
|
||
|
|
$vars.Add("--RealDNSName")
|
||
|
|
$vars.Add($RealDNSName)
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($CollectAllProperties){
|
||
|
|
$vars.Add("--CollectAllProperties")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($StatusInterval){
|
||
|
|
$vars.Add("--StatusInterval")
|
||
|
|
$vars.Add($StatusInterval)
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($Loop){
|
||
|
|
$vars.Add("--Loop")
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($LoopDuration){
|
||
|
|
$vars.Add("--LoopDuration")
|
||
|
|
$vars.Add($LoopDuration)
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($LoopInterval){
|
||
|
|
$vars.Add("--LoopInterval")
|
||
|
|
$vars.Add($LoopInterval)
|
||
|
|
}
|
||
|
|
|
||
|
|
$passed = [string[]]$vars.ToArray()
|
||
|
|
|
||
|
|
|
||
|
|
$EncodedCompressedFile = '5P0JmFTF9QaM367uvr3Ocrub7llwZlBmuEx3D5vADKNsiiugiAuCirhEweVqN8RgT4+owbiB+4Y77lHjviRqjCZqjJqYGE2MMtFsRo0aTTQxy/Cd91TdbRjQ5Jf///me5+Nh+la9VffUqVOnqk6td97iC7Wgpmkh+tu8WdMe1eS/mdoX/1tDf7Wt36nVHoy9NOrRwNyXRu1/7PJy20kl65jSshPajlx24onWyrYjjm4rrTqxbfmJbbvus7DtBOuoo7tqauKjFY1952ja3EBQaz3tqV/bdN/SRCARGK9pVyY1rUliHz5M7jY7xkzpFpJv/NMdrmoYx7+gdvhaTavn/+7TefC/S4nuQXB8L6lFc8Nk8q2kRilrf34oqXV/CZk4/4i/qMcbJf8eHn/XyqO/tpKef71c5Qt5FVuQOLyrVC4difdzkketgZ4bkr54M+l/V+no4y2KmFQ8M637t4g3eyibLz8s44A3oYW1R1MJrfumAMlOaF8nsYZmB7Q1L8e+dLabzJ8KTe9sMkmp6NFP5RLqbBFr+HlgmR66GcIPwq06RDpXmGFNi4tsKaBpJ5kphFK8eDlCP9UwXpwmKvRSKBiySKbxzvmiEoDXIr7iISuuMOHBEgoLerAksOkOKVKUeEfnfn5atTboJVbH4HRFLWTVs19rHh/URtPL9N8wH0J+XqWfwk6ibIBzUBDlFJwBdqbhDLIzAyf4KNUhzyPIa2bBnjCJuB7XTSrvePE/I3Wkn5QmKhCe1QBudbORHolcmepTPGI1IxaRynNhlJ7AmygRloW1HULZi4StFvIukn4kabW6fqRrtcF/PvEdMEfhTYeFgaRiYXvyvNkZqIeOXaqdmQuw0qXHC20c650tv+fpp71Y38FKUBoVIK6gCXEZ+n360c0dOG/N40PaURrquP3uTyD7QKfMIXNnUiMTt9pBQIo14ZVIpKEhW+4gVzKqZ/X1y60x4DgbLehRywS/ft5Hgs+ZWs08La4xz51a8SBZ3aAHJ2vcFhltlJk1bVAJcywS1kt5ykXW6oT0I8WsmQd30zmfekfpOApMDvRESieQwypQ2KoY5IgIyYFRekHXJTMdw76oRYmuJnmr16bPl7zh36JFWg6q2SIqEdSg7UWwGpF1sRK1gagEuPp1ynwsoXfJa4RW0m9zuYg8WF1gPt8escZBXHpKmOMh2Qn0Q+6JYGwSgB1ZtyZDc18ZiEcKekQyrwez64jHgDWFE5J6kNIm7CL5bR4fRluDNtwImlMpTphTR0ZZveNWN8j3MBt7R6xpYKM8IqDpNVGrlzy5dZROoD3besi11k7kT4diRii7waqnKOTKbbBqyaXHotbOIERllLdmuMze7WNW6eko7aCvSf52e5lak2aTms940JqFLJDMZstnJW4LM66kG8NzipBtR5V9B6oWLmhS1dFFyNwO7R7pf1C7mVohKhdD9FyGjst8TqD2t60/+ZMzZmeJT70t+qPKlNl/h3jadquuLk4+Xm9rO3V1fnKH3vZo77J472NoU9tennKK2bs8CidCe39HaPfsGvgfqKwuTG7W20bufEqhd0PUhnpfQ5RWjnLP9FOKvSuidhq9fQgKcdCrs04ZN3m63vZ6/+ouUJk985Su3k6OCqj3K4j6ehL+k56odPUeE7Hf6v2InN3f5aD1u50yEW8Hn6yM6x0XsaHeyUSo+2qOMmqPUyb11kftLPeeB8JrOKjm1crOs1lD2p64aPU0sNN54eoeELz6hcrU3r1ZBIB6s3hrL37rqR9XenoX6/ZbvfUIGsdB7/y00ou393+5Mq13mW5DvbMQJclRTn2lslPvSbqdfO++CPo4Af/lTx2zHDxccEhgT1B5/MeH7N57KRcWoN4MFXb3sxw1ceTAUb03Cfut3qfJ2X0nBx174idr8PbY7x+zovdJYUO9zyPK2Rzln9Ynp/eeykFQiN45CDqBg75eu+4KpRV/Cqy7AFpxwupPvgGtGFX+5MzePwcQ9KtTPjmrN4G2kEN73weBAhN4dvD8dUh+0r/PP793p6AN9S4hZ3eMoxysrVvfOyVop9H7C7z9YRz+H4w/6xKIYMK4sy4GlVR43UW9bzOngHpPQNTvc9Rb9HUX994n7Ld6d0bQ7Rz03qSzLsPbB00869LeemFDzHz3Wo5SnXzW5b0vBOws9/4Bb6/goMff+vzHSis6iitvAzta58pbQDBXv+7K3luZIKDed6hp7t6R37okv/LW3j+F7Ld6P0NQIwflu1d+C29fOWXl3b1/CdlQ778R5bMY/N994/Jv914WtpPv3Qx23uCgp97//FXwEH3n85+Byj6/+fwnvX+VVZig3ssQ9V6OevUfP3+ld4Ow3+q9GUGXcdA7H37+C9bMDz5/rbdW2FBvA6KUOMqpf/78l73bcVDNJ5+/3jsGQQdRkCitRY+5CzU103To4GwGL3LAIMAigzc6IJr77gYG73ZAznKQwScc8B8AP4wCfN4B/wbwdQZfd8C/AvwBg+864McA72HwUwf8EOAGBsPCBt8HuJbBEQ74R4AnMdjugL8HuITByQ74G4C7MTjHAX8NcAKDCxzwTYAjGTzUAV8HGGHwBAd8DeAnEYBVB3wF4CYG1zngywB/yOC1DvgSwAcYvNsBfwTwOgafcMDnAJ7D4EsO+AOAKxnc5IBPAVzK4EcO+F2AezFIoyoFPgZwMoNpB3wUYBuD7Q74EMAEg1Md8H7Wfx3gng54D8C3GVzigHcBfJHBExzwDoCPMHiaA94KcCODFzngTQDXMXibA94A8GsMPuWA1wI8ksE3HHADwPkMfuqAVwDsYbAuZIOXAhzN4FgHvAhgHYO7OOB6gP8Is4Y44HkAf8/gKQ54NsCXGbzIAdcCfIzBOx3wDIC3MviMA54G8CIGf+2AfQD7GPzcAVcDPIbBdNgGvwpwPwaLDlgGuDODuzvgSQBNBpc54AkA0wxWHHAFwMEQwMsc8BiA7zJ4jwMuA/hzBp93wCUAn2Twtw54AMBvMvhvB9wH4GUM5nQb3BPgGgYnOOAuAI9jcG8H3BnggQwe7YBTAc6in2DpNAKzZRql6Au6JzJyrQdpY+ROD1LLyAuENCjkX0Egmzxx3mPk3544v2QkFnGRZxlpj7hvPcjInh5kIyNHe966kJHTCckppJ+ROz3I8Yy86nlrMSMfeSjvwUhj1EWmMDIp6r41mpFZHiTFyAIPojFyqAf5UABZ5UHeZGStB/kRI1d5kEcZucWD3MrI2x4OL2VksyfOGYyMibnISYzs7kEOY6TsQebKtDzItC0Qk5EXYm7qWTFUYqEtkE8CQH7vofMWI4G4i/yYkVYP8jgjeQ/yTUZ6PMiVjCzwIGcxssqDrGTkCg9yBCOPeJB9GXndg0xn5GMPUmBkasJFmhhZ5kGijNzoQT7DeLv0aw/yO0bSSRf5GSMzPMj3GFnrQb7FyDMe5BpGPvYg5zISrnGQfCVYmuzxHh8sHezxHkrK5vHOD5Ze8nhnBEt/83jHU62sdb2jgqWFHm8qWLra4w0GMwuC+2YGgxjlmbvKoTKNWYU2T+M5PkNYczCq3A0/u2O4mm/RrT3sEXIiwhMiIoLpCJ3duhx2/mrA0FflaOCadCcdeDzP409D6+ylHzVPshc9Y05aQWsvEBCZTtu/N/2+zFMHGKZac3nuYT1i6NkNPKeQiBSiEWueei/SKfOwmujGHbqlFyjjknYokxxYNhDuoMdizRvKKSXtAbFMScab6CaIcEowFGFEi2TL8xF5H/xgXJyUb6j5C1POWTQ0aOFJPJ3Wom0/UwvvyO7DtExJ4pADjd+1xFA5RLLrkMNtCWMVDWab4zrz16lkSv0EJnCM8r7Ig5+ibi1ASfso+jO9qo7zqIQJeqQAmH3edhkNkdzWRIbyAc1TiGbtcOWTUcivHcRJyY1ViAiznbSuc2jkwmjBHpNEr5f3AycpbTA7BZM0E+xC6szIfN1DPNSBB0xp6RDiyE4ysezXCyLbqad47k8vRCLWSCQ4MklmZR3FgNLXxAoNsdIudapvLtD7MUwb6cn8nqJ0EPAO8qVDRqgYGpnM72iESladnJLM
|
||
|
|
$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
|
||
|
|
$UncompressedFileBytes = New-Object Byte[](832512)
|
||
|
|
$DeflatedStream.Read($UncompressedFileBytes, 0, 832512) | Out-Null
|
||
|
|
$Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
|
||
|
|
$BindingFlags = [Reflection.BindingFlags] "Public,Static"
|
||
|
|
$a = @()
|
||
|
|
$Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
|
||
|
|
$Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
|
||
|
|
}
|
||
|
|
|