HackingScripts/win/SharpHound.ps1

function Invoke-BloodHound
{
    <#
    .SYNOPSIS

        Runs the BloodHound C# Ingestor using reflection. The assembly is stored in this file.

    .DESCRIPTION

        Using reflection and assembly.load, load the compiled BloodHound C# ingestor into memory
        and run it without touching disk. Parameters are converted to the equivalent CLI arguments
        for the SharpHound executable and passed in via reflection. The appropriate function
        calls are made in order to ensure that assembly dependencies are loaded properly.

    .PARAMETER CollectionMethods

        Specifies the CollectionMethods being used. Possible value are:
            Group - Collect group membership information
            LocalGroup - Collect local group information for computers
            LocalAdmin - Collect local admin users for computers
            RDP - Collect remote desktop users for computers
            DCOM - Collect distributed COM users for computers
            PSRemote - Collected members of the Remote Management Users group for computers
            Session - Collect session information for computers
            Trusts - Enumerate domain trust data
            ACL - Collect ACL (Access Control List) data
            Container - Collect GPO/OU Data
            ComputerOnly - Collects Local Group and Session data
            GPOLocalGroup - Collects Local Group information using GPO (Group Policy Objects)
            LoggedOn - Collects session information using privileged methods (needs admin!)
            ObjectProps - Collects node property information for users and computers
            SPNTargets - Collects SPN targets (currently only MSSQL)
            Default - Collects Group Membership, Local Admin, Sessions, Containers, ACLs and Domain Trusts
            DcOnly - Collects Group Membership, ACLs, ObjectProps, Trusts, Containers, and GPO Admins
            CARegistry - Collect ADCS properties from registry of Certificate Authority servers
            DCRegistry - Collect properties from registry of Domain Controller servers
            CertServices - Collect ADCS properties from Certificate Services
            All - Collect all data

        This can be a list of comma separated valued as well to run multiple collection methods!
        
    .PARAMETER Domain
    
        Specifies the domain to enumerate. If not specified, will enumerate the current
        domain your user context specifies.

    .PARAMETER SearchForest
            
        Search all trusted domains in the forest. 

    .PARAMETER Stealth

        Use stealth collection options, will sacrifice data quality in favor of much reduced
        network impact

    .PARAMETER LdapFilter
    
        Append this ldap filter to the search filter to further filter the results enumerated
            
    .PARAMETER DistinguishedName
    
        DistinguishedName to start LDAP searches at. Equivalent to the old -Ou option
            
    .PARAMETER ComputerFile
    
        A file containing a list of computers to enumerate. This option can only be used with the following Collection Methods:
        Session, Session, LocalGroup, ComputerOnly, LoggedOn
            
    .PARAMETER OutputDirectory
    
        Folder to output files too
    
    .PARAMETER OutputPrefix

        Prefix to add to output files
        
    .PARAMETER CacheName
    
        Name for the cache file dropped to disk (default: unique hash generated per machine)
            
    .PARAMETER MemCache
    
        Don't write the cache file to disk. Caching will still be performed in memory.
            
    .PARAMETER RebuildCache
    
        Invalidate and rebuild the cache file
            
    .PARAMETER RandomFileNames
    
        Randomize file names completely
            
    .PARAMETER ZipFilename
    
        Name for the zip file output by data collection
            
    .PARAMETER NoZip
    
        Do NOT zip the json files
            
    .PARAMETER ZipPassword
    
        Encrypt the zip file with the specified password
            
    .PARAMETER TrackComputerCalls
    
        Write a CSV file with the results of each computer API call to disk
            
    .PARAMETER PrettyPrint
    
        Output "pretty" json with formatting for readability

    
    .PARAMETER LdapUsername
    
        Username for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
    
    .PARAMETER LdapPassword

        Password for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
    

    .PARAMETER DomainController

        Domain Controller to connect too. Specifiying this can result in data loss

    .PARAMETER LdapPort

        Port LDAP is running on. Defaults to 389/686 for LDAPS

    .PARAMETER SecureLDAP

        Connect to LDAPS (LDAP SSL) instead of regular LDAP
        
    .PARAMETER DisableCertVerification
        
        Disable certificate verification for secure LDAP

    .PARAMETER DisableSigning

        Disables keberos signing/sealing, making LDAP traffic viewable

    .PARAMETER SkipPortCheck

        Skip SMB port checks when connecting to computers
        
    .PARAMETER PortScanTimeout
    
        Timeout for port checks
        
    .PARAMETER SkipPasswordCheck
    
        Skip checking of PwdLastSet time for computer scanning
        
    .PARAMETER ExcludeDCs
    
        Exclude domain controllers from enumeration (usefult o avoid Microsoft ATP/ATA)

    .PARAMETER Throttle

        Throttle requests to computers (in milliseconds)

    .PARAMETER Jitter

        Add jitter to throttle
        
    .PARAMETER Threads
    
        Number of threads to run enumeration with (Default: 50)
        
    .PARAMETER SkipRegistryLoggedOn
    
        Disable remote registry check in LoggedOn collection
        
    .PARAMETER OverrideUserName

        Override username to filter for NetSessionEnum

    .PARAMETER RealDNSName

        Overrides the DNS name used for API calls

    .PARAMETER CollectAllProperties

        Collect all string LDAP properties on objects
        
    .PARAMETER Loop
    
        Perform looping for computer collection
    
    .PARAMETER LoopDuration

        Duration to perform looping (Default 02:00:00)

    .PARAMETER LoopInterval

        Interval to sleep between loops (Default 00:05:00)

    .PARAMETER StatusInterval

        Interval for displaying status in milliseconds

    .PARAMETER Verbosity

        Change verbosity of output. Default 2 (lower is more)

    .PARAMETER Help

        Display this help screen

    .PARAMETER Version

        Display version information

    .EXAMPLE

        PS C:\> Invoke-BloodHound

        Executes the default collection options and exports JSONs to the current directory, compresses the data to a zip file,
        and then removes the JSON files from disk

    .EXAMPLE

        PS C:\> Invoke-BloodHound -Loop -LoopInterval 00:01:00 -LoopDuration 00:10:00

        Executes session collection in a loop. Will wait 1 minute after each run to continue collection
        and will continue running for 10 minutes after which the script will exit

    .EXAMPLE

        PS C:\> Invoke-BloodHound -CollectionMethods All

        Runs ACL, ObjectProps, Container, and Default collection methods, compresses the data to a zip file,
        and then removes the JSON files from disk

    .EXAMPLE

        PS C:\> Invoke-BloodHound -CollectionMethods DCOnly -NoSaveCache -RandomizeFilenames -EncryptZip

        (Opsec!) Run LDAP only collection methods (Groups, Trusts, ObjectProps, ACL, Containers, GPO Admins) without outputting the cache file to disk.
        Randomizes filenames of the JSON files and the zip file and adds a password to the zip file
    #>

    [CmdletBinding(PositionalBinding = $false)]
    param(
        [Alias("c")]
        [String[]]
        $CollectionMethods = [String[]]@('Default'),

        [Alias("d")]
        [String]
        $Domain,
        
        [Alias("s")]
        [Switch]
        $SearchForest,

        [Switch]
        $Stealth,

        [String]
        $LdapFilter,

        [String]
        $DistinguishedName,

        [String]
        $ComputerFile,

        [ValidateScript({ Test-Path -Path $_ })]
        [String]
        $OutputDirectory = $( Get-Location ),

        [ValidateNotNullOrEmpty()]
        [String]
        $OutputPrefix,

        [String]
        $CacheName,

        [Switch]
        $MemCache,

        [Switch]
        $RebuildCache,

        [Switch]
        $RandomFilenames,

        [String]
        $ZipFilename,
        
        [Switch]
        $NoZip,
        
        [String]
        $ZipPassword,
        
        [Switch]
        $TrackComputerCalls,
        
        [Switch]
        $PrettyPrint,

        [String]
        $LdapUsername,

        [String]
        $LdapPassword,

        [string]
        $DomainController,

        [ValidateRange(0, 65535)]
        [Int]
        $LdapPort,

        [Switch]
        $SecureLdap,
        
        [Switch]
        $DisableCertVerification,

        [Switch]
        $DisableSigning,

        [Switch]
        $SkipPortCheck,

        [ValidateRange(50, 5000)]
        [Int]
        $PortCheckTimeout = 500,

        [Switch]
        $SkipPasswordCheck,

        [Switch]
        $ExcludeDCs,

        [Int]
        $Throttle,

        [ValidateRange(0, 100)]
        [Int]
        $Jitter,

        [Int]
        $Threads,

        [Switch]
        $SkipRegistryLoggedOn,

        [String]
        $OverrideUsername,

        [String]
        $RealDNSName,

        [Switch]
        $CollectAllProperties,

        [Switch]
        $Loop,

        [String]
        $LoopDuration,

        [String]
        $LoopInterval,

        [ValidateRange(500, 60000)]
        [Int]
        $StatusInterval,
        
        [Alias("v")]
        [ValidateRange(0, 5)]
        [Int]
        $Verbosity,

        [Alias("h")]
        [Switch]
        $Help,

        [Switch]
        $Version
    )

    $vars = New-Object System.Collections.Generic.List[System.Object]
    
    if(!($PSBoundParameters.ContainsKey("help") -or $PSBoundParameters.ContainsKey("version"))){
        $PSBoundParameters.Keys | % {
            if ($_ -notmatch "verbosity"){
                $vars.add("--$_")
                if($PSBoundParameters.item($_).gettype().name -notmatch "switch"){
                    $vars.add($PSBoundParameters.item($_))
                }
            }
            elseif ($_ -match "verbosity") {
                $vars.add("-v")
                $vars.add($PSBoundParameters.item($_))
            }
        }
    }
    else {
        $PSBoundParameters.Keys |? {$_ -match "help" -or $_ -match "version"}| % {
            $vars.add("--$_")
        }
    }
    
    $passed = [string[]]$vars.ToArray()

    	$EncodedCompressedFile = 'xP0HfBTF+weO7+3d7ZVcQi6X3CUBklASltwlVCEJvQnSq4CUSO8s3NEvFxGQJh1BiqAgUlS6UkVEsdEURBEwUVFQBBSkWJDwm+eZ2ZaEGD//7//348Vld94z+8zM88zzzDNtt91Tizgjx3Em8nv4kOP2cfRfY+7f/00lv4jEAxHcW7aTFfYZ2p6s0HXosEDSGL80xN9vVNKAfqNHS+OS+g9K8o8fnTRsdFLzDl2SRkkDB6WHh9srMxodW3BcW4ORm1Q973WZ7ndcRUOYoTrHDYzmuHiKnZpO7pPkFI3pPU/LDf8E5eFoxOGfkXv6OY6LxP/qVbnQOhC6beDmlWjuTXcxlXwvmnOQy81p0VxGKXii/CPls2qCVhJupQmnjxs0aRy5nh3A6jVQLbeGxNPp/oB/ALnHspEycrHkOjhal64x+Z/uHzRSIgkdrMxIK7dIuqaFi7ljOk0DZeM5M7eogYt7uoWBM5Cw0cAJN/NIttlRpa52vJjGc0Iq56rOc+0YxifdIeRCRJImPkDKZQ8lwq1I2p2dN4qkRgJvFjPgEiDytIu14VasRf6aJDMkCggA1yRAagIfJGlMqRV5YwhvCGCWATMDBBkQGGCRAQsDrDJgZYBNBmwMsMuAnQFhMhDGAIcMOBgQLgPhDIiQgQgGlJGBMgyIlIFIBjhlwMmAKBmIYoBLBlwMiJaBaAbEyEAMA9wy4GaARwY8DIiVgVgGxMlAHAPiZSCeAWVloCwDyslAOQaUl4HyDEiQAbwZ7ifNYoxIRGKfR7huEIks7FMNLC20EdqO6pI2RFBnFCfaoPUkk5gojg+l4DUmVBmvORQWSUovC4lEUnZKowq2b87Ji0Q2QnJaZIroI83bXwVKQCC7nRerkhhBjIBn6vAiaUtCUnwnjstOJc+6qhu5OYyG0W40SUSA9rRwo78GIWASI4GCyf8YUHNijMnfSA74yvEiqYMgETUQfGVEIkh7cpqQ4m9JUtjNPmcu1Nn/BAkJlBIvknIJvih61cdoSkm4lCRzNImxrYIMVGBARRmoyIBKMoA3WbxHbIX65gKSrfkgUUtTms2YwntCcJu65JFiCkTDHVjh1LLVTdwTBrTHTj4IErHzQRBQmODrKXjqfUt4ZxG9JKM0c16kAQJpEBhEQZG0VLtEWqc9PMooeoCDjXh3sh1ly9tCVeBCJWzkRZKjNy8fpBGEiHA+By4FMaSpGvgY9hShQ8L2vFc5OTOaVeLAXk+NFEkjtg9zUCQXaiCRVmy3DrJKpPHaexRTnvq8p6Ty5HcqRWHy41wmPrGAUsHHnSaxPES49LCYgC2X45qUozY0An6EbeXIL47DbtFQh6Y1ikmsMYiyZEUm6qoyUJUCaHJRVgsJDdLCnYFK0KoEHvK2CyA4u89oTDOkGoVgMrZTd4ogFAhElPZAFQAcoH92K5DySoSuPcxb2yKlAqvo86SuXuCeD7gWp8PIJQ2i0skfi1QNEhzNt1t8gkUi3b39m1TOEAk61pxrPIOzc6h3Zk7isH938n7So4yRamKxTCnR3kjPfFIuQ7I7sfIa6C6IevhHyEnCeP90+d5h8fGWVCGtjDXN4SdqPMaIOp8q+MIF1GAjaleqVRvw87xUG/qdx+APadhesAlesRt0Q33lyCeh9ao42IkcaHFoazKgTIFMKI1xwTBPT4c3xWhdhXC4Nc1o85UVbNm2WuEWgkpZIAFbT7uVpLO6q30l+ASRVNubSun4LBbQQW+qQMO13MYFviijm5JLsxo9oJjeVPpMw8SCQG+wdHyoOsgebCAxSOCTgB1tBHa0MUiE2NEmeDWGmuI1JtQMrzk0Gkyul4XEFsCXpwjpx0EGfKglXIyhVgBX5Jm1fIoPEo/KXsYgtgVZE5nZ3QWG1MFyhx/yYe/fHoqQTm0HzxHtA4ET2wGxdiHxQbpJ8NSyc/kWXswmFVHahpPjXcBejitLeP0huYYpz4VZfBEWTz3i9XFue94bYCFiaHae4aEacOWD1UC9FJFKHaAYNSEq8QEm9XbmgxCWOkLDsVJh2dIivVnkYaDh6U9JYcBW9yq7qRXPW0NpmBfS8djz02SajCI2+HW0Pnw05uq2QwX7QAUF0HeoI/i077xD6zhargBS8IUxStWZxkN+qfEBwnf7FKWvdCj8SCyoFcsHgcnI7lphvJtSs3stbmwfRPWD0EBCwBbwrsQB0IyRt6eJrQlHWt3QSPhaEUMOBogPPAlc6w7i5IM94BLsCRwlEvQ6oni32At4R7qv3pCuDySIDvWFizuUDYIWfH28sXwOxIhPA4P5IFCzSf0gEcX7kz8uc5QZSmR3maJM4kDgXxPsF6BEvNMUGoTpB0NTJW0qDDqG8lDC4CB8iM+Ba0EMseBl0Rh3w5TiUHLJynn48GG+wyXwTgELl8+xnIfBs9YoqzgcbixRFnEEzdmj5GwJjVRzJhJ0QM6vYpc0Eh/ic0ZizvXkbgBztoijkFuQnUtwCj6PUxgPtjw5zegUpoijQWMkDb+wQAUxMVB+ZJE0BqxJfpLLBj1GN5q0u1IWp00cC1UpW2ysRfTL/Upt2q90Ib/nyS+fthvws8D1x8a3gNwtM9DhCetvgIhRDACRJUyfxXEg4/FUtScggqo9EXOCdjTFgP0XaUcTsB0l/tOzBbGYXINCY4dNyL5JYOvMeTxIEfgGz3jr8cHJwD+DNAWiiTUPBSGrxH9YijyHNj2jcizvHSQ5GaEc4F6Iwy7dLebKjWoAa6rYuJph40IS1tAzcHGZ+RyoXBRPWmI4SHkb0oRIB5/zjL55TcCUtHk9Ac2rIWleRBK0UM9CoaLoVZpGhfMsCgdyEKfj7QyQoiA+B1J8/H941i3OBM7TgIcGqF0Bqf56l2sIsgRjA30VMKiMIhtiL7x8ECRH7UUCGLAJhaTsDgFziQmxJj4IzEKJ8sHZEI18zpmDgiqIIRbFYBHnQrltgjEE7Pd2LmPgg5AA8bSoMoZCKSMEGk+TV+JpyCg+DxjUV2AsmCcnErBvgzFypLYeRAwFMcSLKmtlrBAXYKmZNDnwoL0sZhGoFL23iIuBbbWi5OAS8jewFDlqCbzAUbMLbY+METCJEZOoIXg+9XEWMpkjTOJKQLK0qVOwzMSIkt5MLnNMTYHacU0VCG9aAW9SSZ8ySZFwsTXRVCWwlsoc5Es6Oi4K8jCaxFdQVtI64HxF4/j2aHbAjxI80noCRouvgggsJLgBGUt6g9eA1IUAyUmY+gS4/BsJkJwLt9ImuA1sxr9bQCavwx/S69qntoZ+qbOxDF/gJkbIIL0JMVuZ7YG6wzSGC8ZSElEn+zjCBgOpCWmJXh8vpLoh6x2M2W1kJ7YN82rbykBbBrSTgXYMaC8D7RnQQQY6MKCjDHRkQCcZ6MSAzjLQmQFdZKALA7rKQFcGdJOBbgx4UgaeZEB3GejOgB4y0IMBPWWgJwOekoGnGNBLBnoxoLcM9GZAHxnow4C+MtCXAdkykM2Ap2XgaQb0k4F+DOgvA/0ZMEAGBjBgoAwMZMAgGRjEgMEyMJgBQ2RgCAOGysBQBgyTgWEMGC4DwxkwQgZGMGCkDIxkwCgZGMWA0TIwmgGSDEgMGCMDYxgwVgbGMsAvA34GBGQgwIBxMjCOAeNlYDwDJsjABAZMlAG8QR9X4MaRfjYaxxNTYLBBzJzXkx7OQkRzvN6yLBAFUfKYyLdG2k1UyOTuanZ3trvDMuYYYBC8yvE50QpefIvEWT3i2+TyGgDh+QkpRv9qMv7xzDcgBet6cQ90KC5T3u8wRG7tMttakK6OO0YHj+AccsQz4YiZxQkW4khy9Tk6mUh0giNNmCOthSOC4WCyk/QP3DTmcBBTyq0hP2JPuO0cnXg+Qn4ZQNzjEjI+AcLk+h65JkaSm71wk0RuoANObExuiHEizgkpGrlfifcGvJ+P95F4TzoLLtYleHOSYP6T3ASSwKEhN8OTpnJ40y+e/OmdxHfCUJckmNgmN62TrgVMcNMk6TKPNxlJ9tNGuKmWBG4SuUlJgiEJuSkP8y9wE5308LYFbsLc5I8Q2Asm3eQ0O4Wnu9oSnbWMZk9ni6dHmEVY
	$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
	$UncompressedFileBytes = New-Object Byte[](1343488)
	$DeflatedStream.Read($UncompressedFileBytes, 0, 1343488) | Out-Null
	$Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
	$BindingFlags = [Reflection.BindingFlags] "Public,Static"
	$a = @()
	$Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
	$Assembly.GetType("Sharphound.Program").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}