Huge memory usage when -Stealth option is used

[phra]

Hi,

I am running the latest release of Invoke-BloodHound ingestor and I am experiencing a huge memory usage in my test environment.

PS C:\Users\Public\phra> Invoke-BloodHound -CollectionMethod All -Stealth -StatusInterval 60000 -ExcludeDc
Initializing BloodHound at 11:51 on 9-4-2019
Note: All stealth options are single threaded
Note: You specified Stealth and LocalGroup which is equivalent to GPOLocalGroup
Resolved Collection Methods to Group, GPOLocalGroup, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM
Starting Stealth Enumeration for contoso.com
Status: 55 objects enumerated (+55 0,9166667/s --- Using 169 MB RAM )
Status: 55 objects enumerated (+0 0,4365079/s --- Using 280 MB RAM )
Status: 112 objects enumerated (+57 0,6021506/s --- Using 164 MB RAM )
Status: 2374 objects enumerated (+2262 9,650407/s --- Using 361 MB RAM )
Status: 5490 objects enumerated (+3115 17,94118/s --- Using 658 MB RAM )
Status: 8500 objects enumerated (+3010 23,22404/s --- Using 874 MB RAM )
Status: 11050 objects enumerated (+2550 25,93897/s --- Using 1104 MB RAM )
Status: 14000 objects enumerated (+2950 28,80659/s --- Using 1389 MB RAM )
Status: 17302 objects enumerated (+3302 31,68864/s --- Using 1667 MB RAM )
Status: 20733 objects enumerated (+3431 34,21287/s --- Using 1950 MB RAM )
Status: 24226 objects enumerated (+3493 36,37537/s --- Using 2261 MB RAM )
Status: 27710 objects enumerated (+3483 38,16805/s --- Using 2554 MB RAM )
Status: 30661 objects enumerated (+2951 39,00891/s --- Using 2733 MB RAM )
Status: 33259 objects enumerated (+2598 39,31324/s --- Using 2958 MB RAM )
Status: 36000 objects enumerated (+2741 39,7351/s --- Using 3248 MB RAM )
Status: 38706 objects enumerated (+2706 40,06832/s --- Using 3405 MB RAM )
Status: 40568 objects enumerated (+1862 39,53996/s --- Using 3600 MB RAM )
Status: 43144 objects enumerated (+2576 39,72744/s --- Using 3835 MB RAM )
Status: 46205 objects enumerated (+3061 40,3185/s --- Using 4064 MB RAM )
Status: 49500 objects enumerated (+3295 41,04478/s --- Using 4268 MB RAM )
Status: 52307 objects enumerated (+2807 41,31675/s --- Using 4570 MB RAM )
Status: 55437 objects enumerated (+3130 41,80769/s --- Using 4773 MB RAM )
Status: 58375 objects enumerated (+2937 42,1176/s --- Using 4971 MB RAM )
Status: 61177 objects enumerated (+2802 42,30775/s --- Using 5215 MB RAM )
Status: 64167 objects enumerated (+2989 42,60757/s --- Using 5475 MB RAM )
Status: 67000 objects enumerated (+2833 42,78416/s --- Using 5641 MB RAM )
Status: 69500 objects enumerated (+2500 42,71666/s --- Using 5882 MB RAM )
Status: 72389 objects enumerated (+2889 42,9099/s --- Using 6112 MB RAM )
Doing stealth session enumeration
Status: 72806 objects enumerated (+417 42,90277/s --- Using 6168 MB RAM )
Finished stealth enumeration for contoso.com in 00:28:17.3126623
0 hosts failed ping. 0 hosts timedout.

[phra]

FYI, after the ingestor has finished, the PowerShell process it's using ~1.7GB of RAM.

[phra]

After some debugging, I figured out that this issue happens only when -Stealth options is passed to SharpHound. Without that option, everything looks fine:

PS C:\Users\Public\phra> Invoke-BloodHound -CollectionMethod All -StatusInterval 60000
Initializing BloodHound at 13:29 on 9-4-2019
Resolved Collection Methods to Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM
Starting Enumeration for contoso.com
Status: 2848 objects enumerated (+2848 47,46667/s --- Using 187 MB RAM )
Status: 19490 objects enumerated (+16642 162,4167/s --- Using 166 MB RAM )
Status: 36450 objects enumerated (+16960 202,5/s --- Using 201 MB RAM )
Status: 51583 objects enumerated (+15133 214,9292/s --- Using 206 MB RAM )
Status: 69688 objects enumerated (+18100 232,2933/s --- Using 251 MB RAM )
Status: 72851 objects enumerated (+3163 235,7637/s --- Using 158 MB RAM )
Finished enumeration for contoso.com in 00:05:09.2112269

[rvazarkar]

I think I know the root cause of this, but its going to require some work to fix. I'll put it on my todo list