LegacyLapsAudit.psm1
|
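<#
.SYNOPSIS
    LAPS Audit & Exposure Detection Tool – scans your environment for misconfigurations, delegated permissions, and attack paths.

.DESCRIPTION
    Invoke-Legacylapsreports is a lightweight and RSAT-free audit tool designed to assess the security
    posture of your LAPS deployment. It verifies delegated permissions on sensitive LAPS attributes
    (`ms-Mcs-AdmPwd`, `ms-Mcs-AdmPwdExpirationTime`) across all root Organizational Units (OUs),
    identifies accounts with read access, and detects exposed attack paths or misconfigurations that
    could lead to credential compromise.

    The tool also audits all computers in each OU to detect missing LAPS-managed passwords, helping
    you ensure coverage and compliance across your machine fleet.

.PARAMETER Oupath
    Distinguished name of a single OU to scan. When omitted, every OU key of the delegation map
    returned by Get-LAPSDelegations is scanned and the report scope is "All domain".

.PARAMETER domainDn
    Distinguished name of the domain. When omitted, the defaultNamingContext of RootDSE is used.

.PARAMETER OutputPath
    Directory that receives the HTML report (Legacylapsreports_<MMddyy_HHmmss>.html).
    When omitted, the report is written to $env:TEMP.

.NOTES
    Author       : Mehdi Dakhama
    Contributor  : Alain Cuisenier
    Version      : 1.0
    Requirements : PowerShell 5.1+, Domain-joined machine with LDAP access
    Dependencies : None (uses pure ADSI – no RSAT / no ActiveDirectory module)
    Module files : variables.ps1 and Function.psm1 are loaded from $PSScriptRoot.

    Author and contributor are listed here because .AUTHOR / .CONTRIBUTOR are not
    comment-based-help keywords.

.LINK
    https://github.com/dakhama-mehdi/LAPS-Delegation-Audit
#>
Function Invoke-Legacylapsreports {
    [CmdletBinding()]
    param (
        [string]$Oupath,
        [string]$domainDn = $null,
        [string]$OutputPath
    )

    $Bannercolor = "Cyan"
    $MSGcolor = "DarkGreen"

    function Show-HardenSysvolBanner {
        param (
            [string]$BannerColor
        )
        Write-Host ""
        Write-Host "╔═════════════════════════════════════════════════════╗" -ForegroundColor $Bannercolor
        Write-Host "║ Welcome to Legacy Laps Audit v1.0 ║" -ForegroundColor $Bannercolor
        Write-Host "║ Auditing Legacy Laps Deleguation & ACL ║" -ForegroundColor $Bannercolor
        Write-Host "║ Developed by HardenAD Community ║" -ForegroundColor $Bannercolor
        Write-Host "╚═════════════════════════════════════════════════════╝" -ForegroundColor $Bannercolor
        Write-Host ""
    }

    Show-HardenSysvolBanner -BannerColor $Bannercolor

    # Script start: obtain the current date and time
    $startDate = Get-Date
    Start-Sleep -Seconds 2

    # Load modules and variables
    $varsPath = "$PSScriptRoot\variables.ps1"
    $Modulefunctions = Join-Path -Path $PSScriptRoot -ChildPath "Function.psm1"
    Import-Module $Modulefunctions -Force

    # Retrieve LAPS attribute GUIDs from schema
    $lapsGuids = Get-LapsGuids

    # Check if the file exists before attempting to load it
    if (Test-Path $varsPath) {
        try {
            # Dot-source the file to import all variable declarations into the current scope.
            # Everything in variables.ps1 executes with the caller's rights, so the module
            # directory should be writable by administrators only.
            . $varsPath
        } catch {
            # Catch and throw any error that occurs during import
            throw "Failed to load variables from '$varsPath': $($_.Exception.Message)"
        }
    } else {
        # Throw a clear error if the file is missing
        throw "Variables file not found at: $varsPath"
    }

    # Domain name resolution if not provided
    if (-not $domainDn) {
        try {
            $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
            # An ADSI bind that fails may not throw here and simply leave the value empty;
            # fail with the same clear message instead of scanning an empty DN.
            if (-not $domainDn) {
                throw "defaultNamingContext is empty"
            }
            Write-Host "Domain detected: $domainDn `r`n" -ForegroundColor Green
            Start-Sleep -Seconds 5
        } catch {
            throw "Unable to detect the current domain. Verify that you are connected to an Active Directory domain."
        }
    }

    # Get root OU hierarchy and delegations
    $rootOUs = Get-RootOrganizationalUnits -DomainDN $domainDn
    $result = Get-LAPSDelegations -RootOUs $rootOUs -LapsGuids $lapsGuids
    $OUDelegationsMap = $result.DelegationsMap
    $OUDelegationsReport = $result.DelegationsReport

    # Get custom OUPath
    if (-not $Oupath) {
        $rootOUs = $OUDelegationsMap.Keys.Clone()
    } else {
        $rootOUs = $Oupath
    }

    # Well-known SIDs to always skip (translated to localized NTAccount names)
    # NOTE(review): ACEs held by Everyone / Authenticated Users are never reported as
    # anomalies because of this list, although an explicit grant to either of them on a
    # LAPS attribute is itself an exposure. Confirm that this exclusion is intended.
    $SkipSidList = @(
        'S-1-5-32-544'  # Administrators
        'S-1-5-10'      # SELF
        'S-1-5-18'      # SYSTEM
        'S-1-5-11'      # Authenticated Users
        'S-1-1-0'       # Everyone
        'S-1-5-9'       # Enterprise Domain Controllers
    )

    $SkipAccounts = foreach ($sid in $SkipSidList) {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # If translation fails, skip
            continue
        }
    }

    # NOTE(review): $Anomalies, $Configmachines, $nbrallcomputers, $KnownSIDs and $OUACLCache
    # are not initialised in this function; presumably variables.ps1 or Function.psm1 defines
    # them - confirm. If they do not, `+=` starts from any same-named variable visible in a
    # caller's scope and the totals of an earlier run leak into this report.

    # Scan OU
    foreach ($ouDN in $rootOUs) {
        Write-Host "Scan $ouDN" -ForegroundColor Yellow

        # Accounts delegated on this OU, plus the skipped well-known accounts. Built without
        # .Clone() so that an OU absent from the delegation map (possible with -Oupath) yields
        # an empty list instead of a null-method call that left the previous OU's list in use.
        $delegatedAccounts = $OUDelegationsMap[$ouDN]
        $effectiveDelegatedAccounts = @()
        if ($null -ne $delegatedAccounts) {
            $effectiveDelegatedAccounts += @($delegatedAccounts)
        }
        $effectiveDelegatedAccounts += @($SkipAccounts)

        # Result of the parent-OU delegation lookup, keyed by "<parent OU>|<account>".
        # The lookup depends on the computer's own parent OU, so a positive result for one
        # sub-OU must not suppress the same account on computers of another sub-OU.
        $delegatedInParentCache = @{}

        # Get all computers from OU enabled with passwords laps
        $Haslaps = @(Get-ADSIComputers -SearchBaseDN $ouDN)
        $Configmachines += ($Haslaps).count

        # Counts nbrs of computer on OU
        $nbrallcomputers += Get-ADSIComputerCount -SearchBaseDN $ouDN

        foreach ($comp in $Haslaps) {
            $compDN = $comp.DistinguishedName
            $compName = $comp.Name

            # Reset before each read: without this a failed read kept the ACL of the previous
            # computer and its ACEs were reported under the current computer's name.
            $acl = $null
            try {
                $entry = [ADSI]"LDAP://$compDN"
                $acl = $entry.psbase.ObjectSecurity
            } catch {
                Write-Warning "Canot read ACL from computer $compDN"
                continue
            }
            if ($null -eq $acl) {
                Write-Warning "Canot read ACL from computer $compDN"
                continue
            }

            # For each monitored LAPS attribute (ReadPassword, WritePassword, ExpiredTime)
            foreach ($guid in $lapsGuids.Keys) {
                # Explicit (non-inherited) Allow ACEs only
                $aceList = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IsInherited -eq $false -and
                    (
                        # Case 1: ACE explicitly targeting the LAPS attribute
                        ($_.ObjectType.Guid -eq $guid -and $_.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|ControlAccess|WriteProperty') -or
                        # Case 2: Global ACE (no ObjectType specified)
                        ($_.ObjectType.Guid -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'GenericAll|ExtendedRight')
                    )
                }

                foreach ($ace in $aceList) {
                    # Prefer the NTAccount name; fall back to the raw SID string
                    $account = try {
                        ($ace.IdentityReference.Translate([System.Security.Principal.NTAccount])).Value
                    } catch {
                        $ace.IdentityReference.Value
                    }

                    # Skip if account is delegate in OU parent
                    if ($effectiveDelegatedAccounts -contains $account) { continue }

                    # Skip default SID
                    if ($KnownSIDs -contains $account) { continue }

                    # Then, check delegation on the parent OU chain
                    # NOTE(review): a CN containing an escaped comma ("\,") is cut at that comma.
                    $realOU = $compDN -replace '^CN=[^,]+,', ''
                    $cacheKey = "$realOU|$account"
                    if (-not $delegatedInParentCache.ContainsKey($cacheKey)) {
                        $delegatedInParentCache[$cacheKey] = [bool](Get-AccountDelegatedInParentOU -startingOU $realOU -accountToCheck $account -delegationMap $OUDelegationsMap -aclCache $OUACLCache)
                    }
                    if ($delegatedInParentCache[$cacheKey]) { continue }

                    # Detected anomaly: account is not delegated on the OU or any parent OU
                    $Anomalies += [PSCustomObject]@{
                        Computer          = $compName
                        UnexpectedAccount = $account
                        Attribut          = if ($ace.ObjectType.Guid -ne $guid) { "Generic All" } else { $lapsGuids[$guid] } # ex: ms-Mcs-AdmPwd
                        Permission        = ($ace.ActiveDirectoryRights -join ', ')
                        OU                = $realOU
                    }
                }
            }
        }
    }

    $Allaccountsdelegate = $OUDelegationsMap.Values | ForEach-Object { $_ } | Select-Object -Unique

    $RootOUDelegationReports = $OUDelegationsReport | Group-Object OU, Account | ForEach-Object {
        # Collect the distinct permissions of the group
        $rawPermissions = $_.Group | Select-Object -ExpandProperty Permission | Sort-Object -Unique

        # Collapse to a single label: FC (full control), WriteALL, or the joined list
        if ($rawPermissions -match 'GenericAll') {
            $finalPermission = 'FC'
        } elseif ($rawPermissions -match 'GenericWrite') {
            $finalPermission = 'WriteALL'
        } else {
            $finalPermission = ($rawPermissions -join ', ')
        }

        # Build the final object
        [PSCustomObject]@{
            OU         = $_.Group[0].OU
            Account    = $_.Group[0].Account
            Attribut   = ($_.Group | Select-Object -ExpandProperty Attribut | Sort-Object -Unique) -join "`n"
            Permission = $finalPermission
        }
    }

    # Suspicious delegation
    $GroupedAnomalies = $Anomalies | Group-Object Computer, UnexpectedAccount, OU | ForEach-Object {
        $allPermissions = ($_.Group | Select-Object -ExpandProperty Permission) -join ', '

        if ($allPermissions -match 'GenericAll') {
            $finalPermission = 'FC'
        } elseif ($allPermissions -match 'GenericWrite') {
            $finalPermission = 'WriteALL'
        } else {
            $finalPermission = ($_.Group | Select-Object -ExpandProperty Permission | Sort-Object -Unique) -join ', '
        }

        if ($finalPermission -match 'ExtendedRight|FC') {
            $risk = 'Excessive privilege'
        } else {
            $risk = 'Misconfiguration'
        }

        # Final object
        [PSCustomObject]@{
            Computer          = $_.Group[0].Computer
            UnexpectedAccount = $_.Group[0].UnexpectedAccount
            OU                = $_.Group[0].OU
            Attribut          = ($_.Group | Select-Object -ExpandProperty Attribut | Sort-Object -Unique) -join "`n"
            Permission        = $finalPermission
            risk              = $risk
        }
    }

    $nbremptycomputers = $nbrallcomputers - $Configmachines
    $date = (Get-Date)
    $domainname = (($domainDn -replace '^DC=', '') -replace ',DC=', '.')
    $Scope = if ($Oupath) { $Oupath } else { "All domain" }

    Write-Host "`r"
    Write-Host "Suspicious ACL" -ForegroundColor Green
    $GroupedAnomalies | Format-Table

    $DeleguateAccounts = @()
    $Allaccountsdelegate | Where-Object { $_ -notin $SkipAccounts } | ForEach-Object {
        $DeleguateAccounts += Get-ADSIObjectInfo $_
    }

    # LAPS ACEs found on the cached OU ACLs.
    # The attribute GUIDs are tested one at a time, as in the computer scan above: the former
    # `-eq $lapsGuids.Keys` compared against the whole key collection instead of testing
    # membership, which matches nothing once more than one GUID is tracked. The attribute name
    # is taken from $lapsGuids rather than hard-coded to 'ms-Mcs-AdmPwd'.
    $LapsOUDelegations = @()
    foreach ($ouDN in $OUACLCache.Keys) {
        $acl = $OUACLCache[$ouDN]

        foreach ($guid in $lapsGuids.Keys) {
            $lapsACEs = $acl.Access | Where-Object {
                $_.ObjectType.Guid -eq $guid -and
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|ControlAccess|WriteProperty'
            }

            foreach ($ace in $lapsACEs) {
                $account = try {
                    $ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
                } catch {
                    $ace.IdentityReference
                }

                # Exclude SELF
                # NOTE(review): matches the account name as text; on a localised system the
                # translated name may differ - confirm.
                if ($account -like "*\SELF") { continue }

                $LapsOUDelegations += [PSCustomObject]@{
                    OU        = $ouDN
                    Account   = $account.ToString()
                    Rights    = $ace.ActiveDirectoryRights -join ', '
                    Attribute = $lapsGuids[$guid]
                    Inherited = $ace.IsInherited
                }
            }
        }
    }

    # Default Path %LOCALAPPDATA%\Temp
    # The report lists which accounts can read LAPS passwords on which OUs and computers;
    # pass -OutputPath to store it in an access-restricted directory rather than the temp folder.
    $date1 = Get-Date -Format "MMddyy_HHmmss"
    if (-not $OutputPath) {
        $OutputPath = Join-Path $env:TEMP "Legacylapsreports_$date1.html"
    } else {
        $OutputPath = $OutputPath + "\Legacylapsreports_$date1.html"
    }

    # End of the script: obtain the current date and time
    $endDate = Get-Date

    # Calculate the time difference
    $elapsedTime = New-TimeSpan -Start $startDate -End $endDate
    $elapsedTime = $($elapsedTime.ToString("hh\:mm\:ss"))

    Write-Host "Scanne $nbrallcomputers computers empty passwords $nbremptycomputers computers not config Elapsed : $elapsedTime Suspicious permissions $($Anomalies.count)" -ForegroundColor Cyan
    Start-Sleep -Seconds 2

    # Splatted instead of backtick continuations; same parameters and values
    $reportArgs = @{
        TotalScanned          = $nbrallcomputers
        EmptyPasswords        = $nbremptycomputers
        SuspiciousDelegations = $($GroupedAnomalies.count)
        Haspassword           = $Configmachines
        Date                  = $date
        Domain                = $domainname
        Scope                 = $Scope
        EmptyComputersTable   = $RootOUDelegationReports
        DelegationsTable      = $GroupedAnomalies
        AllDelegatedAccounts  = $DeleguateAccounts
        AlldelegationOU       = $LapsOUDelegations
        OutputPath            = $OutputPath
    }
    Export-LapsHtmlReport @reportArgs
}

# NOTE(review): the Authenticode signature block below was computed over the original file
# content. Any edit to this module invalidates it, so the file has to be re-signed and checked
# with Get-AuthenticodeSignature before it is loaded under an AllSigned execution policy.
# SIG # Begin signature block # MIItjQYJKoZIhvcNAQcCoIItfjCCLXoCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDj5uwwbTf0TSoW # pSD0hJACxXhsMOi/GMyOgA7rAbnyEqCCEtUwggXJMIIEsaADAgECAhAbtY8lKt8j # AEkoya49fu0nMA0GCSqGSIb3DQEBDAUAMH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQK # ExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2Vy # dGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5l # dHdvcmsgQ0EwHhcNMjEwNTMxMDY0MzA2WhcNMjkwOTE3MDY0MzA2WjCBgDELMAkG # A1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMuQS4xJzAl # BgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIGA1UEAxMb # Q2VydHVtIFRydXN0ZWQgTmV0d29yayBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOC # Ag8AMIICCgKCAgEAvfl4+ObVgAxknYYblmRnPyI6HnUBfe/7XGeMycxca6mR5rlC # 5SBLm9qbe7mZXdmbgEvXhEArJ9PoujC7Pgkap0mV7ytAJMKXx6fumyXvqAoAl4Va # qp3cKcniNQfrcE1K1sGzVrihQTib0fsxf4/gX+GxPw+OFklg1waNGPmqJhCrKtPQ # 0WeNG0a+RzDVLnLRxWPa52N5RH5LYySJhi40PylMUosqp8DikSiJucBb+R3Z5yet # /5oCl8HGUJKbAiy9qbk0WQq/hEr/3/6zn+vZnuCYI+yma3cWKtvMrTscpIfcRnNe # GWJoRVfkkIJCu0LW8GHgwaM9ZqNd9BjuiMmNF0UpmTJ1AjHuKSbIawLmtWJFfzcV # WiNoidQ+3k4nsPBADLxNF8tNorMe0AZa3faTz1d1mfX6hhpneLO/lv403L3nUlbl # s+V1e9dBkQXcXWnjlQ1DufyDljmVe2yAWk8TcsbXfSl6RLpSpCrVQUYJIP4ioLZb # MI28iQzV13D4h1L92u+sUS4Hs07+0AnacO+Y+lbmbdu1V0vc5SwlFcieLnhO+Nqc # noYsylfzGuXIkosagpZ6w7xQEmnYDlpGizrrJvojybawgb5CAKT41v4wLsfSRvbl # jnX98sy50IdbzAYQYLuDNbdeZ95H7JlI8aShFf6tjGKOOVVPORa5sWOd/7cCAwEA # AaOCAT4wggE6MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLahVDkCw6A/joq8 # +tT4HKbROg79MB8GA1UdIwQYMBaAFAh2zcsH/yT2xc3tu5C84oQ3RnX3MA4GA1Ud # DwEB/wQEAwIBBjAvBgNVHR8EKDAmMCSgIqAghh5odHRwOi8vY3JsLmNlcnR1bS5w # bC9jdG5jYS5jcmwwawYIKwYBBQUHAQEEXzBdMCgGCCsGAQUFBzABhhxodHRwOi8v # c3ViY2Eub2NzcC1jZXJ0dW0uY29tMDEGCCsGAQUFBzAChiVodHRwOi8vcmVwb3Np # 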
dG9yeS5jZXJ0dW0ucGwvY3RuY2EuY2VyMDkGA1UdIAQyMDAwLgYEVR0gADAmMCQG # CCsGAQUFBwIBFhhodHRwOi8vd3d3LmNlcnR1bS5wbC9DUFMwDQYJKoZIhvcNAQEM # BQADggEBAFHCoVgWIhCL/IYx1MIy01z4S6Ivaj5N+KsIHu3V6PrnCA3st8YeDrJ1 # BXqxC/rXdGoABh+kzqrya33YEcARCNQOTWHFOqj6seHjmOriY/1B9ZN9DbxdkjuR # mmW60F9MvkyNaAMQFtXx0ASKhTP5N+dbLiZpQjy6zbzUeulNndrnQ/tjUoCFBMQl # lVXwfqefAcVbKPjgzoZwpic7Ofs4LphTZSJ1Ldf23SIikZbr3WjtP6MZl9M7JYjs # NhI9qX7OAo0FmpKnJ25FspxihjcNpDOO16hO0EoXQ0zF8ads0h5YbBRRfopUofbv # n3l6XYGaFpAP4bvxSgD5+d2+7arszgowggZHMIIEL6ADAgECAhA12OBytW+cTayv # VHUpRhwLMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNVBAYTAlBMMSEwHwYDVQQKExhB # c3NlY28gRGF0YSBTeXN0ZW1zIFMuQS4xJDAiBgNVBAMTG0NlcnR1bSBDb2RlIFNp # Z25pbmcgMjAyMSBDQTAeFw0yNTExMTYxMTAwMTlaFw0yNjExMTYxMTAwMThaMG0x # CzAJBgNVBAYTAkZSMQ8wDQYDVQQHDAZUb3Vsb24xHjAcBgNVBAoMFU9wZW4gU291 # cmNlIERldmVsb3BlcjEtMCsGA1UEAwwkT3BlbiBTb3VyY2UgRGV2ZWxvcGVyLCBE # QUtIQU1BIE1FSERJMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAp6Ku # m/VmkWCqAaF/3zHh9f1FuJYY2ozbXOu7mo1/Q8i1c0fE0TXpkZXLY2GZbfpj9BmH # AAFM0IhOsPR2vdxq3jOUJUb9TICneFor6YaPpySsXR3WSE7X42kgpkkmPELovm1Y # hwSzhJ4a+E+NWL/MU8h5JpmGVlqPJ02/ZTlMj5kcpIQtq8hoQMcUEDkGFt9IcamE # 1yN4IHkBA5nm4jJPaos0IuS77t805992JSGWhxBxWARH+2vyltv8Rmq1pZV1lE6n # JgrWT7Ichjw2X/A+OP68ooTzQwCIpzXb4UuUcwHEfrmP3HGMQJoj//SNC4QPMao+ # 3Z8zbevl73E3d6Kfvra1S+pWM2Ze5YCsIqAd98GUHgi5E6GiG8FQq/+d6msL7l8B # UASCqXlcAKIjRNMHp8BrUaaW6HS9Kpc+3O3t/LUmK6X3FFiW8QsWoh4K+7YSpopa # CQbNXmEI4xftctwBOJrEU2oqRnYiwchfjqBNlrGwVGPK1rmM0iTt5KiLTus7AgMB # AAGjggF4MIIBdDAMBgNVHRMBAf8EAjAAMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6 # Ly9jY3NjYTIwMjEuY3JsLmNlcnR1bS5wbC9jY3NjYTIwMjEuY3JsMHMGCCsGAQUF # BwEBBGcwZTAsBggrBgEFBQcwAYYgaHR0cDovL2Njc2NhMjAyMS5vY3NwLWNlcnR1 # bS5jb20wNQYIKwYBBQUHMAKGKWh0dHA6Ly9yZXBvc2l0b3J5LmNlcnR1bS5wbC9j # Y3NjYTIwMjEuY2VyMB8GA1UdIwQYMBaAFN10XUwA23ufoHTKsW73PMAywHDNMB0G # A1UdDgQWBBSXTmfHi9BD9GDRwk5/doNtKHBXYzBLBgNVHSAERDBCMAgGBmeBDAEE # ATA2BgsqhGgBhvZ3AgUBBDAnMCUGCCsGAQUFBwIBFhlodHRwczovL3d3dy5jZXJ0 # 
dW0ucGwvQ1BTMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA4GA1UdDwEB/wQEAwIHgDAN # BgkqhkiG9w0BAQsFAAOCAgEAe+khGqwUUkFYuFRsrvenX2/a+PIt2Tu9d3VoW6Or # MX3YLpe7S2CgFkXwEi2Siq5KiD1labP9jsh/3G1ZQwwlnPv8dB7ocl/nOrQ9OZex # GVE1r7IO6VYVa5F7XuJ/KadKLEbQSs1BpBVhESo1ZYr6w9NCLuO9q2Sh3H5MktET # D6sB+g1TFOYMdwYl8eAawgI2kGPe3dRQSoumP0mHkm3x5SIwRCW+08md5uyzCIui # 85WmcNPtM1QCqjkSpfdFGYPsnf/BO9NATpZkqFxhXwa9+PqseX+mofCIL49guCXG # kU4RpeRHcUie14oYkxvBw7VUO4MT6wYbS2C3j2nyoAV4XqqNMfrhZIBJG5haj2RB # V46bMJ+DsW6hxlm3lIlCaJT2pLbbk79OP+Bk0HIdC9mAbKzcqaZpBpn4+ljrcx7/ # X7OHv4XTCCDWwlZbaogy4Wci6TiSjjfpfXK5N/eJTEEh2w4qoYTTrR61ptkVnTUT # vGRfPnVtS/3aOm2v4UahtOc/ygcL0A/J85r1e6CEeOaTm9eJbHoNdwNIYaZ81VlX # /V/MoJgFCtioYOKiTf2Rdq7XrEEHLU2YGwCqJyKYz9tz10yXBcMW6/+gX+PGqAYz # eKg5jbKLdi9lVrKspQUXAPHdcl6VJMXy799J0lbsQeJNgBVy6HWxOWvdLBGX3hPE # 3aYwgga5MIIEoaADAgECAhEAmaOACiZVO2Wr3G6EprPqOTANBgkqhkiG9w0BAQwF # ADCBgDELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVz # IFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEk # MCIGA1UEAxMbQ2VydHVtIFRydXN0ZWQgTmV0d29yayBDQSAyMB4XDTIxMDUxOTA1 # MzIxOFoXDTM2MDUxODA1MzIxOFowVjELMAkGA1UEBhMCUEwxITAfBgNVBAoTGEFz # c2VjbyBEYXRhIFN5c3RlbXMgUy5BLjEkMCIGA1UEAxMbQ2VydHVtIENvZGUgU2ln # bmluZyAyMDIxIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnSPP # BDAjO8FGLOczcz5jXXp1ur5cTbq96y34vuTmflN4mSAfgLKTvggv24/rWiVGzGxT # 9YEASVMw1Aj8ewTS4IndU8s7VS5+djSoMcbvIKck6+hI1shsylP4JyLvmxwLHtSw # orV9wmjhNd627h27a8RdrT1PH9ud0IF+njvMk2xqbNTIPsnWtw3E7DmDoUmDQiYi # /ucJ42fcHqBkbbxYDB7SYOouu9Tj1yHIohzuC8KNqfcYf7Z4/iZgkBJ+UFNDcc6z # okZ2uJIxWgPWXMEmhu1gMXgv8aGUsRdaCtVD2bSlbfsq7BiqljjaCun+RJgTgFRC # tsuAEw0pG9+FA+yQN9n/kZtMLK+Wo837Q4QOZgYqVWQ4x6cM7/G0yswg1ElLlJj6 # NYKLw9EcBXE7TF3HybZtYvj9lDV2nT8mFSkcSkAExzd4prHwYjUXTeZIlVXqj+ea # YqoMTpMrfh5MCAOIG5knN4Q/JHuurfTI5XDYO962WZayx7ACFf5ydJpoEowSP07Y # aBiQ8nXpDkNrUA9g7qf/rCkKbWpQ5boufUnq1UiYPIAHlezf4muJqxqIns/kqld6 # JVX8cixbd6PzkDpwZo4SlADaCi2JSplKShBSND36E/ENVv8urPS0yOnpG4tIoBGx # 
VCARPCg1BnyMJ4rBJAcOSnAWd18Jx5n858JSqPECAwEAAaOCAVUwggFRMA8GA1Ud # EwEB/wQFMAMBAf8wHQYDVR0OBBYEFN10XUwA23ufoHTKsW73PMAywHDNMB8GA1Ud # IwQYMBaAFLahVDkCw6A/joq8+tT4HKbROg79MA4GA1UdDwEB/wQEAwIBBjATBgNV # HSUEDDAKBggrBgEFBQcDAzAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vY3JsLmNl # cnR1bS5wbC9jdG5jYTIuY3JsMGwGCCsGAQUFBwEBBGAwXjAoBggrBgEFBQcwAYYc # aHR0cDovL3N1YmNhLm9jc3AtY2VydHVtLmNvbTAyBggrBgEFBQcwAoYmaHR0cDov # L3JlcG9zaXRvcnkuY2VydHVtLnBsL2N0bmNhMi5jZXIwOQYDVR0gBDIwMDAuBgRV # HSAAMCYwJAYIKwYBBQUHAgEWGGh0dHA6Ly93d3cuY2VydHVtLnBsL0NQUzANBgkq # hkiG9w0BAQwFAAOCAgEAdYhYD+WPUCiaU58Q7EP89DttyZqGYn2XRDhJkL6P+/T0 # IPZyxfxiXumYlARMgwRzLRUStJl490L94C9LGF3vjzzH8Jq3iR74BRlkO18J3zId # mCKQa5LyZ48IfICJTZVJeChDUyuQy6rGDxLUUAsO0eqeLNhLVsgw6/zOfImNlARK # n1FP7o0fTbj8ipNGxHBIutiRsWrhWM2f8pXdd3x2mbJCKKtl2s42g9KUJHEIiLni # 9ByoqIUul4GblLQigO0ugh7bWRLDm0CdY9rNLqyA3ahe8WlxVWkxyrQLjH8ItI17 # RdySaYayX3PhRSC4Am1/7mATwZWwSD+B7eMcZNhpn8zJ+6MTyE6YoEBSRVrs0zFF # IHUR08Wk0ikSf+lIe5Iv6RY3/bFAEloMU+vUBfSouCReZwSLo8WdrDlPXtR0gicD # nytO7eZ5827NS2x7gCBibESYkOh1/w1tVxTpV2Na3PR7nxYVlPu1JPoRZCbH86gc # 96UTvuWiOruWmyOEMLOGGniR+x+zPF/2DaGgK2W1eEJfo2qyrBNPvF7wuAyQfiFX # LwvWHamoYtPZo0LHuH8X3n9C+xN4YaNjt2ywzOr+tKyEVAotnyU9vyEVOaIYMk3I # eBrmFnn0gbKeTTyYeEEUz/Qwt4HOUBCrW602NCmvO1nm+/80nLy5r0AZvCQxaQ4x # ghoOMIIaCgIBATBqMFYxCzAJBgNVBAYTAlBMMSEwHwYDVQQKExhBc3NlY28gRGF0 # YSBTeXN0ZW1zIFMuQS4xJDAiBgNVBAMTG0NlcnR1bSBDb2RlIFNpZ25pbmcgMjAy # MSBDQQIQNdjgcrVvnE2sr1R1KUYcCzANBglghkgBZQMEAgEFAKB8MBAGCisGAQQB # gjcCAQwxAjAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcC # AQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCDSU9T50njmumI1k369 # LXZS5HHDIxNRMZbPtmNTH9+EsTANBgkqhkiG9w0BAQEFAASCAYCj1bkpTN82HgCU # sHYBV5mBsSrvkYAPUvrJt7BgwZkM+UxSJfIH5tx3F0TWpZ4Z26/ro9n3Ms4d54pt # ZR739K9ph65k3dGIOyQemaiJVj695ZO8cgp5IBJ51kVexrr4bmRcoXRS7r5NDZUf # 2jMyzBdjUBxGNu6ieFImyIO0VDs6OEUuVWXISxSd+NAIBiHHd+FKGReBs1HoWpEJ # LCcMLdo0dhAdjZAKx6vKrwiiQ7NjcoIQzOS1+I6mj9oa1cn2W7k4rTZ2GvwuGVVK # 
WDLLVIDYY5iKQHFMymF88zcx9T9p4gjbXN1inHhIZ4oS95aSD6Vll3yXWvE/6pGM # rd16b24z3pv6dPYmG1hNR62wQe8HVUibsZtRTvUI/RcQU/jGJB6docURkkOTvYkH # uBhCKNkH0anBtif+MKLOSggN3qRzJZjFNJvIOavCQ8cRXBgKmdZhse7fQB5hlaRm # viliEVqnABI0q9mIw2yowFQjr6Ymlp4MhVtJD5kamXfmXIfTsP2hghd3MIIXcwYK # KwYBBAGCNwMDATGCF2MwghdfBgkqhkiG9w0BBwKgghdQMIIXTAIBAzEPMA0GCWCG # SAFlAwQCAQUAMHgGCyqGSIb3DQEJEAEEoGkEZzBlAgEBBglghkgBhv1sBwEwMTAN # BglghkgBZQMEAgEFAAQgGnClNZtLaX7Ca0SBZ3RJBcqp2dXCaoA4QMbrPIC6eVcC # EQDl7xhEYrlGsLL1OJ274+ynGA8yMDI2MDEzMDIyMzMyNVqgghM6MIIG7TCCBNWg # AwIBAgIQCoDvGEuN8QWC0cR2p5V0aDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQG # EwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0 # IFRydXN0ZWQgRzQgVGltZVN0YW1waW5nIFJTQTQwOTYgU0hBMjU2IDIwMjUgQ0Ex # MB4XDTI1MDYwNDAwMDAwMFoXDTM2MDkwMzIzNTk1OVowYzELMAkGA1UEBhMCVVMx # FzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBTSEEy # NTYgUlNBNDA5NiBUaW1lc3RhbXAgUmVzcG9uZGVyIDIwMjUgMTCCAiIwDQYJKoZI # hvcNAQEBBQADggIPADCCAgoCggIBANBGrC0Sxp7Q6q5gVrMrV7pvUf+GcAoB38o3 # zBlCMGMyqJnfFNZx+wvA69HFTBdwbHwBSOeLpvPnZ8ZN+vo8dE2/pPvOx/Vj8Tch # TySA2R4QKpVD7dvNZh6wW2R6kSu9RJt/4QhguSssp3qome7MrxVyfQO9sMx6ZAWj # FDYOzDi8SOhPUWlLnh00Cll8pjrUcCV3K3E0zz09ldQ//nBZZREr4h/GI6Dxb2Uo # yrN0ijtUDVHRXdmncOOMA3CoB/iUSROUINDT98oksouTMYFOnHoRh6+86Ltc5zjP # KHW5KqCvpSduSwhwUmotuQhcg9tw2YD3w6ySSSu+3qU8DD+nigNJFmt6LAHvH3KS # uNLoZLc1Hf2JNMVL4Q1OpbybpMe46YceNA0LfNsnqcnpJeItK/DhKbPxTTuGoX7w # JNdoRORVbPR1VVnDuSeHVZlc4seAO+6d2sC26/PQPdP51ho1zBp+xUIZkpSFA8vW # doUoHLWnqWU3dCCyFG1roSrgHjSHlq8xymLnjCbSLZ49kPmk8iyyizNDIXj//cOg # rY7rlRyTlaCCfw7aSUROwnu7zER6EaJ+AliL7ojTdS5PWPsWeupWs7NpChUk555K # 096V1hE0yZIXe+giAwW00aHzrDchIc2bQhpp0IoKRR7YufAkprxMiXAJQ1XCmnCf # gPf8+3mnAgMBAAGjggGVMIIBkTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTkO/zy # Me39/dfzkXFjGVBDz2GM6DAfBgNVHSMEGDAWgBTvb1NK6eQGfHrK4pBW9i/USezL # TjAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwgZUGCCsG # AQUFBwEBBIGIMIGFMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j # 
b20wXQYIKwYBBQUHMAKGUWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp # Q2VydFRydXN0ZWRHNFRpbWVTdGFtcGluZ1JTQTQwOTZTSEEyNTYyMDI1Q0ExLmNy # dDBfBgNVHR8EWDBWMFSgUqBQhk5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGln # aUNlcnRUcnVzdGVkRzRUaW1lU3RhbXBpbmdSU0E0MDk2U0hBMjU2MjAyNUNBMS5j # cmwwIAYDVR0gBBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9bAcBMA0GCSqGSIb3DQEB # CwUAA4ICAQBlKq3xHCcEua5gQezRCESeY0ByIfjk9iJP2zWLpQq1b4URGnwWBdEZ # D9gBq9fNaNmFj6Eh8/YmRDfxT7C0k8FUFqNh+tshgb4O6Lgjg8K8elC4+oWCqnU/ # ML9lFfim8/9yJmZSe2F8AQ/UdKFOtj7YMTmqPO9mzskgiC3QYIUP2S3HQvHG1FDu # +WUqW4daIqToXFE/JQ/EABgfZXLWU0ziTN6R3ygQBHMUBaB5bdrPbF6MRYs03h4o # bEMnxYOX8VBRKe1uNnzQVTeLni2nHkX/QqvXnNb+YkDFkxUGtMTaiLR9wjxUxu2h # ECZpqyU1d0IbX6Wq8/gVutDojBIFeRlqAcuEVT0cKsb+zJNEsuEB7O7/cuvTQasn # M9AWcIQfVjnzrvwiCZ85EE8LUkqRhoS3Y50OHgaY7T/lwd6UArb+BOVAkg2oOvol # /DJgddJ35XTxfUlQ+8Hggt8l2Yv7roancJIFcbojBcxlRcGG0LIhp6GvReQGgMgY # xQbV1S3CrWqZzBt1R9xJgKf47CdxVRd/ndUlQ05oxYy2zRWVFjF7mcr4C34Mj3oc # CVccAvlKV9jEnstrniLvUxxVZE/rptb7IRE2lskKPIJgbaP5t2nGj/ULLi49xTcB # ZU8atufk+EMF/cWuiC7POGT75qaL6vdCvHlshtjdNXOCIUjsarfNZzCCBrQwggSc # oAMCAQICEA3HrFcF/yGZLkBDIgw6SYYwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UE # BhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2lj # ZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MB4XDTI1 # MDUwNzAwMDAwMFoXDTM4MDExNDIzNTk1OVowaTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IFRpbWVTdGFtcGluZyBSU0E0MDk2IFNIQTI1NiAyMDI1IENBMTCCAiIwDQYJKoZI # hvcNAQEBBQADggIPADCCAgoCggIBALR4MdMKmEFyvjxGwBysddujRmh0tFEXnU2t # jQ2UtZmWgyxU7UNqEY81FzJsQqr5G7A6c+Gh/qm8Xi4aPCOo2N8S9SLrC6Kbltqn # 7SWCWgzbNfiR+2fkHUiljNOqnIVD/gG3SYDEAd4dg2dDGpeZGKe+42DFUF0mR/vt # La4+gKPsYfwEu7EEbkC9+0F2w4QJLVSTEG8yAR2CQWIM1iI5PHg62IVwxKSpO0Xa # F9DPfNBKS7Zazch8NF5vp7eaZ2CVNxpqumzTCNSOxm+SAWSuIr21Qomb+zzQWKhx # KTVVgtmUPAW35xUUFREmDrMxSNlr/NsJyUXzdtFUUt4aS4CEeIY8y9IaaGBpPNXK # FifinT7zL2gdFpBP9qh8SdLnEut/GcalNeJQ55IuwnKCgs+nrpuQNfVmUB5KlCX3 # 
ZA4x5HHKS+rqBvKWxdCyQEEGcbLe1b8Aw4wJkhU1JrPsFfxW1gaou30yZ46t4Y9F # 20HHfIY4/6vHespYMQmUiote8ladjS/nJ0+k6MvqzfpzPDOy5y6gqztiT96Fv/9b # H7mQyogxG9QEPHrPV6/7umw052AkyiLA6tQbZl1KhBtTasySkuJDpsZGKdlsjg4u # 70EwgWbVRSX1Wd4+zoFpp4Ra+MlKM2baoD6x0VR4RjSpWM8o5a6D8bpfm4CLKczs # G7ZrIGNTAgMBAAGjggFdMIIBWTASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW # BBTvb1NK6eQGfHrK4pBW9i/USezLTjAfBgNVHSMEGDAWgBTs1+OC0nFdZEzfLmc/ # 57qYrhwPTzAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwgwdwYI # KwYBBQUHAQEEazBpMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j # b20wQQYIKwYBBQUHMAKGNWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp # Q2VydFRydXN0ZWRSb290RzQuY3J0MEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9j # cmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRSb290RzQuY3JsMCAGA1Ud # IAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG/WwHATANBgkqhkiG9w0BAQsFAAOCAgEA # F877FoAc/gc9EXZxML2+C8i1NKZ/zdCHxYgaMH9Pw5tcBnPw6O6FTGNpoV2V4wzS # UGvI9NAzaoQk97frPBtIj+ZLzdp+yXdhOP4hCFATuNT+ReOPK0mCefSG+tXqGpYZ # 3essBS3q8nL2UwM+NMvEuBd/2vmdYxDCvwzJv2sRUoKEfJ+nN57mQfQXwcAEGCvR # R2qKtntujB71WPYAgwPyWLKu6RnaID/B0ba2H3LUiwDRAXx1Neq9ydOal95CHfmT # nM4I+ZI2rVQfjXQA1WSjjf4J2a7jLzWGNqNX+DF0SQzHU0pTi4dBwp9nEC8EAqox # W6q17r0z0noDjs6+BFo+z7bKSBwZXTRNivYuve3L2oiKNqetRHdqfMTCW/NmKLJ9 # M+MtucVGyOxiDf06VXxyKkOirv6o02OoXN4bFzK0vlNMsvhlqgF2puE6FndlENSm # E+9JGYxOGLS/D284NHNboDGcmWXfwXRy4kbu4QFhOm0xJuF2EZAOk5eCkhSxZON3 # rGlHqhpB/8MluDezooIs8CVnrpHMiD2wL40mm53+/j7tFaxYKIqL0Q4ssd8xHZnI # n/7GELH3IdvG2XlM9q7WP/UwgOkw/HQtyRN62JK4S1C8uw3PdBunvAZapsiI5YKd # vlarEvf8EA+8hcpSM9LHJmyrxaFtoza2zNaQ9k+5t1wwggWNMIIEdaADAgECAhAO # mxiO+dAt5+/bUOIIQBhaMA0GCSqGSIb3DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUw # EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x # JDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEw # MDAwMDBaFw0zMTExMDkyMzU5NTlaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxE # aWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMT # GERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIP # 
ADCCAgoCggIBAL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprN # rnsbhA3EMB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVy # r2iTcMKyunWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4 # IWGbNOsFxl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13j # rclPXuU15zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4Q # kXCrVYJBMtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQn # vKFPObURWBf3JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu # 5tTvkpI6nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/ # 8tWMcCxBYKqxYxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQp # JYls5Q5SUUd0viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFf # xCBRa2+xq4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGj # ggE6MIIBNjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/ # 57qYrhwPTzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAOBgNVHQ8B # Af8EBAMCAYYweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz # cC5kaWdpY2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2lj # ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6 # oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElE # Um9vdENBLmNybDARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQEMBQADggEB # AHCgv0NcVec4X6CjdBs9thbX979XB72arKGHLOyFXqkauyL4hxppVCLtpIh3bb0a # FPQTSnovLbc47/T/gLn4offyct4kvFIDyE7QKt76LVbP+fT3rDB6mouyXtTP0UNE # m0Mh65ZyoUi0mcudT6cGAxN3J0TU53/oWajwvy8LpunyNDzs9wPHh6jSTEAZNUZq # aVSwuKFWjuyk1T3osdz9HNj0d1pcVIxv76FQPfx2CWiEn2/K2yCNNWAcAgPLILCs # WKAOQGPFmCLBsln1VWvPJ6tsds5vIy30fnFqI2si/xK4VC0nftg62fC2h5b9W9Fc # rBjDTZ9ztwGpn1eqXijiuZQxggN8MIIDeAIBATB9MGkxCzAJBgNVBAYTAlVTMRcw # FQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3Rl # ZCBHNCBUaW1lU3RhbXBpbmcgUlNBNDA5NiBTSEEyNTYgMjAyNSBDQTECEAqA7xhL # jfEFgtHEdqeVdGgwDQYJYIZIAWUDBAIBBQCggdEwGgYJKoZIhvcNAQkDMQ0GCyqG # SIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNjAxMzAyMjMzMjVaMCsGCyqGSIb3 # DQEJEAIMMRwwGjAYMBYEFN1iMKyGCi0wa9o4sWh5UjAH+0F+MC8GCSqGSIb3DQEJ # 
BDEiBCBlKmX6oW2hij88OnufJQW562pal85K4wg2YQOtuHgQ1TA3BgsqhkiG9w0B # CRACLzEoMCYwJDAiBCBKoD+iLNdchMVck4+CjmdrnK7Ksz/jbSaaozTxRhEKMzAN # BgkqhkiG9w0BAQEFAASCAgCxFZgGMpW03zwfDyEResvw901I7GFW3D3S0o/PHw2F # LHcEuRUqoPOrKc6ZbbLJbbDvpB1syAASoi3ro93ZcoBGut2+HiZTb9OOHLSaC0az # VF1WRTZ5V5mnOBBdiHopTXK8c/bzaJo78FQJ0YmJkLUx2kuAXEPr2CN8iji2HkI3 # ilbvft5Y5e8Et4194423WyJv6ICAGVXH0U1OcIfpy2iy0hs2D2t8bUzlsw/59i/E # Nw64I8jIScU+l2EZw9On2YbvYaCoVqsAVf3scvn80z8lP3frQlUG3XPyNQNR4Ez1 # 5BHrjVcUce1hZ7Sr/uxKJCOXlqIM/RGrCadKHlZMKEIOvo1IvbVRKGWejX0bzPkO # 2m2h3LxMAfEJz+Afqn/mldWwmYOEjieBe5jVrUSSrul+pf5cxJ8Z1kUXrYnXVBz7 # hf0SlqSBMvsTSKsX4pNZiyGcA6Bo7DF8DFl9pF/tRpy95USobkoWE25quQmTXrub # hvys76/LTCxE7C/0vsaVFV0DevY3HZ5EbB3BVr1OQdeqyRMvkjdLiSD1g6C3nUWW # mIi0bdJWNrHpA3o2yBq8lXk6Dzxlih1Xv1XRevunCCznYDwbpoyrYnd2ze+4DWTw # 9UIcCAYqNK4HOglnJFtybTB3S3ZpXIqprgKJq2j7gIHO1BUdDFKPNqEYnFgGZoc8 # /A== # SIG # End signature block |