
Feature request: Make host-unique randomized cache file names #48

Closed
mgeeky opened this Issue Jan 21, 2019 · 3 comments


mgeeky commented Jan 21, 2019

Hi,

According to my field experience, the default artifact's name raises an immediate alert from various EDR/HIPS agents, like FireEye HX. I'd like to propose a way to generate a host-dependent unique name that would, for instance, be generated from a tuple of ($Env:Hostname, $Env:Username, $Env:Userdnsdomain). Such a tuple could then be fed to some kind of hashing/mangling function that would create a randomized cache file name, effectively bypassing simple artifact-based HIPS rules.

CacheFile - Filename for the Sharphound cache. (Default: BloodHound.bin)

mgeeky commented Jan 22, 2019

I've addressed my own issue in PR #50.


rvazarkar commented Mar 7, 2019

I addressed this issue with my own commit e763032.

The machine-specific cache file name is generated using the machine SID of the local machine, so changing hostnames won't mess it up. It also renames the old BloodHound.bin on run to the new format so cache files aren't lost.

rvazarkar closed this Mar 7, 2019


rvazarkar commented Mar 7, 2019

Thanks for the suggestion!
