This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

Feature request: Make host-unique randomized cache file names #48

Closed
mgeeky opened this issue Jan 21, 2019 · 3 comments

Comments

@mgeeky

mgeeky commented Jan 21, 2019

Hi,

According to my field experience, the default artifact name raises an immediate alert from various EDR/HIPS agents, like FireEye HX. I'd like to propose a way to generate a host-dependent unique name that would, for instance, be generated from a tuple of ($Env:Hostname, $Env:Username, $Env:Userdnsdomain). Such a tuple could then be fed to some kind of hashing/mangling function that would create a randomized cache file name, effectively bypassing simple artifact-based HIPS rules.

CacheFile - Filename for the Sharphound cache. (Default: BloodHound.bin)
@mgeeky
Author

mgeeky commented Jan 22, 2019

I've addressed my own issue in PR#50.

@rvazarkar
Contributor

I addressed this issue with my own commit BloodHoundAD/SharpHound@e763032

The machine-specific cache file name is generated using the machine SID of the local machine, so changing hostnames won't mess it up. It also renames the old BloodHound.bin on run to the new format so cache files aren't lost.

@rvazarkar
Contributor

Thanks for the suggestion!
