Wednesday, October 27, 2021

Fetching SharpHound data entirely in-memory (no dropped ZIP or JSON files) using BOF.NET and Cobalt Strike

This post details some proof-of-concept changes to SharpHound’s output functionality to avoid forensic artefacts: everything is done in memory, and nothing ever touches disk. It also leverages the fantastic recent changes to BOF.NET to support sending memory buffers to Cobalt Strike as pseudo file downloads. For this, two new (non-official) SharpHound flags are introduced: --MemoryOnlyJSON and --MemoryOnlyZIP (the latter having a dependency on BOF.NET). Code here.

Existing evasion fea…
