
Limit information collected by group-members list command

Open malacupa opened this issue 2 years ago • 6 comments

Dear BloodHound team,

This is possibly a breaking change to only collect user IDs when collecting group members.

The reason for this is that if you run collection of this type in a large environment, you'd need a VERY beefy machine to collect it. Then I suppose you'd need an even beefier machine to import it to neo4j. This happens because plenty of additional information is collected for each member, while for most cases collecting the group ID and matching user IDs should be enough. It happened to me that I was not even able to collect whole group memberships and the JSON file on disk was already over 200GB.

If this is unacceptable for list group-members, how about using this behavior at least for list az-ad? The list az-ad should collect information about users in each group anyway.

malacupa avatar Nov 16 '23 11:11 malacupa

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


malacupa seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request

github-actions[bot] avatar Nov 16 '23 11:11 github-actions[bot]

I have read the CLA Document and I hereby sign the CLA

malacupa avatar Nov 16 '23 11:11 malacupa

Hi @malacupa, thanks for bringing this up. We have had some reports from our BloodHound Slack of possibly unintentional/malformed data that is severely bloating AzureHound collection files, and we have an internal ticket to track and investigate the issue. I will bring this suggestion up with the team, but we may hold off looking into this change until we can rule out the previous problem as the main source of bloat.

sircodemane avatar Nov 21 '23 20:11 sircodemane

Hello @malacupa, we have another PR up to address empty data being encoded and bloating the collection files. If you're interested, I'd love to have you check out that branch and see if it has an impact on your collections: https://github.com/BloodHoundAD/AzureHound/pull/67

sircodemane avatar Dec 08 '23 17:12 sircodemane

Had problems with a large capture, 15GB. This PR fixed the issues and drastically reduced the size of the capture and we were able to successfully import it to BloodHound.

1njected avatar Jan 16 '24 21:01 1njected

Hey all, this issue is resolved in https://github.com/BloodHoundAD/AzureHound/pull/67. This will be included in next week's release. Thank you for your effort and contributions!

StephenHinck avatar Feb 07 '24 21:02 StephenHinck

@malacupa - thank you very much for your effort on this. Even though we did not end up including your code within our fixes, we would still like to send you a swag package to show our gratitude.

If you'd be interested, please email me at shinck [at] specterops [dot] io with your shipping address and t-shirt size, and I'll get that on its way!

StephenHinck avatar Sep 06 '24 20:09 StephenHinck