Lorenzo Bernardi
I investigated more and found out the json exports correctly have the multiple domain policies with the same name and different GUIDs. However, when I query Neo4j DB directly, it...
This issue might have to be moved to BloodHound repo
Actually, it looks like in the OU collection, the GPO is referenced by name as well. Extract from `ous` json:
```
[...] { "Properties" : { "name" : "DOMAIN [email protected]",...
```
If such "Event Hub" already exists, shouldn't it be possible to integrate a listener in Covenant that writes event to a log file?
Really nice, indeed! Let's check what you have in this PR for now and then we'll see if some other things need to be added/adapted to get an exhaustive view...
I think it would be easier to parse in logstash with something other than a newline-delimited format (if possible for you) 👍 Regarding the logged data, what would be super...
Something like this could be more convenient for parsing:
```
2020-09-03 16:43:20.8089||INFO|Covenant.Core.LoggingService|[OnCreateCovenantUser]|ab10a915-3cee-4bf9-9cca-699bfed31fe1|6E3C6A15-B39F-BF13-82FD-BD2456FD1DE2
2020-09-03 16:43:20.9877||INFO|Covenant.Core.LoggingService|[OnCreateListener]|ListenerID:1|BindAddress:0.0.0.0|BindPort:80|ConnectAddresses:10.10.0.4|ConnectPort:80
2020-09-19 15:23:24.7490||INFO|Covenant.Core.LoggingService|[OnCreateCovenantUser]|0e89d748-37a5-4201-8a12-f1d4e28ce457|44F2CAEC-92A6-C1F2-F4B2-D302936C815F
2020-09-19 15:23:24.9657||INFO|Covenant.Core.LoggingService|[OnCreateListener]ListenerID:1|BindAddress:0.0.0.0|BindPort:80|ConnectAddresses:10.10.0.2|ConnectPort:80
2020-09-19 15:23:38.4850||INFO|Covenant.Core.LoggingService|[OnCreateHostedFile]|ID:1|Path:/path/to/file.exe
2020-09-19 15:26:28.8140||INFO|Covenant.Core.LoggingService|[OnCreateGrunt]|5|e840756b32|DESKTOP-CQRINT5|Medium|10.10.0.2|DESKTOP-CQRINT5
```
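One way to turn the pipe-delimited layout proposed in that comment into structured events that a log pipeline can ingest, as an added Python example that is not part of Covenant or of this thread. The `CovenantEvent` dataclass, the split between `key:value` fields and positional values, and the tolerance for a missing `|` right after the event tag (visible in the fourth sample line) are my own assumptions; the sample lines are constructed by copying the shape of the ones in the comment.

```python
import json
import re
from collections import Counter
from dataclasses import asdict, dataclass, field
from typing import Dict, List

# Constructed sample in the shape proposed in the comment (not real Covenant output).
SAMPLE_LOG = """\
2020-09-03 16:43:20.8089||INFO|Covenant.Core.LoggingService|[OnCreateCovenantUser]|ab10a915-3cee-4bf9-9cca-699bfed31fe1|6E3C6A15-B39F-BF13-82FD-BD2456FD1DE2
2020-09-03 16:43:20.9877||INFO|Covenant.Core.LoggingService|[OnCreateListener]|ListenerID:1|BindAddress:0.0.0.0|BindPort:80|ConnectAddresses:10.10.0.4|ConnectPort:80
2020-09-19 15:23:24.7490||INFO|Covenant.Core.LoggingService|[OnCreateCovenantUser]|0e89d748-37a5-4201-8a12-f1d4e28ce457|44F2CAEC-92A6-C1F2-F4B2-D302936C815F
2020-09-19 15:23:24.9657||INFO|Covenant.Core.LoggingService|[OnCreateListener]ListenerID:1|BindAddress:0.0.0.0|BindPort:80|ConnectAddresses:10.10.0.2|ConnectPort:80
2020-09-19 15:23:38.4850||INFO|Covenant.Core.LoggingService|[OnCreateHostedFile]|ID:1|Path:/path/to/file.exe
2020-09-19 15:26:28.8140||INFO|Covenant.Core.LoggingService|[OnCreateGrunt]|5|e840756b32|DESKTOP-CQRINT5|Medium|10.10.0.2|DESKTOP-CQRINT5
"""

# Event tag "[Name]" optionally followed directly by payload text when the "|" is missing.
EVENT_RE = re.compile(r"^\[(?P<event>[^\]]+)\](?P<rest>.*)$")


@dataclass
class CovenantEvent:
    """Assumed structured form of one log line (hypothetical; not a Covenant type)."""
    timestamp: str
    level: str
    logger: str
    event: str
    fields: Dict[str, str] = field(default_factory=dict)  # key:value items
    positional: List[str] = field(default_factory=list)   # items without a key


def parse_line(line: str) -> CovenantEvent:
    """Parse one pipe-delimited line; raises ValueError on a line that does not fit."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < 5:
        raise ValueError(f"too few fields: {line!r}")
    timestamp, _reserved, level, logger, tag = parts[:5]
    m = EVENT_RE.match(tag)
    if not m:
        raise ValueError(f"missing [Event] tag: {line!r}")
    payload = parts[5:]
    # Tolerate "[OnCreateListener]ListenerID:1": the text glued to the tag is the first item.
    if m.group("rest"):
        payload.insert(0, m.group("rest"))
    fields: Dict[str, str] = {}
    positional: List[str] = []
    for item in payload:
        # Split only on the first ":" so values such as "Path:/path/to/file.exe" survive intact.
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key] = value
        else:
            positional.append(item)
    return CovenantEvent(timestamp, level, logger, m.group("event"), fields, positional)


def parse_log(text: str) -> List[CovenantEvent]:
    """Parse every non-empty line of a log file."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def count_by_event(events: List[CovenantEvent]) -> Dict[str, int]:
    """Event-type histogram, useful as a quick sanity check on what the server logged."""
    return dict(Counter(ev.event for ev in events))


def to_json_lines(events: List[CovenantEvent]) -> str:
    """Serialize as newline-delimited JSON, which log shippers ingest without a custom grok."""
    return "\n".join(json.dumps(asdict(ev)) for ev in events)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(count_by_event(parsed))
    print(to_json_lines(parsed))
```

Emitting JSON lines keeps the `fields` dictionary addressable by name downstream (for instance `BindPort` or `ConnectAddresses`), while the positional list preserves items the server did not label so nothing is lost when the layout changes.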
That's great, thanks! I'll give it a try tomorrow and test parsing the output. Why did you decide not to log the command output?
Makes sense, could we make this a configuration setting instead? Just to avoid having the users needing to change the code itself to make it work 😄
Awesome, thanks @cobbr !