SharpHound

Create a random XOR byte, then ingress a SharpHound payload XOR'd with that byte to a temporary file on the target system. Bypass AMSI, load the XOR'd SharpHound payload in memory, and run it.

BloodHound shows both attackers and defenders attack paths through Active Directory (AD) environments.

The SharpHound collector gathers the data from the target environment that BloodHound needs to discover those attack paths. This chain automates staging a randomized collector and bypassing security mechanisms to gather that data.

This chain includes the following resources:

TTPs
  • Bypass AMSI, load, and run XOR'd SharpHound payload
  • Create an XOR byte
  • Ingress payload to XOR'd file
Supported platforms
  • windows
Supported executors
  • psh
Payloads
  • patchAMSI.ps1
  • SharpHound.exe
  • Certify.exe
User-Set Custom Variables
  • payload.uri: /discovery/bloodhound/SharpHound.exe
In The News
All SharpHound Flags, Explained — BloodHound 3.0.3 documentation
Threat Intel
GitHub - BloodHoundAD/SharpHound3: C# Data Collector for the BloodHound Project, Version 3

Use Prelude chains to test your defense with simulated adversaries.
New chains drop weekly on #TTPtuesday

The Prelude Operator App

Run attack chains in the Prelude Operator app, available on all systems. Defend your organization by mimicking real adversarial attacks, and more.

Upcoming

Next Chain Drop
2021-11-02

More Chains

← Previous

Conti (Discovery)

2021-09-21
tactics
discovery
credential-access
Tags
conti
hafnium
apt29 scenario 1
apt29
Discover computers, shares, and numbers of computers in the domain. Enumerate the local, domain, and enterprise administrators, then dump hashes for potentially Kerberoastable accounts.

Next →

JXA Access

2021-08-24
tactics
command-and-control
execution
persistence
Tags
Deploy a file-less JXA agent via a shell script and create a persistence application on the user's desktop that launches a new agent any time the "fake" Safari application is clicked. Next, upgrade the file-less agent to a full stage-2 Pneuma agent.

Latest Drop

Sequoia

2021-10-26
tactics
discovery
resource-development
privilege-escalation
Tags
Stages a directory in the home folder to hold the exploit's seq_file directory structure. Performs a kernel version check and checks for vulnerable kernel settings. Discovers available system RAM and checks whether it meets the exploitation requirements. Finally, ingresses the exploit payload and launches a privileged Pneuma agent.