BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This uses an existing
XOR'd SharpHound payload on disk to load and run BloodHound in memory. This bypasses the Anti-malware scanning interface (AMSI)
in the current powershell process to allow loading of SharpHound.
View Command
To view this TTPs command, you must be logged in with a professional or enterprise license.