Bypass AMSI, load, and run XOR'd SharpHound payload

BloodHound uses .NET API calls in its SharpHound ingestor component to pull Active Directory data. This TTP uses an existing XOR'd SharpHound payload already on disk to load and run BloodHound in memory. To allow SharpHound to load, it bypasses the Antimalware Scan Interface (AMSI) in the current PowerShell process.
SharpHound

2021-09-07

Ingress, load, and run the SharpHound collector.