SharpHound — Stealth Collection
Stealth mode — avoids noisy session and local admin enumeration.SharpHound — In-Memory Execution
Load and run SharpHound entirely in memory (no disk drop).SharpHound — Artifact Cleanup
Remove output files after exfil.BloodHound.py — Stealth Options
DC-only — no host enumeration, no SMB sessions.Detection Signatures to Avoid
Skip session enumeration (very noisy, triggers EDR).NetSessionEnum (logged by Defender / Sysmon Event 7045).