.NET Assembly: SharpHound

Explanation of command line options:

--NoSaveCache = Don't save the .bin cache file to disk. Helps prevent EDR/AV detection.

--ZipFileName = ZIP the output under the given file name. Helps you know when the execution is done.

Run "ps" right after running SharpHound and find the PID whose PPID is your beacon. That way you can monitor it to see if SharpHound dies.

--StatusInterval = How often to display progress, in milliseconds. Default = 30000 (30 seconds)

Example: SharpHound through Cobalt Strike execute-assembly:

  • These commands use the version of SharpHound currently in the Pipeline (2022-04-04)
    --CollectionMethod DCOnly --NoSaveCache --ZipFileName bh_08-18_1606.zip
    --CollectionMethod All --NoSaveCache --ZipFileName bh_08-18_1606.zip
    --CollectionMethod Session --Loop --NoSaveCache --ZipFileName bh_08-18_1606.zip

PowerShell - Invoke-BloodHound

  1. DCOnly collection methods (marginally stealthy):
     Invoke-BloodHound -CollectionMethod DCOnly -NoSaveCache -RandomFilenames -EncryptZip
  2. All collection methods (not at all stealthy):
     Invoke-BloodHound -CollectionMethod All -NoSaveCache -RandomFilenames -EncryptZip
  3. Session loop:
     Invoke-BloodHound -CollectionMethod Session -Loop
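
The option sets above as a defender would look for them, in an added example that is not part of the original page or of SharpHound itself: Python code that parses command text (for instance from process-creation or PowerShell script block logs) and reports the collection method and the options used. The function names, the grouping of options and the sample lines are assumptions of this example.

```python
import re

# Option names as they appear on this page. Matching is case-insensitive and
# accepts both the SharpHound "--Option" and the PowerShell "-Option" spelling.
PAGE_OPTS = ("NoSaveCache", "ZipFileName", "StatusInterval", "Loop",
             "RandomFilenames", "EncryptZip")
# Grouping these three as detection-avoidance options is this example's
# assumption; the page states that purpose only for NoSaveCache.
OPSEC_OPTS = ("NoSaveCache", "RandomFilenames", "EncryptZip")
TOOL = re.compile(r"sharphound|invoke-bloodhound", re.I)
# An option token, optionally followed by a value that does not start with "-".
OPT = re.compile(r"(?<![\w-])--?([A-Za-z]+)(?:[ =:]+(?!-)(\S+))?")


def parse_options(text):
    """Map each lower-cased option name to its value (None for bare switches)."""
    return {m.group(1).lower(): m.group(2) for m in OPT.finditer(text)}


def classify(text):
    """Return a finding for a SharpHound-style collection command, else None."""
    opts = parse_options(text)
    method = opts.get("collectionmethod")
    if not method:
        return None
    named = bool(TOOL.search(text))
    if not named and not any(o.lower() in opts for o in PAGE_OPTS):
        return None  # a lone CollectionMethod option is too weak a signal
    return {
        "method": method,
        "loop": "loop" in opts,
        "opsec": [o for o in OPSEC_OPTS if o.lower() in opts],
        "zip": opts.get("zipfilename"),
        "named_tool": named,
    }


# Constructed sample lines (paths and the unrelated commands are made up).
SAMPLES = [
    r"C:\Temp\SharpHound.exe --CollectionMethod All --NoSaveCache --ZipFileName bh_08-18_1606.zip",
    "Invoke-BloodHound -CollectionMethod DCOnly -NoSaveCache -RandomFilenames -EncryptZip",
    "--CollectionMethod Session --Loop --NoSaveCache --ZipFileName bh_08-18_1606.zip",
    r"backup.exe --CollectionMethod Full",
    r"Get-ChildItem -Path C:\Users -Recurse",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

The third sample carries no tool name, so it is matched on the option combination alone; renamed binaries and wrapper scripts are the case that branch covers.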

See Also