Red team operators are often faced with the conundrum of running SharpHound and risking detection, or fighting the uphill battle of mapping Active Directory attack paths without BloodHound’s aid. In this talk, we’ll examine a workflow that grants operators granular control over the speed and depth of Active Directory enumeration, while still leveraging the power of BloodHound’s relationship mapping and Cypher queries. The discussion will also cover common SharpHound detection strategies and how to account for them when approximating a SharpHound data collection.