Move To Cross OS Compatible Project #169

@fin3ss3g0d

It is about time for the SharpHound project to officially support a cross-OS-compatible collector or migrate to a cross-OS-compatible project altogether. It can be argued that native Windows C#/PowerShell is not the right choice for this project, despite the conveniences it brings. I will argue why a cross-OS-compatible version of SharpHound is now necessary given the modern endpoint security landscape:

  • Modern endpoint protection in Windows environments makes it increasingly difficult to perform SharpHound collections on the endpoint itself; shops have been executing it from non-domain-joined Windows systems for a while now to evade this problem. Even with DLL unhooking, ETW/AMSI patching with hardware breakpoints, and a lot of operational security, LDAP query bursts are still visible to the endpoint protection product, and EDR driver minifilters are increasingly difficult to evade, especially given the JSON files SharpHound produces and tries to drop on endpoints.
  • A lot of penetration testing teams only get authorization to deploy 1 Kali Linux device in a client environment, where they cannot run SharpHound due to its native Windows design.
  • Remote collection gathering is preferred for operational security and is really becoming a requirement for successful collections given the current endpoint security landscape. The current remote collection functionality in SharpHound relies on running it from a non-domain-joined Windows system; there is no Linux support for remote collection gathering and therefore no remote collector supported on Linux.
  • The community is already producing its own remote cross-OS-compatible collectors, and it is creating inconsistencies between the versions due to open source developers being in charge of maintaining them on different schedules.

For the penetration testing team that is only getting authorization to deploy 1 Kali Linux device, the inconsistencies between the remote cross-OS open source collectors create a situation where a team must put hours into a development cycle to add missing properties and features being added in the main SharpHound repository hosted by SpecterOps. Eventually, the community collectors will trump SpecterOps' version due to how many people need them. Consider helping the community out and supporting a cross-OS SharpHound moving forward that supports remote collection from Linux as well as Windows.
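The first bullet rests on the observation that a collector's LDAP query burst is visible to whoever is watching the directory or the endpoint. The following is an added, defender-side illustration of that point; it is not code from the issue author or from the SharpHound project. It assumes a hypothetical, constructed log format of one LDAP query per line (`timestamp client base_dn filter`) and a constructed sample with one quiet client and one client that fires an enumeration burst; the window size and threshold are arbitrary assumptions, not values from the page.

```python
"""Sliding-window detection of LDAP query bursts per client.

Added illustration (not SharpHound code). The log format and the
sample data below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one normal client and one bursty enumerator."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Quiet client: a single targeted lookup every 30 seconds.
    for i in range(10):
        t = base + timedelta(seconds=30 * i)
        lines.append(
            f"{t.isoformat()} 10.0.0.7 CN=Users,DC=corp,DC=local (sAMAccountName=jdoe)"
        )
    # Bursty client: 60 domain-wide object enumerations in six seconds.
    for i in range(60):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(
            f"{t.isoformat()} 10.0.0.5 DC=corp,DC=local (objectClass=user)"
        )
    return lines


def parse_line(line):
    """Split a hypothetical 'timestamp client base_dn filter' log line."""
    ts, client, base_dn, ldap_filter = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, base_dn, ldap_filter


def detect_ldap_bursts(lines, window=timedelta(seconds=10), threshold=20):
    """Return {client: peak_queries_in_window} for clients over threshold.

    Events are sorted by time; a per-client deque holds the timestamps
    inside the trailing window, so the peak deque length is the busiest
    window that client produced.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, client, _base_dn, _ldap_filter in events:
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:  # evict timestamps outside the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {client: n for client, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, count in detect_ldap_bursts(build_sample_log()).items():
        print(f"burst: {client} issued {count} LDAP queries within 10s")
```

The rate check is deliberately simple; in practice the base DN and filter fields carry the stronger signal (domain-root searches with broad `objectClass` filters look very different from a single `sAMAccountName` lookup), and combining both cuts false positives from legitimate but chatty applications.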
