This page describes how to configure and run the SharpHound Community Edition collection tool using an Active Directory gMSA.

Overview of gMSAs

Group Managed Service Accounts (gMSA) are managed domain accounts that provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other objects.

Detailed software requirements from Microsoft are available here.

Microsoft gMSA documentation is available here.

Create a gMSA account

To create a gMSA account, start by preparing the domain.

  1. Log into a domain controller within the domain you want to create a gMSA.

  2. To validate whether the domain has a KDS Root Key configured, run:

    Get-KdsRootKey

    If there’s no result returned, the KDS Root Key has not been configured in the domain. Continue on to step 3.

    If there is a result returned, the KDS Root Key has already been configured in the domain. Skip step 3 and move on to Create the gMSA and password read group.

  3. Create the KDS Root Key.

    For a production environment, run:

    Add-KdsRootKey -EffectiveImmediately

    For a test environment, make the key available for immediate use by running:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Create the gMSA and password read group

Perform these steps from/against a writeable Domain Controller.

  1. Create a gMSA password read group for computers that should have access to the gMSA password.

    Browse to the desired location in Users and Computers and create the group. Alternatively, use this template to create the group using PowerShell:

$gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $pwdReadOUDN = "<DISGINGUISHED_NAME>" # Distinguished Name of OU to create the password read group in

    New-ADGroup `
    -Name "$($gmsaName)_pwdRead" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path $pwdReadOUDN `
    -Description "This group grants the rights to retrieve the password of the BloodHound data collector (SharpHound) gMSA '$gmsaName'." `
    -PassThru

  1. Add the SharpHound server that performs the Sharphound collections as a member of the gMSA password read group. This allows it to access the password of the gMSA and run the service.

    Add the computer to the group in Users and Computers. Alternatively, use this template to add group membership using PowerShell:

    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $shServerDN = "<DISGINGUISHED_NAME>" # Distinguished Name of the SharpHound Enterprise server

    Add-ADGroupMember `
    -Identity "$($gmsaName)_pwdRead" `
    -Members $shServerDN `
    -PassThru

    When viewing the changes on a Windows server with the GUI enabled, you can see the OUs and the t0_gMSA_SHS_pwdRead group you created.

  2. Create the gMSA and allow the password read group to retrieve its password.

    On a Domain Controller, use this template to create the gMSA and set the retrieve right using PowerShell:

    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA
    $gmsaOUDN = "<DISGINGUISHED_NAME>" # Distinguished Name of OU to create the gMSA in

    New-ADServiceAccount -Name $gmsaName `
    -Description "SharpHound service account for BloodHound" `
    -DNSHostName "$($gmsaName).$((Get-ADDomain).DNSRoot)" `
    -ManagedPasswordIntervalInDays 32 `
    -PrincipalsAllowedToRetrieveManagedPassword "$($gmsaName)_pwdRead" `
    -Enabled $True `
    -AccountNotDelegated $True `
    -KerberosEncryptionType AES128,AES256 `
    -Path $gmsaOUDN `
    -PassThru
    If you receive the error "_New-ADServiceAccount : Key does not exist_", try again in 10 hours. This allows all Domain Controllers to converge AD replication of the KDS root key.

Prepare the SharpHound server

  1. Restart the SharpHound Enterprise server so that the server’s membership of the `pwdRead` group takes effect.
  2. Grant the gMSA the “Log on as a service” User Rights Assignment on the SharpHound server. This can be done through `secpol.msc` or policy deployment methods like a GPO.
  3. (Optional) Test that the SharpHound server can retrieve the gMSA password. See Test the gMSA.

Test the gMSA

Optionally test the gMSA server to make sure that the gMSA is working.

  1. Check the status of the RSAT PowerShell module. On the SharpHound Enterprise server, open a PowerShell as an Administrator and run:

    Get-WindowsCapability -Name RSAT*

    If the Install State shows “Installed”, skip to step 2, otherwise run:

    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

  2. In the elevated PowerShell, test that the SharpHound server can retrieve the gMSA password by running:

    $gmsaName = "t0_gMSA_SHS" # Name of the gMSA

    Test-ADServiceAccount -Identity $gmsaName

The test is successful if the command responds with True.

Configure User Rights

As Sharphound is launched with a PowerShell script instead of running as a service, you need to grant the gMSA account the Log on as a batch job User Right instead of the Log on as Service User Right. Do this with the Local Security Policy or Group Policy.

Configure user permissions

The Active Directory details collected by SharpHound depend on the permissions that the user running SharpHound has within the Domain. A regular, non-privileged user can run Shaprhound and collect a significant amount of information, but some of the Edges can only be collected by users with elevated permissions within the Domain.

At this time there are two main paths that could give the SharpHound gMSA account the permissions needed to collect the required Active Directory information:

  • Method 1: Make the SharpHound gMSA account a member of the Local Administrators group on all computers in the domain.
  • Method 2: Make the SharpHound gMSA account a member of the Domain Admins group.

Using an account that has Domain Admins permissions enables the SharpHound executable to collect all of the possible pertinent information from Active Directory for the best possible analysis by BloodHound.

Implement gMSA account protections

Regardless of whether the permissions that are given to the SharpHound gMSA account are using Method 1 or Method 2, consider additional protections.

See SharpHound Enterprise Service Hardening to learn about protections you can implement to prevent the SharpHound gMSA account from being compromised and leveraged by an attacker.

The gMSA account should be a member of the Active Directory Protected Users group. Tiering the Sharphound gMSA account access is another methodology you can implement.

Configure the gMSA account as a Domain Admin

Add the gMSA account to the Domain Admins group.

The account has a $ at the end of it. Enter the account in this format when adding it to the Domain Admins group.

You should also add the gMSA account to the Protected Users group. If you’re not familiar with the Active Directory Protected Users groups, refer to the Microsoft Documentation. There are a number of benefits to using this group to protect privileged accounts from being vulnerable to NTLM Relay attacks and other credential attacks.

Create a SharpHound PowerShell script to run as a scheduled task

Create a PowerShell script to run SharpHound with a scheduled task.

Create a script

To create the script:

  1. Create a directory named Sharphound in the C:\Support directory.

  2. Create a sub-directory named Results in the C:\Support\Sharphound directory.

  3. Copy the Sharphound executable to the C:\Support\Sharphound directory on the server where the scheduled task runs (the Sharphound executable should be zipped in a password protected zip file so that it doesn’t get prevented by Microsoft Defender during the file transfer).

    The PowerShell script contains:

    • The full path to the SharpHound executable
    • The command line arguments that you want to pass to SharpHound
    • Redirection of the output to a log file
    • Deletion of files in the C:\Support\Sharphound\Results directory that are older than 2 months
$FileDateStamp = Get-Date -Format FileDateTime  
C:\Support\SharpHound\SharpHound.exe -c all --outputdirectory C:\Support\SharpHound\Results\ --zipfilename <DomainName>_BloodHound_gmsa.zip *> "C:\Support\SharpHound\Results\$FileDateStamp-<DomainName>_sharphound-gmsa.log"  
  
$Folder = "C:\Support\Sharphound\Results"  
  
#Delete files older than 2 months  
Get-ChildItem $Folder -Recurse -Force -ea 0 |  
? {!$_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-60)} |  
ForEach-Object {  
   $_ | del -Force  
   $_.FullName | Out-File "C:\Support\Sharphound\$FileDateStamp-deletedlog.txt"  
   }

  1. Save the PowerShell script named Sharphound_Collection.ps1 to the C:\Support\Sharphound directory.

  2. Modify the names of the base —zipfilename and the log file for each specific domain where this is deployed.

The resulting directory structure should resemble:

The resulting SharpHound_Collection.ps1 PowerShell script should resemble:

Create a scheduled task

To create the scheduled task, choose the PowerShell method or the GUI method. The PowerShell method is the easiest way to create the scheduled task.

To create the scheduled task with PowerShell:

  1. Run these PowerShell commands, modifying files names and domain names as necessary:

    $arg = "-ExecutionPolicy ByPass -NoProfile -File C:\Support\SharpHound\Sharphound_Collection.ps1"  
$ta = New-ScheduledTaskAction -Execute C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -Argument $arg  
$tt = New-ScheduledTaskTrigger -At 9:00 -Weekly -DaysOfWeek Monday  
$ap = New-ScheduledTaskPrincipal -UserID 2022TESTING\t0_gMSA_SHS$ -LogonType Password   
Register-ScheduledTask SharpHoundCollection –Action $ta –Trigger $tt –Principal $ap

  2. Construct the PowerShell commands needed for your environment in preparation for executing them in an elevated PowerShell shell.

  3. Copy and paste the PowerShell commands into the elevated PowerShell shell to create the scheduled task.

  4. After refreshing the Scheduled Tasks MMC, you should see the newly created scheduled task that runs as the gMSA account.

To create the scheduled task with the GUI:

  1. Open the Scheduled Tasks MSC on the SharpHound server and create a scheduled task. In the example shown below, the scheduled task name is SharpHound.

  2. Configure the scheduled task to run on the desired schedule.

  3. Configure the scheduled task with this Action:

    • Program / script: powershell.exe
    • Arguments: -ExecutionPolicy ByPass -File C:\Support\SharpHound.ps1

  4. Click OK on the Edit Action.

  5. Configure the scheduled task to run as a standard user account at this time.

  6. Click OK on the scheduled task to complete the creation.

  7. Provide the password for the standard user account when prompted and click OK.

You should now have a scheduled task to run SharpHound created.

Modify the scheduled task to run as the gMSA account

At this point you should see the scheduled task setup to run using the user account you previously configured.

Run this following command to modify the scheduled task to run as the gMSA account:

schtasks /change /TN \SharpHound /RU 2022TESTING\t0_gMSA_SHS$ /RP

An alternate PowerShell method of modifying the scheduled task to run as the gMSA account:

New-ScheduledTaskPrincipal -Id SharpHound -UserID Domain\GMServiceAccount$ -LogonType Password -RunLevel Highest

You should see a message stating that command was successful.

If you open the scheduled task you should see that the account it will run as is the gMSA account.

Test the SharpHound scheduled task

To test the scheduled task running as the gMSA account, right click on the scheduled task and click Run.

When completed, a zip file should appear with the results.

Thank you to @robertstrom for your contribution and permission in modifying your original docs for inclusion in BloodHound’s documentation for other users!