By default, SharpHound Enterprise only collects data from the same domain the service account belongs to. However, it is possible to configure the collection scope to include domains trusting the service account domain.
When configuring a SharpHound Enterprise client, it is possible to specify additional domains to be collected by entering domain names in “Scope Collection to Multiple Domains”.
Alternatively, the SharpHound Enterprise client can collect from all domains trusting the service account domain by checking the option “Collect from all domains trusting the SharpHound service account, including transitively”. This option will also collect from trusting domains in other forests.
If selective authentication is enabled on a trust, the SharpHound Enterprise service account is not implicitly allowed to read the trusting domains; it must be explicitly granted read permissions on all AD objects in all domains of the targeted forest before collection can succeed.
Kerberos authentication works by default for all Active Directory trust types except external trusts. SharpHound Enterprise supports collection across external trusts via two mechanisms.
Administrators can enable Kerberos authentication across external trusts by adding the name of the other domain to the “Use forest search order” policy setting (Computer Configuration > Administrative Templates > System > KDC) on Domain Controllers.
We recommend deploying this setting to all Domain Controllers in domains with external trusts to avoid using the older and less secure NTLM authentication.
By default, SharpHound Enterprise only attempts Kerberos authentication for the LDAP connections it makes to Domain Controllers during Active Directory Structure Data collection. Unless that default is changed in the configuration file “settings.json”, collection across an external trust fails. The default path of the configuration file is described in SharpHound Enterprise Local Configuration.
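Before changing settings.json, it is worth confirming from the SharpHound server which bind type actually works against a Domain Controller on the far side of the trust. The following PowerShell probe is an added example written for this page, not code shipped with SharpHound Enterprise; it runs under the service account's context, binds to a DC once with Kerberos only (SharpHound's default) and once with Negotiate, and reports which succeeded. The DC name dc01.external.example is a placeholder, and the function name Test-LdapBind is this example's own.

```powershell
# Added example, not part of SharpHound Enterprise. Run this as the SharpHound service
# account (e.g. via a scheduled task or "runas") on the SharpHound server.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        # Placeholder: a Domain Controller in the trusting domain across the external trust.
        [Parameter(Mandatory)] [string] $Server,
        # Kerberos = what SharpHound does by default; Negotiate = Kerberos with NTLM fallback.
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.AuthType] $AuthType
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.AuthType = $AuthType
    # Request signing and sealing so the probe also passes DCs that enforce LDAP signing.
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    try {
        $conn.Bind()   # no explicit credential: binds as the account running the script
        [pscustomobject]@{ Server = $Server; AuthType = $AuthType; Result = 'Success'; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; AuthType = $AuthType; Result = 'Failed'; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$dc = 'dc01.external.example'   # placeholder DC name in the trusting domain

# Independently of LDAP, ask the KDC for a service ticket for that DC. If forest search
# order is working, a ticket for ldap/<dc> appears in the output; otherwise klist reports
# that the KDC could not locate the service principal.
klist get "ldap/$dc"

# Kerberos-only first, then Negotiate. Across an external trust without forest search
# order, expect: Kerberos -> Failed, Negotiate -> Success (via NTLM fallback).
foreach ($auth in 'Kerberos', 'Negotiate') {
    Test-LdapBind -Server $dc -AuthType $auth
}
```

If the Kerberos bind succeeds after the forest search order policy has been deployed, there is no need to enable NTLM fallback in settings.json at all; only if Kerberos keeps failing and Negotiate succeeds is the fallback actually being exercised.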
To enable support for auto-negotiation in LDAP connections:
If NTLM-fallback is enabled, we recommend denying outbound NTLM authentication from the SharpHound server to all servers except Domain Controllers in domains with external trust relationships, as described in SharpHound Service Hardening Guidelines in the NTLM cracking (and relaying) remediation section.
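The outbound NTLM restriction referred to above can be expressed as the two registry values behind the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” and “Add remote server exceptions for NTLM authentication” policies. The PowerShell below is an added example for this page, not content from the SharpHound Service Hardening Guidelines; it first runs a collection cycle in audit mode to enumerate every server the SharpHound host sends NTLM to, then switches to deny with only the named Domain Controllers as exceptions. The DC names are placeholders, Set-OutboundNtlmPolicy and Get-AuditedNtlmTargets are this example's own function names, and the parsing of the audit event assumes its message contains a “Target server:” field. Deploying the same values through Group Policy is preferable to writing the registry directly on a domain-joined host.

```powershell
# Added example, not part of SharpHound Enterprise documentation. Requires an elevated
# session on the SharpHound server. Registry equivalents of the "Restrict NTLM" policies:
#   RestrictSendingNTLMTraffic : 0 = Allow all, 1 = Audit all, 2 = Deny all
#   ClientAllowedNTLMServers   : REG_MULTI_SZ list of servers exempt from the deny
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutboundNtlmPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Audit', 'Deny')] [string] $Mode,
        [string[]] $AllowedServers = @()
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $lsaKey -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
    Get-ItemProperty -Path $lsaKey | Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers
}

function Get-AuditedNtlmTargets {
    # Event 8001 in Microsoft-Windows-NTLM/Operational records outgoing NTLM that audit
    # mode would have blocked. Assumption: the message carries a "Target server:" field.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
        } | Sort-Object -Unique
}

# Step 1: audit. Leave this in place for at least one full collection cycle.
Set-OutboundNtlmPolicy -Mode Audit

# Step 2: after the cycle, review where NTLM actually went. Anything other than a DC in a
# domain with an external trust is a misconfiguration to fix before enforcing.
Get-AuditedNtlmTargets

# Step 3: enforce. Placeholder DC names in the external-trust domain; everything else
# that tries NTLM from this host is now blocked.
$externalTrustDcs = @('dc01.external.example', 'dc02.external.example')
Set-OutboundNtlmPolicy -Mode Deny -AllowedServers $externalTrustDcs
```

With the deny in place, a later collection that silently falls back to NTLM against any host outside the exception list fails instead of sending the service account's NTLM response to an unexpected server, which is the relay and cracking exposure the hardening guidelines are addressing.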
The collection across a trust will fail if: