# SharpHound Data Collection and Permissions

> Learn how to collect data.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

SharpHound data collection utilizes the open-source [SharpHound Common](https://github.com/SpecterOps/SharpHoundCommon) library, maintained by the BloodHound Enterprise Engineering team.

The scan types in SharpHound Enterprise and SharpHound Community Edition are named differently but effectively collect the same data.

* BloodHound Enterprise scan types can be started with a [collection schedule](/collect-data/enterprise-collection/collection-schedule) or an [on-demand scan](/collect-data/enterprise-collection/on-demand-scan)
* In BloodHound Community Edition, you run scans with the [CollectionMethods flag](https://bloodhound.specterops.io/collect-data/ce-collection/sharphound-flags#enumeration-options)

This article details all BloodHound Enterprise scan types and the required service account permissions.

SpecterOps recommends collecting all data types because it provides maximum visibility into your environment. Local Group Memberships and Sessions are especially important, as they reveal Attack Paths to individual systems that arise from non-centralized configurations; see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection).

<Warning>The SharpHound collection service account does not require `Domain Admin` membership. While adding the account to local `Administrators` groups on domain computers will work, we recommend following the articles [Least-Privileged Collection](/collect-data/enterprise-collection/least-privileged-collection) (referenced below for each scan type) and [SharpHound Enterprise Service Hardening](/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening).</Warning>

## Active Directory Structure Data

Information about the objects and relationships within your Active Directory environment makes up the basic information necessary to identify attack paths within your environment.

This information includes:

* Domain trusts.
* Object properties of users, groups, computers, GPOs, OUs, containers, and Domain objects.
* ACLs related to users, groups, computers, GPOs, OUs, containers, and Domain objects.
* Enumerated objects contained in every OU, container, and Domain.
* Enumerated memberships of all Groups.

Reference: [Current Object Properties collected by SharpHound](https://github.com/SpecterOps/SharpHoundCommon/blob/68a68c6eab5375b46f975274b16ff1acdc35dc48/src/CommonLib/LdapQueries/CommonProperties.cs).

**Collection Method:** SharpHound collects this information utilizing signed LDAP queries against a domain controller in the domain.

**Default Permissions:** By default, all `Authenticated Users` may query almost all of the Active Directory data utilized by BloodHound via LDAP. Higher privileges are required for some objects; see **Least-Privileged Option**.

**Least-Privileged Option:** For information on how to collect all objects with least privilege, see [Least-Privileged Collection - AD Structure Data](/collect-data/enterprise-collection/least-privileged-collection#ad-structure-data).

**Additional Data Sources:** (Optional) Deleted Objects Container: SharpHound can read the contents of the Deleted Objects container (also known as the AD Recycle Bin). By default, SharpHound cannot read the Deleted Objects container, but read access can be delegated. Collecting deleted objects affects data retention behavior in BloodHound Enterprise, see [Active Directory Recycle Bin](/collect-data/enterprise-collection/data-retention#active-directory-recycle-bin) for details. For delegation configuration, see [Least-Privileged Collection - AD Structure Data](/collect-data/enterprise-collection/least-privileged-collection#ad-structure-data).

## Local Groups / NTLM

### Local Group Membership

Members of the following groups are enumerated:

* Administrators
* Remote Desktop Users
* Distributed COM Users
* Remote Management Users

**Collection Method:** SharpHound collects this information utilizing [Remote SAM Enumeration](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).

**Default Permissions:** By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 require `Administrator` access to perform `Remote SAM` operations.

**Least-Privileged Option:** This setting may be overridden with Group Policy to allow non-administrative collection. For detailed configuration steps using the "Network access: Restrict clients allowed to make remote calls to SAM" setting, see [Least-Privileged Collection - Local Group Membership](/collect-data/enterprise-collection/least-privileged-collection#local-group-membership).
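A quick way to audit what a given host currently allows, as an added example that is not SharpHound code: the "Network access: Restrict clients allowed to make remote calls to SAM" policy is backed by the REG_SZ value `RestrictRemoteSAM` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which holds an SDDL string. The script reads that value through the Remote Registry service (assumed reachable from where you run it), substitutes the Windows built-in default when the value is absent, and lists the principals that are granted remote SAM access. The computer name `srv01` is a placeholder.

```powershell
# Added example (not SharpHound code): report who may make remote SAM calls to a host.
# Default when RestrictRemoteSAM is not set (Windows 10 1607+/Server 2016+): Administrators only.
function Get-RemoteSamPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $builtinDefault = 'O:BAG:BAD:(A;;RC;;;BA)'
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $lsa  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $sddl = $lsa.GetValue('RestrictRemoteSAM')
    } finally {
        $base.Close()
    }

    $configured = $null -ne $sddl
    if (-not $configured) { $sddl = $builtinDefault }

    # ConvertFrom-SddlString resolves SIDs to names; RC (READ_CONTROL) is the right SAM-R needs.
    $parsed = ConvertFrom-SddlString -Sddl $sddl
    [pscustomobject]@{
        ComputerName      = $ComputerName
        ExplicitlySet     = $configured
        Sddl              = $sddl
        AllowedPrincipals = @($parsed.DiscretionaryAcl | Where-Object { $_ -match 'AccessAllowed' })
    }
}

# Usage: a least-privileged collector group should appear here; Domain Users or Everyone should not.
Get-RemoteSamPolicy -ComputerName 'srv01' | Format-List
```

Run it against a sample of workstations and servers after deploying the GPO described in the linked article to confirm the ACE for the collection account is present and that no broader principals were granted access along the way.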

### User Rights Assignments

User Rights Assignments (URAs) in Windows define what privileges and capabilities security principals have on a system, independent of group membership. Collecting User Rights Assignments allows BloodHound to accurately determine the [CanRDP](/resources/edges/can-rdp) edge. Before SharpHound Common v3, BloodHound made assumptions based solely on group membership—assuming that membership in the `Remote Desktop Users` group alone gives users the ability to RDP to a system. However, to successfully use Remote Desktop, a user needs **both** membership in the `Remote Desktop Users` group **and** the User Rights Assignment `SeRemoteInteractiveLogonRight`.

**Collection Method:** SharpHound collects this information utilizing the [LsaOpenPolicy](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy) function.

**Required Permissions:** Only local `Administrators` may call the `LsaOpenPolicy` function.

**Least-Privileged Option:** There is currently no known method to delegate this permission for least-privileged collection; see [Least-Privileged Collection - User Rights Assignments](/collect-data/enterprise-collection/least-privileged-collection#user-rights-assignments) for more details on the implications.

### NTLM

SharpHound collects various registry values related to NTLM from the registry paths `SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, `SYSTEM\CurrentControlSet\Control\Lsa\`, and `SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` to create the `CoerceAndRelayNTLMTo*` edges.

**Collection Method:** SharpHound reads these registry values via WMI first and falls back to remote registry if WMI access fails.

**Default Permissions:** By default, reading these registry values requires membership in the local `Administrators` group on the target systems.

**Least-Privileged Option:** Delegation is possible via Group Policy or registry modifications, see [Least-Privileged Collection - NTLM Relay Registry Paths](/collect-data/enterprise-collection/least-privileged-collection#ntlm-relay-registry-paths).
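The following is an added example, not SharpHound code, of the same access pattern used as a defender-side check: it reads a handful of NTLM-related DWORD values from the three key paths named above, first via WMI (`StdRegProv` over DCOM) and, if that fails, via the Remote Registry service. The page names only the key paths; the specific value names (`LmCompatibilityLevel`, `NtlmMinClientSec`, `NtlmMinServerSec`, `RestrictSendingNTLMTraffic`, `RestrictReceivingNTLMTraffic`, `RequireSecuritySignature`) are this example's selection of well-known NTLM hardening settings, and `srv01` is a placeholder host name.

```powershell
# Added example (not SharpHound code): read NTLM-related registry values remotely,
# WMI first with Remote Registry as failover, mirroring the collection order described above.
function Get-NtlmRegistryValues {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Value names are this example's selection; the page names only the key paths.
    $targets = @(
        @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';        Name = 'LmCompatibilityLevel' }
        @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NtlmMinClientSec' }
        @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NtlmMinServerSec' }
        @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictSendingNTLMTraffic' }
        @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictReceivingNTLMTraffic' }
        @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature' }
    )
    $HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE as StdRegProv expects it
    $session = $null; $base = $null

    try {
        try {
            # First attempt: WMI (StdRegProv over DCOM).
            $opt = New-CimSessionOption -Protocol Dcom
            $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
            $method = 'WMI'
            $reader = {
                param($Key, $Name)
                $r = Invoke-CimMethod -CimSession $session -Namespace 'root/default' -ClassName StdRegProv `
                    -MethodName GetDWORDValue -Arguments @{ hDefKey = $HKLM; sSubKeyName = $Key; sValueName = $Name }
                if ($r.ReturnValue -eq 0) { $r.uValue } else { $null }
            }
        } catch {
            # Failover: Remote Registry service (RPC).
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
            $method = 'RemoteRegistry'
            $reader = {
                param($Key, $Name)
                $k = $base.OpenSubKey($Key)
                if ($k) { $k.GetValue($Name) } else { $null }
            }
        }

        foreach ($t in $targets) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                Method       = $method
                Key          = $t.Key
                Name         = $t.Name
                Value        = & $reader $t.Key $t.Name   # $null: value not set, so the OS default applies
            }
        }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
        if ($base)    { $base.Close() }
    }
}

Get-NtlmRegistryValues -ComputerName 'srv01' | Format-Table -AutoSize
```

A `$null` value means the setting is not explicitly configured and the OS default applies, which is exactly the case a collector has to interpret rather than treat as missing data. The `Method` column tells you which access path succeeded, which is useful when you are tuning firewall rules or the delegated registry permissions described in the linked least-privilege article.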

## Sessions

SharpHound collects active session information to identify abusable sessions on domain-joined systems. These sessions are vulnerable to [OS Credential Dumping](https://attack.mitre.org/techniques/T1003/001/) from tools such as [Mimikatz](https://github.com/ParrotSec/mimikatz).

**Collection Method:** SharpHound collects this information utilizing the [NetWkstaUserEnum](https://learn.microsoft.com/en-us/windows/win32/api/lmwksta/nf-lmwksta-netwkstauserenum) function.

**Default Permissions:** Members of the local `Administrators` group may call this function.

**Least-Privileged Options:**

* On Windows Server operating systems, members of the local `Print Operators` group may also collect session data
* Windows desktop operating systems do not have a local `Print Operators` group and require alternate approaches

<Warning>When using `Print Operators` for collection, you should remove dangerous default User Rights Assignments (`SeInteractiveLogonRight`, `SeLoadDriverPrivilege`, `SeShutdownPrivilege`) from this group to prevent privilege escalation on DCs.</Warning>

For detailed configuration instructions, including how to safely configure `Print Operators`, see [Least-Privileged Collection - Sessions](/collect-data/enterprise-collection/least-privileged-collection#sessions).

## Certificate Services

Information about the Active Directory Certificate Service hierarchy within your Active Directory environment makes up the basic information necessary to identify ADCS attack paths within your environment. This information includes:

* Certificate Templates
* Root CAs
* Enterprise CAs

**Collection Method:** SharpHound collects this information utilizing signed LDAP queries against a domain controller in the domain.

**Default Permissions:** By default, `Authenticated Users` can enumerate almost all Certificate Services data utilized by BloodHound Enterprise.

**Additional Data Sources:** Two additional types of data can enhance the findings - [DC Registry](/collect-data/permissions#dc-registry) and [CA Registry](/collect-data/permissions#ca-registry).

## CA Registry

SharpHound collects the following registry key values on enterprise CAs stored under `SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>`:

* **EnrollmentAgentRights**: Contains restrictions for enrollment agents. BloodHound will take the restrictions into account when calculating ADCS ESC3 edges, and assume no restrictions if not collected, as no restrictions are configured by default.
* **Security**: Contains the security descriptor for the enterprise CA (i.e., the permissions for Enroll, ManageCA, and ManageCertificates edges against the enterprise CA). This security descriptor is also stored in the AD object of the enterprise CA. SharpHound collects both. The CA registry security descriptor holds the effective permissions. Changes to the CA registry security descriptor are replicated to the AD copy, but not the other way around. Therefore, collecting the CA registry security descriptor may reveal permissions on the enterprise CA that are not visible if only the AD object is collected.
* **PolicyModules\\\<Active Policy>\EditFlags**: SharpHound checks if the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is present, which is required to calculate ADCS ESC6 edges.
* **RoleSeparationEnabled**: SharpHound checks whether role separation is enforced (a user cannot be both CA Administrator and Certificate Manager).

The registry key values are described in detail in the [Certified Pre-Owned whitepaper](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).

**Collection Method:** SharpHound collects these registry key values via remote registry access on enterprise CAs.

**Default Permissions:** `Authenticated Users` may collect these registry key values by default, see [Least-Privileged Collection - CA Registry](/collect-data/enterprise-collection/least-privileged-collection#ca-registry) for an explanation of why this is accessible.
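To see what these four values look like on a CA before BloodHound interprets them, here is an added example that is not SharpHound code. It is meant to be run locally on the enterprise CA (it reads the local `HKLM` hive with `Get-ItemProperty`; SharpHound reads the same keys remotely). It resolves the active policy module from the `Active` value under `PolicyModules`, tests `EditFlags` for `EDITF_ATTRIBUTESUBJECTALTNAME2` (flag value `0x00040000`), and decodes the binary `Security` descriptor into principals and CA rights using the CA-specific access-mask bits from `certadm.h` (`0x1` ManageCA, `0x2` ManageCertificates, `0x100` Read, `0x200` Enroll). The CA name `corp-CA01-CA` is a placeholder.

```powershell
# Added example (not SharpHound code): decode the CA registry values discussed above.
function Get-CaRegistryConfig {
    param([Parameter(Mandatory)][string]$CaName)

    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # policy-module flag relevant to ESC6
    # CA-specific access-mask bits (certadm.h); Security is a self-relative security descriptor.
    $caRights = @{ 0x1 = 'ManageCA'; 0x2 = 'ManageCertificates'; 0x100 = 'Read'; 0x200 = 'Enroll' }

    $cfg  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $root = Get-ItemProperty -Path $cfg -ErrorAction Stop
    $activePolicy = (Get-ItemProperty -Path "$cfg\PolicyModules").Active
    $editFlags    = [int](Get-ItemProperty -Path "$cfg\PolicyModules\$activePolicy").EditFlags

    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$root.Security, 0)
    $acl = foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = foreach ($bit in ($caRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $caRights[$bit] }
        }
        $sid = $ace.SecurityIdentifier
        [pscustomobject]@{
            AceType   = $ace.AceType
            Principal = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value })
            Rights    = $rights -join ','
        }
    }

    [pscustomobject]@{
        CaName                    = $CaName
        RoleSeparationEnabled     = [bool]$root.RoleSeparationEnabled
        EnrollmentAgentRestricted = $null -ne $root.EnrollmentAgentRights   # absent = no restrictions (default)
        ActivePolicyModule        = $activePolicy
        EditFlags                 = '0x{0:X}' -f $editFlags
        SanFromRequestAllowed     = [bool]($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
        Acl                       = $acl
    }
}

# Usage on the CA host; the CA name is a placeholder for your own.
Get-CaRegistryConfig -CaName 'corp-CA01-CA' | Format-List
```

Comparing the `Acl` output with the security descriptor on the CA's AD object is a direct way to observe the one-way replication described above: rights granted only in the registry copy are the ones that would be missed by an AD-only collection.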

## DC Registry/LDAP Services

### DC Registry

SharpHound collects the registry values `Kdc\StrongCertificateBindingEnforcement` and `Schannel\CertificateMappingMethods` (described [here](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16)) to determine the allowed certificate mapping methods on domain controllers (DCs). The BloodHound ADCS edges ESC6, ESC9, and ESC10 require this data to be collected.

SharpHound Enterprise additionally collects the `VulnerableChannelAllowList` value under `SYSTEM\CurrentControlSet\Services\Netlogon\Parameters` (described [here](https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#theGroupPolicy)) to determine which accounts are allowed to use Netlogon secure channel connections without secure RPC.

**Collection Method:** SharpHound collects these registry key values via remote registry access.

**Default Permissions:** Collecting these registry key values requires membership in `Administrators` on the DCs by default.

**Least-Privileged Option:** Delegation is possible via Group Policy or registry modifications, see [Least-Privileged Collection - DC Registry](/collect-data/enterprise-collection/least-privileged-collection#dc-registry).
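As an added example that is not SharpHound code, the script below reads the three DC values named above on the local domain controller and interprets them. The full key paths are taken from the linked Microsoft articles: `StrongCertificateBindingEnforcement` lives under `HKLM\SYSTEM\CurrentControlSet\Services\Kdc`, `CertificateMappingMethods` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`, and `VulnerableChannelAllowList` under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`. The meaning of the values (enforcement modes 0/1/2 and the mapping-method bitmask, where `0x1`, `0x2` and `0x4` are the weak mappings) follows KB5014754.

```powershell
# Added example (not SharpHound code): interpret the DC certificate-mapping and Netlogon values.
function Get-DcCertificateMappingConfig {
    $kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
    $sch = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -ErrorAction SilentlyContinue
    $nl  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

    # StrongCertificateBindingEnforcement: 0 disabled, 1 compatibility (weak mappings still accepted), 2 full enforcement.
    $sbe = $kdc.StrongCertificateBindingEnforcement
    $modes = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'FullEnforcement' }
    if ($null -eq $sbe) { $sbeText = 'NotSet (OS default applies)' } else { $sbeText = $modes[[int]$sbe] }

    # CertificateMappingMethods is a bitmask of allowed Schannel mappings; 0x1, 0x2, 0x4 are the weak ones.
    $methods = @{ 0x1 = 'Subject/Issuer'; 0x2 = 'Issuer'; 0x4 = 'UPN'; 0x8 = 'S4U2Self'; 0x10 = 'S4U2SelfExplicit' }
    $cmm = $sch.CertificateMappingMethods
    if ($null -eq $cmm) {
        $cmmHex = $null; $cmmText = 'NotSet (OS default applies)'; $weak = $false
    } else {
        $cmmHex  = '0x{0:X}' -f $cmm
        $cmmText = ($methods.Keys | Sort-Object | Where-Object { ($cmm -band $_) -ne 0 } | ForEach-Object { $methods[$_] }) -join ','
        $weak    = ($cmm -band 0x7) -ne 0
    }

    [pscustomobject]@{
        ComputerName                        = $env:COMPUTERNAME
        StrongCertificateBindingEnforcement = $sbe
        EnforcementMode                     = $sbeText
        CertificateMappingMethods           = $cmmHex
        AllowedMappingMethods               = $cmmText
        WeakSchannelMappingsAllowed         = $weak
        VulnerableChannelAllowList          = $nl.VulnerableChannelAllowList   # SDDL string; $null = no exceptions
    }
}

# Usage: run on each DC (or via a remoting session to it).
Get-DcCertificateMappingConfig | Format-List
```

A DC reporting `Compatibility` mode or `WeakSchannelMappingsAllowed = True` is one where the ESC9 and ESC10 edges BloodHound computes from this data remain meaningful; once every DC is in `FullEnforcement` with only the `S4U2Self*` mappings allowed, those edges should disappear from the graph after the next collection.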

### LDAP Services

SharpHound collects LDAP service configuration information from domain controllers.

**Collection Method:** By default, SharpHound collects this information by performing NTLM authentication tests against all domain controllers on ports 389 (LDAP) and 636 (LDAPS).

**Default Permissions:** No special directory permissions are required beyond valid domain credentials and network access.
