Deployment Process Overview
To collect Active Directory data with SharpHound and ingest it into BloodHound for analysis:

- Provision a server that meets or exceeds the recommended Hardware, Software, and Network requirements below.
- Create a Service Account or gMSA that SharpHound will run as, meeting the Service Account Requirements below.
- Install and Upgrade SharpHound Enterprise
- Create a BloodHound Enterprise collector client
- Run an On Demand Scan or Create a data collection schedule
Server Requirements
Hardware
| Resource | Minimum | Recommended | Large enterprise |
|---|---|---|---|
| Processor Cores | 2 physical cores | 4 physical cores | 6 physical cores |
| Memory | 4GB RAM | 16GB RAM | 32GB RAM |
| Hard disk space | 1GB for logging | 5GB for logging | 20GB for logging |
Software
- Windows Server 2019+
- .NET 4.7.2+
Network
- TLS on 443/TCP to your BloodHound Enterprise SaaS tenant URL (proxy is supported)
- LDAP to at least one domain controller in each domain requiring collection.
  - LDAP over SSL on 636/TCP (configurable port)
  - LDAP on 389/TCP (configurable port)
  - By default, SharpHound will attempt LDAP over SSL first, then fall back to LDAP if SSL is unavailable.
  - LDAP over SSL is enforceable.
  - LDAP channel signing is used for all queries.
- [Optional] If performing privileged collection (see Why perform privileged collection in SharpHound)
  - SMB/RPC on 445/TCP to all in-scope domain-joined Windows systems
  - Approximately 60-100kB network bandwidth per collection to each in-scope domain-joined Windows system
- [Optional] If performing DC Registry and CA Registry collection (see DC Registry and CA Registry details)
  - SMB/RPC on 445/TCP to all DCs and domain-joined CAs
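The following pre-flight script, added here as an example and not part of the BloodHound Enterprise documentation or of SharpHound itself, checks the Software and Network requirements above from the prospective SharpHound server. It assumes it is run as the intended service account on that server, that `$TenantHost` is replaced with your tenant URL host (the default is a placeholder), and that the tenant is reached directly rather than through a proxy.

```powershell
# Added pre-flight check for a SharpHound Enterprise server (example code, not part of
# the BloodHound Enterprise documentation or of SharpHound itself).
# Assumptions: run as the intended service account on the prospective server;
# $TenantHost is a placeholder for your tenant URL host; proxies are not exercised.
param(
    [string]$TenantHost = 'your-tenant.bloodhoundenterprise.io',   # placeholder
    [switch]$RegistryCollection   # also test 445/TCP to DCs (DC/CA Registry collection)
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$results = New-Object System.Collections.Generic.List[object]

function Add-Result($Check, $Target, $Port, $Ok) {
    $results.Add([pscustomobject]@{ Check = $Check; Target = $Target; Port = $Port; OK = $Ok })
}
function Test-Port($Target, $Port) {
    Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}
# A real LDAPS bind as the current account: proves TLS negotiates and the server
# certificate is trusted, which a bare port probe cannot show.
function Test-LdapsBind($Server) {
    try {
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$Server`:636")
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()          # throws if TLS fails or the account cannot authenticate
        return $true
    } catch { return $false }
}

# .NET Framework 4.7.2 or later reports a Release value of 461808 or higher
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -ErrorAction SilentlyContinue).Release
Add-Result '.NET 4.7.2+' 'localhost' $null ($release -ge 461808)

# TLS to the SaaS tenant on 443/TCP
Add-Result 'Tenant TLS' $TenantHost 443 (Test-Port $TenantHost 443)

# Discover the current domain's DCs via .NET (no RSAT needed). SharpHound tries LDAPS
# first and falls back to LDAP, so both are checked; repeat per domain requiring collection.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    Add-Result 'LDAPS port' $dc.Name 636 (Test-Port $dc.Name 636)
    Add-Result 'LDAPS bind' $dc.Name 636 (Test-LdapsBind $dc.Name)
    Add-Result 'LDAP port'  $dc.Name 389 (Test-Port $dc.Name 389)
    if ($RegistryCollection) { Add-Result 'SMB/RPC' $dc.Name 445 (Test-Port $dc.Name 445) }
}
$results | Format-Table -AutoSize
```

A failed "LDAPS bind" with a passing "LDAPS port" usually means the DC's certificate is not trusted by the server, which is the case that causes SharpHound's fallback to plain LDAP.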
Service Account Requirements
The SharpHound Enterprise service will run as a domain-joined account and will utilize the permissions of that account for enumeration purposes.

- Authenticated User within any domains requiring collection
- Granted “Log on as a service” User Rights Assignment on the SharpHound Enterprise server
- [Optional] If performing privileged collection (see Why perform privileged collection in SharpHound)
  - Member of the local Administrators group on all in-scope domain-joined Windows systems
- [Optional] If performing DC Registry and CA Registry collection (see DC Registry and CA Registry details)
  - Member of the local Administrators group on all domain controllers and domain-joined certificate authorities
- [Optional] If Active Directory tombstoning is enabled
  - Read privileges to the Deleted Objects container (see How to let non-administrators view the Active Directory deleted objects container)