Skip to main content

Documentation Index

Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt

Use this file to discover all available pages before exploring further.

Applies to BloodHound Enterprise only The SharpHound Enterprise service is a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis. SharpHound Enterprise is deployed as a signed Windows service, runs under the context of a domain account, and collects from one or more domains utilizing the configured service account.

Deployment Process Overview

To collect Active Directory data with SharpHound and ingest it into BloodHound for analysis:
  1. Provision a Server that meets or exceeds the recommended Hardware, Software, and Network requirements below.
  2. Create a Service Account or gMSA that SharpHound will run as with the Service Account Requirements below.
  3. Install and Upgrade SharpHound Enterprise
  4. Create a BloodHound Enterprise collector client
  5. Run an On Demand Scan or Create a data collection schedule

Server Requirements

Hardware

ResourceMinimumRecommendedLarge enterprise
Processor Cores2 physical cores4 physical cores6 physical cores
Memory4GB RAM16GB RAM32GB RAM
Hard disk space1GB for logging5GB for logging20GB for logging
These recommendations should be considered a baseline and may need to be increased depending on the size and complexity of your environments.
Minimums apply to test or development deployments. Where multiple collectors are deployed on a single host, scaling will be necessary to maintain performance.

Software

  • Windows Server 2019+
  • .NET 4.7.2+

Network

  • TLS on 443/TCP to your BloodHound Enterprise SaaS tenant URL (proxy is supported)
  • LDAP to at least one domain controller in each domain requiring collection.
    • By default, SharpHound will attempt LDAP over SSL first, then fall back to LDAP if SSL is unavailable.
      • LDAP over SSL on 636/TCP (configurable port)
      • LDAP on 389/TCP (configurable port)
    • LDAP over SSL is enforceable.
    • LDAP channel signing is used for all queries.
  • [Optional] If performing privileged collection (see Why perform privileged collection in SharpHound)
    • SMB/RPC on 445/TCP to all in-scope domain-joined Windows systems
    • SMB/RPC on 135/TCP to all in-scope domain-joined Windows systems for NTLM relay-based collection
    • Approximately 60-100kB network bandwidth per collection to each in-scope domain-joined Windows system
  • [Optional] If performing DC Registry and CA Registry collection (see DC Registry and CA Registry details)
    • SMB/RPC on 445/TCP to all DCs and domain-joined CAs

Service Account Requirements

Run the SharpHound Enterprise service under a domain-joined account that has the Log on as a service User Rights Assignment on the SharpHound Enterprise server. This account can be a traditional user account or a Group Managed Service Account (gMSA). The service account needs permissions to collect data from your target domains and domain-joined systems as detailed in SharpHound Data Collection and Permissions. We recommend following SharpHound Enterprise Service Hardening.
The SharpHound collection service account does not require Domain Admin membership.
Data typeDefault permissionsLeast-privileged option
Active Directory StructureAuthenticated Users can read most required data via LDAPDelegate additional read permissions where needed (for example, restricted AD objects and dMSA)
Local Group MembershipLocal AdministratorsDelegate Remote SAM access with Group Policy configuration
User Rights AssignmentsLocal AdministratorsNo known delegation path today
NTLMLocal AdministratorsDelegate registry access with Group Policy or registry configuration
SessionsLocal AdministratorsOn Windows Server, Print Operators can be used; Windows desktops still require local Administrators
Certificate ServicesAuthenticated Users can collect most ADCS LDAP dataAlready least-privileged by default for LDAP-collected certificate services data
CA RegistryAuthenticated Users can collect CA registry data when AD CS is installedNo additional delegation is typically required
DC RegistryLocal Administrators on domain controllersDelegate access via Group Policy or registry configuration for required paths
If Active Directory tombstoning is enabled, the service account must also have read permissions on the deleted objects container.

Integrated Windows Authentication (IWA)

If you want to use IWA for SharpHound, the following additional requirements apply:
  • Active Directory Federation Services (ADFS) server must be accessible in your network environment
    Both the system running SharpHound and the BloodHound Enterprise tenant require network connectivity to the ADFS server
  • Service account must be configured in ADFS to support Windows authentication for SharpHound
  • Client ID property must be registered in ADFS (provided during collector client creation)
  • Local SharpHound configuration must include IWA-specific properties in the settings.json file