SharpHound Enterprise Cross-Trust Collection

This article applies to BloodHound Enterprise (BHE).

By default, SharpHound Enterprise only collects data from the same domain the service account belongs to. However, it is possible to configure the collection scope to include domains trusting the service account domain.

Configure SharpHound Enterprise Client for Cross-Trust Collection

When configuring a SharpHound Enterprise client, it is possible to specify additional domains to be collected by entering domain names in "Scope Collection to Multiple Domains".

Alternatively, the SharpHound Enterprise client can collect from all domains trusting the service account domain by checking the option "Collect from all domains trusting the SharpHound service account, including transitively". This option will also collect from trusting domains in other forests.

The collection across a trust will fail if:

  • The Kerberos encryption types supported on the two sides of the trust (domains or forests) have none in common.
  • Authentication has been restricted, e.g., using authentication policy silos or IPSec.
  • There is no network access from the SharpHound server to the trusting domain's DCs and domain-joined Windows systems in scope for privileged collection.
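As an added preflight check (not part of this article or of SharpHound itself), the following PowerShell walks every trust that points toward the service account domain and tests it against the three failure conditions above before the cross-trust option is enabled. It assumes the RSAT ActiveDirectory module is installed on the SharpHound server, that it runs as the service account, and that TCP 88, 389 and 445 are the minimum ports required; the port list and the script as a whole are assumptions, not a SpecterOps recommendation.

```powershell
# Added preflight check, not SpecterOps/SharpHound code. Run on the SharpHound
# Enterprise server as the SharpHound service account before enabling
# "Collect from all domains trusting the SharpHound service account".
# Assumes the RSAT ActiveDirectory module; the port list is an assumption.
Import-Module ActiveDirectory

$ports = @(88, 389, 445)   # Kerberos, LDAP, SMB (assumed minimum for DC and privileged collection)

# Trusts whose remote side trusts this domain appear as Inbound or BiDirectional here.
$trusts = Get-ADTrust -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.Direction -ne 'Outbound' }

$ready = @()
foreach ($t in $trusts) {
    $ok = $true
    Write-Host "== $($t.Target) (direction: $($t.Direction); forest transitive: $($t.ForestTransitive))"

    # 1. Kerberos encryption types: with neither AES nor RC4 enabled on the trust,
    #    referral tickets cannot be issued and collection fails.
    if (-not $t.UsesAESKeys -and -not $t.UsesRC4Encryption) {
        Write-Warning ("   no AES/RC4 on trust object; msDS-SupportedEncryptionTypes = {0}" -f $t.'msDS-SupportedEncryptionTypes')
        $ok = $false
    }

    # 2. Authentication restrictions. Selective authentication is visible on the trust;
    #    authentication policy silos and IPSec are not and must be checked on the remote side.
    if ($t.SelectiveAuthentication) {
        Write-Warning "   selective authentication is on; the service account needs 'Allowed to Authenticate' on in-scope hosts"
        $ok = $false
    }

    # 3. Network reachability of a DC in the trusting domain on the required ports.
    try {
        $dc = (Get-ADDomainController -DomainName $t.Target -Discover -ErrorAction Stop).HostName[0]
        foreach ($p in $ports) {
            if (-not (Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue)) {
                Write-Warning "   $dc does not answer on TCP/$p"
                $ok = $false
            }
        }
    } catch {
        Write-Warning "   could not locate a DC for $($t.Target): $($_.Exception.Message)"
        $ok = $false
    }

    if ($ok) { $ready += $t.Target }
}

# Domains that passed can be pasted into "Scope Collection to Multiple Domains".
Write-Host "Trusting domains ready for collection: $($ready -join ', ')"
```

A DC answering on these ports does not prove that every domain-joined Windows system in scope for privileged collection is reachable; extend the port test to those hosts if privileged collection is enabled across the trust.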