SharpHound Community Edition

This article applies to BHCE

SharpHound Community Edition (CE) is the official data collector for BloodHound CE. It is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.

SharpHound CE can be obtained in a few ways:

  • From the BloodHound CE interface as a pre-compiled binary
    • ⚙️ → Download Collectors, and click the button Download SharpHound
  • From the SharpHound repository releases as .ps1 and a pre-compiled binary
  • Build it from source with the source code on the SharpHound repository

 

Basic Usage

You can collect plenty of data with SharpHound CE by simply running the binary itself with no flags set:

C:\> SharpHound.exe

SharpHound CE will automatically determine what domain your current user belongs to, find a domain controller for that domain, and start the “default” collection method. The default collection method will collect the following pieces of information from the domain controller:

  • Security group memberships
  • Domain trusts
  • Abusable rights on Active Directory objects
  • Group Policy links
  • OU tree structure
  • Several properties from computer, group and user objects
  • SQL admin links

Additionally, SharpHound CE will attempt to collect the following information from each domain-joined Windows computer:

  • The members of the local administrators, remote desktop, distributed COM, and remote management groups
  • Active sessions, which SharpHound CE will attempt to correlate to systems where users are interactively logged on

When finished, SharpHound CE will create several JSON files and place them into a zip file. Drag and drop that zip file into the BloodHound GUI, and the interface will merge the data into the database.

The Session Loop Collection Method

BloodHound uses graph theory to find attack paths in Active Directory, and the more data you have, the more likely you are to find and execute attack paths successfully. Much of the data you initially collect with SharpHound CE will not likely change or require updating over the course of a typical red team assessment - security group memberships, Active Directory permissions, and Group Policy links change relatively rarely. That data can be collected one time, and not again.

User sessions are a bit different because users, especially privileged users, log on and off different systems daily. How many systems does a typical help desk user or server admin log into on any given day?

SharpHound CE’s Session Loop collection method makes this very easy:

C:\> SharpHound.exe --CollectionMethods Session --Loop

This will run SharpHound CE’s session collection method for 2 hours, generating a zip file after each loop ends. When done, collect all the zip files and drag and drop them into the BloodHound GUI.

If you want to specify a different loop time, use the --Loopduration flag with the HH:MM:SS format to specify how long you want SharpHound CE to perform looped session collection. For example, if you want SharpHound CE to perform looped session collection for 3 hours, 9 minutes, and 41 seconds:

C:\> SharpHound.exe --CollectionMethods Session --Loop --Loopduration 03:09:41

Running SharpHound CE from a Non Domain-Joined System

While not an officially supported collection method, and not a collection method we recommend you do, it is possible to collect data for a domain from a system that is not joined to that domain. To do so, carefully follow these steps:

  1. Configure your system DNS server to be the IP address of a domain controller in the target domain.
  2. Spawn a CMD shell as a user in that domain using `runas` its `/netonly` flag. You will be prompted to enter a password. Enter the password and hit enter.
    C:\> runas /netonly /user:CONTOSO\Jeff.Dimmock cmd.exe
  3. A new CMD window will appear. If you type `whoami`, you will not see the name of the user you’re impersonating. This is because of the `/netonly` flag: the instance of CMD will only authenticate as that user when you authenticate to other systems over the network, but you are still the same user you were before when authenticating locally.
  4. Verify you’ve got valid domain authentiation by using the `net` binary. If you can see the SYSVOL and NETLOGON folders, you’re good.
    C:\> net view \\contoso\
  5. Run SharpHound CE, using the `-d` flag to specify the AD domain you want to collect information from. You can also use any other flags you wish.
    C:\> SharpHound.exe -d contoso.local

Building SharpHound CE from Source

SharpHound CE is written using C# 9.0 features. To easily compile this project, use Visual Studio 2019.

If you want to compile on previous versions of Visual Studio, you can install the Microsoft.Net.Compilers nuget package.

Building the project will generate an executable and a PowerShell script that encapsulates the executable. All dependencies are rolled into the binary.

SharpHound CE vs. Antivirus

Many anti-virus engines have signatures for SharpHound CE. You may even find that Chrome or other browsers will warn you against downloading SharpHound CE, saying the binary is malicious. This isn’t completely unexpected, as BloodHound is primarily a tool used by penetration testers and red teamers to find attack paths in Active Directory. While BloodHound has plenty of defensive value, antivirus and browser vendors continue to flag SharpHound CE as malicious.

If you are on the red team side, you can employ AV bypass strategies to avoid getting caught by AV. One of the best things you can do is stay completely off-disk when running SharpHound CE. Many command-and-control tools have in-memory .net assembly execution capabilities, such as Cobalt Strike’s execute-assembly and Covenant’s assembly commands. Using these commands will keep SharpHound CE totally off-disk when run on your target, which will go a very long way toward evading basic AV signatures.

If you are on the blue team side, we recommend you use BloodHound Enterprise which is built for defenders and has a trusted and signed SharpHound Enterprise binary that does not get flagged by antivirus. You can also use the same AV bypass techniques used by the red team, or you can request an exception for the SharpHound CE binary itself or possibly a folder that you run SharpHound CE out of. Be aware, though, that AV-excluded folders and files can commonly be enumerated by low-privilege users running on the same system, so try to be as specific as possible with your allowlist exceptions.

Finally, remember that SharpHound CE is free and open source. You can build SharpHound CE from the source and apply your own obfuscation techniques to the source code itself during that build process. Several resources are available to help get started here:

Updated