Purpose
This guide explains how to collect data ad hoc for BloodHound Enterprise (BHE) using the BloodHound Community Edition (BHCE) collector: SharpHound CE.
It should be used by BloodHound Enterprise users who cannot deploy SharpHound Enterprise, for example in:
- Environments with no internet access, such as SCADA or OT environments
- Merger and acquisition scenarios, to assess risk before integration or consolidation of IT infrastructure
- Quick deployment scenarios, to get an initial assessment before a full SharpHound Enterprise deployment
Note that SharpHound CE may require allow-listing in endpoint protection solutions, as it is unsigned and will likely be flagged as malicious.
SharpHound CE collects the same data as SharpHound Enterprise since they both use the same collection library. However, SharpHound CE does not support integration with the SaaS portal for a status overview and easily configurable schedules for continuous automatic collection and upload.
Prerequisites
- Logged in with a user role that is authorized to perform file ingest; see Administering users and roles
- Access to an account and computer in the in-scope domain or a domain trusted by the in-scope domain
Process
Perform SharpHound CE data collection
- Download the latest version of SharpHound CE from GitHub releases
- Choose a data collection method:
  - DCOnly is the recommended starting method and is equivalent to BHE's Active Directory Structure Data + Certificate Services
  - All performs all collection methods
- Learn about collection methods and flags:
- Start the collection
.\SharpHound.exe -c DCOnly
- Once the collection finishes, the output will be a '.zip' file containing JSON data
Upload data to BloodHound Enterprise
- Log in to BloodHound Enterprise
- Navigate to the File Ingest page
- From the Main Screen, click on the cog wheel in the upper right-hand corner
- From the drop-down menu, select 'Administration'
- In the left margin, select 'File Ingest' under the 'Data Collection' heading
- Select 'Upload File(s)' and, in the pop-up window, drag and drop the output '.zip' file and select 'Upload'
- BloodHound Enterprise will parse and process the data, making it available for analysis
Analyzing Data and Using BloodHound Enterprise Features
- Dashboard and Visualization: Review key insights and summaries.
- Running Queries: Explore specific security aspects and visualize attack paths.
- Posture Reporting: Visualize and track exposure within your enterprise.
Best Practices for Secure Environments
- Minimize Data Collection Scope: Focus on necessary data to limit exposure.
- Secure Data Handling: Ensure secure storage and handling of collected data.
- Regular Updates and Maintenance: Keep SharpHound CE updated.
- Verify integrity:
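The following PowerShell script ties the collection step above to the integrity and secure-handling practices in this list. It is an added example, not part of this guide or of the SharpHound project: it checks the downloaded SharpHound.exe against a known-good SHA-256 before running it, runs the recommended DCOnly collection into a dedicated folder, and records the SHA-256 of the resulting .zip so the file can be re-checked before upload. The $ExpectedSha256 value is a placeholder to be taken from the GitHub release; the --outputdirectory flag is documented in the SharpHound CE README, but confirm it with SharpHound.exe --help for the release you use.

```powershell
# Added example (not SpecterOps documentation or SharpHound project code).
# Verifies the collector binary, runs a DCOnly collection, and records the
# SHA-256 of the output .zip for verification before upload to BHE.
param(
    [string]$SharpHoundPath = ".\SharpHound.exe",
    # Placeholder: replace with the SHA-256 published for the release you downloaded
    [string]$ExpectedSha256 = "<SHA256 from the GitHub release page>",
    [string]$OutputDir      = ".\bhce-collection"
)

# 1. Integrity of the collector itself: refuse to run a binary whose hash
#    does not match the release hash (-ne is case-insensitive for strings).
$actual = (Get-FileHash -Path $SharpHoundPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SharpHound.exe hash mismatch: got $actual, expected $ExpectedSha256"
}

# 2. Run the recommended starting method into its own directory so the
#    output is easy to locate, hash, and clean up after upload.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
& $SharpHoundPath -c DCOnly --outputdirectory $OutputDir   # --outputdirectory: assumed from the SharpHound README
if ($LASTEXITCODE -ne 0) {
    throw "SharpHound exited with code $LASTEXITCODE"
}

# 3. Locate the newest .zip and write its SHA-256 next to it. Re-run
#    Get-FileHash on the transfer target and compare before uploading.
$zip = Get-ChildItem -Path $OutputDir -Filter *.zip |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
if (-not $zip) {
    throw "No .zip produced in $OutputDir"
}
$zipHash = (Get-FileHash -Path $zip.FullName -Algorithm SHA256).Hash
"$zipHash  $($zip.Name)" | Set-Content -Path (Join-Path $OutputDir "$($zip.BaseName).sha256")
Write-Host "Collection complete: $($zip.FullName)"
Write-Host "SHA-256: $zipHash"
```

Keeping the .sha256 file with the archive gives the person doing the upload a simple check that the .zip was not altered in transit between the collection host and the workstation used to reach the File Ingest page; delete both files once BloodHound Enterprise has processed the data.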
Outcome
Once ingest and analysis is completed, BloodHound Enterprise will present a comprehensive report with actionable recommendations on the Attack Paths page.