The following are common questions about the data collection capabilities provided by the SharpHound Enterprise service.
How long does collection take?
Collection time varies from minutes to hours depending primarily on the size of the environment, though other complicating factors can also lengthen it.
Example full scan and upload durations with privileged collection:
- 15,000 users + groups, 4,000 computers, and AD CS: 45 minutes
- >500,000 computers, and AD DS: 3 hours
How does SharpHound select which domain controller to use with auto-negotiation?
SharpHound automatically selects the best Domain Controller based on information returned from Active Directory.
What do the LDAP errors mean in a SharpHound run.log?
If you see an error in run.log that looks something like this:
2022-08-05T09:18:13.6406652-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). The LDAP server returned an unknown error..
You may reference this link to understand the meaning of the exception code by number: https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes
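To triage these warnings in bulk rather than looking up each code by hand, the following added example (not from the SharpHound Enterprise documentation or code base) parses run.log lines in the `timestamp|LEVEL|[component]message` layout shown above, extracts the numeric code from each "LDAP Exception in Loop" entry and maps it to its RFC 4511 result-code name. Only the first sample line is the one quoted on this page; the other sample lines and the message text for code 49 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample run.log excerpt; line 1 is the entry quoted above, the rest are made up.
SAMPLE_RUN_LOG = """\
2022-08-05T09:18:13.6406652-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). The LDAP server returned an unknown error..
2022-08-05T09:18:14.0000000-04:00|INFO|[CommonLib LDAPUtils]Starting new LDAP query
2022-08-05T09:18:15.1230000-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 49. (null). The supplied credential is invalid.
2022-08-05T09:18:16.4560000-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). The LDAP server returned an unknown error..
"""

# Subset of RFC 4511 LDAP result codes commonly seen when a collector queries a domain controller.
LDAP_RESULT_CODES = {
    0: "success", 1: "operationsError", 3: "timeLimitExceeded", 4: "sizeLimitExceeded",
    8: "strongerAuthRequired", 10: "referral", 11: "adminLimitExceeded", 32: "noSuchObject",
    49: "invalidCredentials", 50: "insufficientAccessRights", 51: "busy",
    52: "unavailable", 53: "unwillingToPerform", 80: "other",
}

# Matches: <timestamp>|<level>|[<component>]LDAP Exception in Loop: <code>.
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<level>[^|]+)\|\[(?P<component>[^\]]+)\]"
    r"LDAP Exception in Loop: (?P<code>\d+)\."
)


def parse_ldap_exceptions(log_text):
    """Return (timestamp, level, code, rfc4511_name) for every LDAP exception line."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an LDAP exception entry, skip it
        code = int(m.group("code"))
        results.append((m.group("ts"), m.group("level"), code,
                        LDAP_RESULT_CODES.get(code, "unknown")))
    return results


def summarize_ldap_exceptions(log_text):
    """Count exception lines per result-code name, e.g. {'unavailable': 2, 'invalidCredentials': 1}."""
    return dict(Counter(name for _, _, _, name in parse_ldap_exceptions(log_text)))


if __name__ == "__main__":
    for ts, level, code, name in parse_ldap_exceptions(SAMPLE_RUN_LOG):
        print(f"{ts} {level} code={code} ({name})")
    print(summarize_ldap_exceptions(SAMPLE_RUN_LOG))
```

A run of repeated `unavailable` (52) entries points at the selected domain controller rather than at credentials, which is the first thing to check before escalating.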
How does SharpHound Enterprise interact with antivirus?
SharpHound Enterprise installs as a signed Windows service. For this reason, antivirus products tend not to alert on the service.
Notable exceptions include:
- Behavioral analytics tools: Any security tool that performs behavioral identification of scanners will flag SharpHound Enterprise as a scanner during local privileged collection. Typically these cannot block activity but will generate alerts to the SOC.
- Cisco Umbrella: As each customer is deployed utilizing their own domain, Umbrella commonly flags the domain as new and will quarantine it until excluded by an administrator.