SharpHound Collection FAQ

This article applies to BHE

The following are common questions about the data collection capabilities provided by the SharpHound Enterprise service.

How do you recommend securing the SharpHound service account?

See our SharpHound Service Hardening Guidelines.

How long does collection take?

Collection time depends largely on the size of the environment, though other complicating factors can lengthen it. In larger environments with >500,000 computers, the full collection for both AD Structure and local privileged data takes about 3 hours.

How does SharpHound select which domain controller to use with auto-negotiation?

SharpHound uses the PdcRoleOwner property to identify the Primary Domain Controller and collects from it.

What impact will a SharpHound collection have on my network?

Configurations will vary, but based on analysis in several customers' environments, the following represents a rough estimate of the network impact of a collection:

  • To one single domain controller (unprivileged, AD Collection)
    • ~2 MB / 100,000 AD objects / scan
    • ~375 sessions / 100,000 AD objects / scan
  • To all workstations accessible to the SharpHound Enterprise service and service account (privileged, local groups, and sessions collection)
    • ~15 KB/scan
    • ~15 sessions / scan

All scans run with a maximum of 50 simultaneous threads.

What do the LDAP errors mean in a SharpHound run.log?

If you see an error in run.log that looks something like this:

2022-08-05T09:18:13.6406652-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). The LDAP server returned an unknown error..

You may reference this link to understand the meaning of the exception code by number:
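
To triage these warnings in bulk, the following added example (not part of the original article or of SharpHound) parses run.log lines in the format shown above and tallies the LDAP exception codes. It assumes the number after "LDAP Exception in Loop:" is a standard LDAP result code; the lookup table is a hand-picked subset, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Partial table of LDAP result codes (RFC 4511); 81 is the client-side
# "server down" code from the LDAP C API. Assumption: run.log reports these.
LDAP_CODES = {
    1: "operationsError",
    3: "timeLimitExceeded",
    4: "sizeLimitExceeded",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    51: "busy",
    52: "unavailable",
    53: "unwillingToPerform",
    81: "serverDown (client-side)",
}

# Layout taken from the sample line on this page: timestamp|LEVEL|[Source]message
LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<level>[^|]+)\|\[(?P<src>[^\]]+)\](?P<msg>.*)$")
LDAP_RE = re.compile(r"LDAP Exception in Loop: (?P<code>\d+)\.")

def parse_ldap_errors(lines):
    """Yield (timestamp, code, name) for every LDAP exception line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack traces, wrapped lines, anything not pipe-delimited
        e = LDAP_RE.search(m["msg"])
        if e:
            code = int(e["code"])
            yield m["ts"], code, LDAP_CODES.get(code, "not in table")

def summarize(lines):
    """Count LDAP exceptions per (code, name) to show which failure dominates."""
    return Counter((code, name) for _, code, name in parse_ldap_errors(lines))

# First line is the one quoted on this page; the rest are constructed for the demo.
SAMPLE = [
    "2022-08-05T09:18:13.6406652-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). The LDAP server returned an unknown error..",
    "2022-08-05T09:18:14.1000000-04:00|INFORMATION|[CommonLib LDAPUtils]Constructed non-error line",
    "2022-08-05T09:18:15.2000000-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 81. (null). Constructed message..",
    "   constructed continuation line without pipe-delimited fields",
    "2022-08-05T09:18:16.3000000-04:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). Constructed message..",
]

if __name__ == "__main__":
    for (code, name), count in summarize(SAMPLE).most_common():
        print(f"{count:>4}  LDAP {code:<3} {name}")
```

Code 52 (unavailable) and 81 (server down) both point at the domain controller or the path to it rather than at the query itself, so a run dominated by them is worth correlating with DC health and network logs for the same timestamps.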

How does SharpHound Enterprise interact with antivirus?

SharpHound Enterprise installs as a signed Windows service. For this reason, antivirus products tend not to alert on the service.

Notable exceptions include:

  • Behavioral analytics tools: Any security tool that performs behavioral identification of scanners will flag SharpHound Enterprise as a scanner during local privileged collection. Typically these cannot block activity but will generate alerts to the SOC.
  • Cisco Umbrella: Because each customer is deployed on their own domain, Umbrella commonly flags the domain as new and quarantines it until an administrator excludes it.