SharpHound Enterprise Data Collection and Permissions


This article applies to BHE

SharpHound Enterprise collects data using the open-source SharpHound Common library, which the BloodHound Enterprise Engineering team maintains.

SharpHound Enterprise can collect four types of data:

  • Active Directory Structure Data
  • Local Group Membership
  • User Rights Assignments
  • Active Sessions

The latter three can only be collected from domain-joined Windows systems and require privileged collection to be configured; see Why perform privileged collection in SharpHound. This collection reveals Attack Paths to individual systems that depend on local (non-centralized) configuration rather than on Active Directory alone.

AD Structure Data

Information about the objects and relationships within your Active Directory environment is the baseline needed to identify attack paths in your environment. It includes:

  • Domain trusts.
  • Object properties of users, groups, computers, GPOs, OUs, containers, and Domain objects.
  • ACLs related to users, groups, computers, GPOs, OUs, containers, and Domain objects.
  • Enumerated objects contained in every OU, container, and Domain.
  • Enumerated memberships of all Groups.

Reference: Properties collected by SharpHound.

Collection and Permissions

SharpHound collects this information using signed LDAP queries against a domain controller in the collected domain.

By default, any member of Authenticated Users can enumerate almost all of the data BloodHound Enterprise uses, so no extra rights are needed for this data type. Additionally, granting the service account read access to the Deleted Objects container lets BloodHound Enterprise reconcile deleted objects more rapidly (see this link from Microsoft on granting this access).
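The following is an added example and not code from the original article or from SharpHound Common. It shows the two steps a practitioner needs here: the dsacls grant Microsoft documents for the Deleted Objects container (List Contents and Read Property, LCRP), and a signed, sealed LDAP search carrying the show-deleted control that verifies the service account can actually see the container afterwards. The domain DN, domain controller name and service account name are placeholders.

```powershell
# Added example; not part of the original article or of SharpHound Common.
# Step 1 grants the collection account List Contents + Read Property (LCRP) on the
# Deleted Objects container. Step 2 verifies the grant with a signed, sealed LDAP
# search that carries the LDAP_SERVER_SHOW_DELETED_OID control; without that control
# a DC never returns deleted objects, regardless of ACLs.
# Assumptions (placeholders, replace for your environment): domain DN, DC name, account.

$DomainDN         = 'DC=corp,DC=example'      # assumption: target domain
$DomainController = 'dc01.corp.example'       # assumption: a domain controller in it
$ServiceAccount   = 'CORP\svc-sharphound'     # assumption: SharpHound Enterprise service account
$DeletedObjectsDN = "CN=Deleted Objects,$DomainDN"

# Step 1: run once as a Domain Admin. The container is owned by SYSTEM, so ownership
# must be taken before an ACE can be added (Microsoft's documented procedure):
#   dsacls "$DeletedObjectsDN" /takeownership
#   dsacls "$DeletedObjectsDN" /G "${ServiceAccount}:LCRP"

# Step 2: run under the service account's identity (e.g. runas /user:$ServiceAccount).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DeletedObjectsAccess {
    param([string]$Server, [string]$BaseDN)

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos where available
    $conn.SessionOptions.Signing = $true   # LDAP signing: integrity protection on every message
    $conn.SessionOptions.Sealing = $true   # LDAP sealing: encrypts the session as well
    $conn.Bind()

    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDN, '(isDeleted=TRUE)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('objectSid', 'lastKnownParent', 'whenChanged'))
    [void]$request.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    try {
        $response = $conn.SendRequest($request)
        [pscustomobject]@{ Accessible = $true; DeletedObjects = $response.Entries.Count; Error = $null }
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # A principal without LCRP on the container is told the base DN does not exist
        # (noSuchObject) rather than being shown that it exists but is unreadable.
        [pscustomobject]@{ Accessible = $false; DeletedObjects = 0; Error = $_.Exception.Response.ResultCode }
    }
    finally { $conn.Dispose() }
}

Test-DeletedObjectsAccess -Server $DomainController -BaseDN $DeletedObjectsDN
```

The check reports Accessible = $false with a noSuchObject result when the grant is missing, and the count of tombstoned or recycled objects once LCRP is in place. LCRP is read-only; the account gains no ability to restore or modify deleted objects.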

Local Group Membership

Members of the following groups are enumerated:

  • Administrators
  • Remote Desktop Users
  • Distributed COM Users
  • Remote Management Users

Collection and Permissions

SharpHound collects this information using remote SAM enumeration (the SAMR protocol) against each system.

By default, beginning with Windows 10 version 1607 and Windows Server 2016, computers require Administrator access for remote SAM calls (the "Network access: Restrict clients allowed to make remote calls to SAM" security policy). This setting may be overridden with Group Policy, and it is the only permission required by SharpHound whose relaxation Microsoft supports.
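The following is an added example and not code from the original article or from SharpHound Common. It places the Windows 10 1607 / Server 2016 default SDDL for the remote SAM policy (only BUILTIN\Administrators) beside a version that additionally allows a dedicated, non-admin collection account, and checks whether a given SID is permitted by the currently effective policy. The collector SID is a placeholder.

```powershell
# Added example; not part of the original article or of SharpHound Common.
# Inspects and extends "Network access: Restrict clients allowed to make remote calls to SAM".
# The policy value is an SDDL string; remote SAM callers need an Allow ACE granting RC
# (READ_CONTROL). Assumption: the SID below is a placeholder for the collection account.

$CollectorSid = New-Object System.Security.Principal.SecurityIdentifier(
    'S-1-5-21-1111111111-2222222222-3333333333-1105')   # placeholder, replace

$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName   = 'RestrictRemoteSAM'
$ReadControl = 0x20000   # RC in SDDL

# Effective default when the policy is "Not Defined": only BA (BUILTIN\Administrators).
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'

function Get-EffectiveRemoteSamSddl {
    # Returns the configured SDDL, or the OS default when the value is absent.
    $value = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ([string]::IsNullOrEmpty($value)) { return $DefaultSddl }
    return $value
}

function Test-RemoteSamAllowed {
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only an Allow ACE for this exact SID that includes RC counts. Group membership is
        # not expanded here, so test the account SID and each of its group SIDs separately.
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $Sid -and
            ($ace.AccessMask -band $ReadControl) -ne 0) { return $true }
    }
    return $false
}

function New-RemoteSamSddlWithCollector {
    # Returns the SDDL with an RC Allow ACE for $Sid appended (unchanged if already present).
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid)
    if (Test-RemoteSamAllowed -Sddl $Sddl -Sid $Sid) { return $Sddl }
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $ReadControl, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

$current  = Get-EffectiveRemoteSamSddl
$proposed = New-RemoteSamSddlWithCollector -Sddl $current -Sid $CollectorSid
"Collector allowed now : $(Test-RemoteSamAllowed -Sddl $current -Sid $CollectorSid)"
"Current SDDL          : $current"
"Proposed SDDL         : $proposed"

# Roll the proposed value out through Group Policy (Computer Configuration > Windows Settings >
# Security Settings > Local Policies > Security Options). For a single test host only:
#   Set-ItemProperty -Path $RegPath -Name $ValueName -Value $proposed -Type String
```

Granting RC to the collection account (or to a group that contains it) is what lets a non-administrator enumerate the four local groups above over SAMR; it grants nothing else. A GPO-managed value overwrites any local edit at the next policy refresh, so the registry write is only useful for a lab check.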

User Rights Assignments

Prior to SharpHound Common v3, BloodHound made assumptions about group membership and Attack Paths. For example, BloodHound assumed that membership in the Remote Desktop Users group on its own lets a user reach a system over Remote Desktop. The permissions actually required are more complex: whether a principal can log on remotely depends on the User Rights Assignments configured on that system (for example, the Allow and Deny "log on through Remote Desktop Services" rights), so establishing that access requires analyzing them.

Collection and Permissions

SharpHound collects this information through the LSA policy API: it opens a policy handle on each domain-joined system with the LsaOpenPolicy function and reads the rights assigned there.

Collecting User Rights Assignments therefore requires analyzing the LSA policy of every domain-joined system. By default, only members of the local Administrators group may open the LSA policy on a remote system, so this collection requires local administrator rights on each target.
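The following is an added example and not code from the original article or from SharpHound Common. It exports a host's User Rights Assignments with secedit (which, like LsaOpenPolicy, must run with local administrator rights) and combines them with local group membership to answer the question that Remote Desktop Users membership alone cannot: can this principal actually open an RDP session? The account under test is a placeholder.

```powershell
# Added example; not part of the original article or of SharpHound Common.
# Reads the [Privilege Rights] section secedit exports, then resolves whether a principal
# holds SeRemoteInteractiveLogonRight without also holding SeDenyRemoteInteractiveLogonRight.
# Assumptions: runs elevated on the host being assessed (wrap in Invoke-Command for remote
# hosts); $Principal is a placeholder.

$Principal = 'CORP\jdoe'   # placeholder

function Get-UserRightsAssignments {
    # Returns a hashtable: right name -> array of SecurityIdentifier holding it.
    $inf = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {   # secedit writes UTF-16
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $holders = foreach ($token in ($Matches[2] -split ',')) {
            $token = $token.Trim()
            if ($token.StartsWith('*')) {
                # "*S-1-5-32-555" form: already a SID
                New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
            } elseif ($token) {
                # bare account name: resolve, skipping names the host cannot translate
                try { (New-Object System.Security.Principal.NTAccount($token)).Translate(
                        [System.Security.Principal.SecurityIdentifier]) } catch { }
            }
        }
        $rights[$right] = @($holders)
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Get-PrincipalSids {
    # SIDs the principal's logon token would carry on this host: its own SID, the well-known
    # Everyone and Authenticated Users SIDs, and local groups it is a direct member of.
    # Nested domain group membership is not expanded here.
    param([string]$Account)
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $sids = @($sid,
              [System.Security.Principal.SecurityIdentifier]'S-1-1-0',    # Everyone
              [System.Security.Principal.SecurityIdentifier]'S-1-5-11')   # Authenticated Users
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SID -eq $sid }) { $sids += $group.SID }
    }
    return $sids
}

function Test-RdpAccess {
    param([string]$Account, [hashtable]$Rights)
    $sids  = Get-PrincipalSids -Account $Account
    $allow = @($Rights['SeRemoteInteractiveLogonRight'])
    $deny  = @($Rights['SeDenyRemoteInteractiveLogonRight'])
    $hasAllow = [bool]($sids | Where-Object { $allow -contains $_ })
    $hasDeny  = [bool]($sids | Where-Object { $deny  -contains $_ })
    [pscustomobject]@{
        Principal     = $Account
        HasAllowRight = $hasAllow
        HasDenyRight  = $hasDeny
        CanRdp        = $hasAllow -and -not $hasDeny   # a Deny right always wins
    }
}

Test-RdpAccess -Account $Principal -Rights (Get-UserRightsAssignments)
```

A user in Remote Desktop Users on a host where a GPO has removed that group from SeRemoteInteractiveLogonRight, or added one of the user's groups to SeDenyRemoteInteractiveLogonRight, comes back with CanRdp = $false despite the membership. The script does not check whether Remote Desktop is enabled at all or the RDP listener's own permissions, which are further conditions on the same path.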

Active Sessions

SharpHound collects active session information to identify abusable sessions on domain-joined systems. The credentials behind these sessions are exposed to OS Credential Dumping by tools such as Mimikatz, which is why a session on a system an attacker controls is a step in an Attack Path.

Collection and Permissions

SharpHound collects this information using the NetWkstaUserEnum function.

By default, only members of the target's local Administrators group may call this function remotely.
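The following is an added example and not code from the original article or from SharpHound Common. It calls NetWkstaUserEnum at information level 1 against a host the way a session collector does, and distinguishes the ERROR_ACCESS_DENIED a non-administrator receives from the session list an administrator receives, so a practitioner can confirm the service account's rights on a sample of hosts before enabling collection. The target host name is a placeholder.

```powershell
# Added example; not part of the original article or of SharpHound Common.
# P/Invokes NetWkstaUserEnum (level 1) and maps the Win32 status to the permission question
# above: status 5 (ERROR_ACCESS_DENIED) means the caller is not a local Administrator on the
# target. Assumption: $Target is a placeholder host name.

$Target = 'ws01.corp.example'   # placeholder

Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class WkstaSessions
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WKSTA_USER_INFO_1
    {
        public string wkui1_username;
        public string wkui1_logon_domain;
        public string wkui1_oth_domains;
        public string wkui1_logon_server;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetWkstaUserEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resumehandle);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    public const int NERR_Success        = 0;
    public const int ERROR_ACCESS_DENIED = 5;
    public const int ERROR_BAD_NETPATH   = 53;
    public const int ERROR_MORE_DATA     = 234;
    const int MAX_PREFERRED_LENGTH       = -1;

    // Returns the Win32 status; on success fills 'sessions' with DOMAIN\user strings.
    public static int Enumerate(string server, out List<string> sessions)
    {
        sessions = new List<string>();
        int resume = 0;
        int status;
        do
        {
            IntPtr buf;
            int read, total;
            status = NetWkstaUserEnum(server, 1, out buf, MAX_PREFERRED_LENGTH, out read, out total, ref resume);
            if (status != NERR_Success && status != ERROR_MORE_DATA) return status;
            try
            {
                int size = Marshal.SizeOf(typeof(WKSTA_USER_INFO_1));
                for (int i = 0; i < read; i++)
                {
                    IntPtr entry = new IntPtr(buf.ToInt64() + (long)i * size);
                    var e = (WKSTA_USER_INFO_1)Marshal.PtrToStructure(entry, typeof(WKSTA_USER_INFO_1));
                    sessions.Add(e.wkui1_logon_domain + "\\" + e.wkui1_username);
                }
            }
            finally { NetApiBufferFree(buf); }   // always release the server-allocated buffer
        } while (status == ERROR_MORE_DATA);     // page through large session lists
        return NERR_Success;
    }
}
'@

$sessions = $null
$status = [WkstaSessions]::Enumerate("\\$Target", [ref]$sessions)
switch ($status) {
    0   { "$Target : $($sessions.Count) session(s)"; $sessions | Sort-Object -Unique }
    5   { "$Target : ERROR_ACCESS_DENIED - the calling account is not a local Administrator on the target" }
    53  { "$Target : ERROR_BAD_NETPATH - host unreachable or SMB blocked" }
    default { "$Target : NetWkstaUserEnum returned status $status" }
}
```

Level 1 returns the logon domain alongside the user name, which is what lets a collector map a session to a domain principal; service and machine accounts appear here too and need filtering before they are treated as user sessions. The call travels over SMB to the workstation service named pipe, so a host that blocks SMB returns ERROR_BAD_NETPATH rather than an access error.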