SharpHound Enterprise Local Configuration

This article applies to BHE


Local configuration of SharpHound Enterprise occurs within two files, both located within the installation directory of the service (default location is C:\Program Files (x86)\SHService).


Modifying SharpHound Settings

To modify any settings below on your SharpHound configuration, you must stop the SharpHound service. The process to modify SharpHound's settings files is as follows:

  1. Open the Windows service manager window.

  2. Find the SharpHound Delegator service, click on it, then click Stop.

  3. Open Notepad as an Administrator.
    1. Click the Start menu.
    2. Search for or locate the Notepad program.
    3. Right-click on Notepad.
    4. Click Run as Administrator.
    5. Click Yes on the User Access Control prompt.

  4. Open the desired settings file requiring modification, make your change, and then save the file.

  5. Return to the Windows service manager window, find the SharpHound Delegator service, then click Start.


Settings Files

settings.json

settings.json is a plaintext JSON file that defines information about how the service behaves, including the domain of your BloodHound Enterprise tenant.

The following table outlines supported fields and their default values:

Field Type Description Default value Example value
RestEndpoint String

Your tenant domain, as provided by your account team

Note: This field should contain a domain only, do not include URL information such as https://.

"CODENAME.bloodhoundenterprise.io" "demo.bloodhoundenterprise.io"
RestPort Integer TCP port which BloodHound Enterprise API runs on. 443 443
SSL Boolean Is the API SSL enabled True True
LogLevel String

Logging verbosity level for the service itself. These logs appear in service.log within the configured TempDirectory location.

The following levels are supported from most to least verbose (most typically used options are underlined):

  • Trace
  • Debug
  • Information
  • Warning
  • Error
  • Critical
  • None
"Information" "Trace"
EnumerationLogLevel String

Logging verbosity level used during collection jobs. 

The following levels are supported from most to least verbose (most typically used options are underlined):

  • Trace
  • Debug
  • Information
  • Warning
  • Error
  • Critical
  • None
"Information" "Trace"
TempDirectory String

Directory in which logs and temporary files are stored. Upon service start, if this value is null, the service will default to the %APPDATA%\Roaming\BloodHound Enterprise\ directory belonging to the service user.

Logs are retained for 14 days.

Note: Backslashes (\) must be escaped for proper JSON formatting.

null "D:\\SharpHound\\logs"
Proxy String HTTP Proxy URL if needed. null "proxy.acme.com:8080"
ComputerPasswordResetWindow Integer

When performing local collections, any computer objects that have not rotated their password with the domain in this many days will be excluded. By default, computers in Active Directory rotated their passwords every 30 days.

Mininum value: 7

This Windows setting specifies how often the computer will rotate its password: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age

It is possible to prevent a Windows computer from rotating its password completely with this setting: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes

60 365
CurrentTask Integer

SharpHound utilizes this field to track the currently running task. It will be null when no task is running.

null  
ForceLDAPkerberosAuth Boolean

Force the use of Kerberos authentication when querying LDAP servers. Disabling this may be required to collect across an External trust type (see Cross-Trust Collection here).

Setting this value to False means that SharpHound will auto-negotiate authentication to domain controllers, preferring Kerberos if available.

True True
LDAPSSLPort Integer

TCP port utilized for collection on LDAP over SSL.

Requires SharpHound Enterprise v2.2.1+

636 636
ForceLDAPSSL Boolean

Force the use of LDAP over SSL.

Setting this value to False means that SharpHound will attempt LDAP over SSL first, before falling back to signed and sealed LDAP.

Requires SharpHound Enterprise v2.2.1+

False False
PortCheckTimeout Integer

The duration, in milliseconds, SharpHound will wait for a response on port 445/TCP before considering the system unavailable.

Minimum value: 200

Requires SharpHound Enterprise v2.2.1+

500 500
NumWorkers Integer

The number of concurrent threads performing data enrichment and privileged collection.

Minimum value: 10

Maximum value: 100

Requires SharpHound Enterprise v2.2.1+

50 50


auth.json

auth.json is a plaintext JSON file that defines the credentials the service will utilize to authenticate to the BloodHound Enterprise API. Creating a new client or rotating the credentials of an existing one will provide you with the complete JSON structure utilized for a SharpHound Enterprise client.

Updated