SharpHound Enterprise System Requirements and Deployment Process

This article applies to BHE

The SharpHound Enterprise service is a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis.

SharpHound Enterprise is deployed as a signed Windows service, runs under the context of a domain account, and collects from one or more domains utilizing the configured service account.

 

Deployment Process Overview

To collect Active Directory data with SharpHound and ingest it into BloodHound for analysis:

  1. Provision a Server that meets or exceeds the recommended Hardware, Software, and Network requirements below.
  2. Create a Service Account or gMSA that SharpHound will run as with the Service Account Requirements below.
  3. Install and Upgrade SharpHound Enterprise
  4. Create a BloodHound Enterprise collector client
  5. Run an On Demand Scan or Create a data collection schedule

Server Requirements

Hardware

  Minimum Recommended
Processor Cores 2 physical cores 4 physical cores
Memory 4GB RAM 16GB RAM
Hard disk space 1GB for logging 5GB for logging

 

Software

  • Windows Server 2019+
  • .NET 4.5.2+

Network

  • TLS on 443/TCP to your BloodHound Enterprise SaaS tenant URL (proxy is supported)
  • LDAP to at least one domain controller in each domain requiring collection.
    • By default, SharpHound will attempt LDAP over SSL first, then fall back to LDAP if SSL is unavailable.
      • LDAP over SSL on 636/TCP (configurable port)
      • LDAP on 389/TCP (configurable port)
    • LDAP over SSL is enforceable.
    • LDAP channel signing is used for all queries.
  • [Optional] If performing privileged collection (see Why perform privileged collection in SharpHound)
    • SMB/RPC on 445/TCP to all in-scope domain-joined Windows systems
    • Approximately 60-100kB network bandwidth per collection to each in-scope domain-joined Windows system
  • [Optional] If performing DC Registry and DC Registry collection (see DC Registry and CA Registry details)
    • SMB/RPC on 445/TCP to all DCs and domain-joined CAs

Service Account Requirements

The SharpHound Enterprise service will run as a domain-joined account and will utilize the permissions of that account for enumeration purposes.

See SharpHound Data Collection and Permissions for comprehensive requirement information.

Updated