The SharpHound Enterprise service is a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis.
SharpHound Enterprise is deployed as a signed Windows service, runs under the context of a domain account, and collects from one or more domains utilizing the configured service account.
Deployment Process Overview
To collect Active Directory data with SharpHound and ingest it into BloodHound for analysis:
- Provision a server that meets or exceeds the recommended hardware, software, and network requirements below.
- Create a service account or gMSA that SharpHound will run as, with the permissions listed below.
- Install SharpHound (see Install and Upgrade SharpHound Enterprise).
- Create a client within BHE (see Create a BloodHound Enterprise collector client).
- Run an on-demand scan and schedule ongoing collection (see SharpHound Enterprise Tenant Configuration).
Server Requirements
Hardware
| | Minimum | Recommended |
| --- | --- | --- |
| Processor cores | 2 physical cores | 4 physical cores |
| Memory | 4 GB RAM | 16 GB RAM |
| Hard disk space | 1 GB for logging | 5 GB for logging |
Software
- Windows Server 2019+
- .NET 4.5.2+
Network
- TLS on 443/TCP to your tenant URL (provided by your account team)
- LDAP to at least one domain controller in each domain requiring collection. SharpHound attempts LDAP over SSL first and falls back to plain LDAP if SSL is unavailable:
  - LDAP over SSL on 636/TCP
  - LDAP on 389/TCP
  - Note: SharpHound uses LDAP channel signing for all queries
- [OPTIONAL - see Why perform privileged collection in SharpHound] SMB/RPC on 445/TCP to all domain-joined computers
Service Account Requirements
The SharpHound Enterprise service runs as a domain account and uses that account's permissions for enumeration.
- Authenticated User within any domains requiring collection
- Local Administrator on the SharpHound Enterprise server
- Read privileges to the Deleted Objects container (if tombstoning is enabled - instructions here)
- [OPTIONAL - see DC Registry and CA Registry details] Member of Administrators group on DCs and CAs (only necessary if PKI infrastructure is in use)
- [OPTIONAL - see Why perform privileged collection in SharpHound] Member of Administrators group on all domain-joined systems
See SharpHound Data Collection and Permissions for full permission information and an explanation of requirements.
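The following pre-flight script is an added example, not part of the BloodHound Enterprise documentation or the SharpHound installer: run it on the prospective collector server to confirm the software, network, and local-administrator requirements above before installing the service. The tenant host, domain controller names, optional target hosts, and service account name are parameters you supply; the build and .NET Release values are the public thresholds for Windows Server 2019 (17763) and .NET Framework 4.5.2 (379893).

```powershell
# Added pre-flight check for a SharpHound Enterprise collector host (not official code).
# All parameter values are assumptions supplied by the operator.
param(
    [Parameter(Mandatory)] [string]   $TenantHost,         # placeholder: your tenant hostname from the account team
    [Parameter(Mandatory)] [string[]] $DomainControllers,  # at least one DC per domain to be collected
    [string[]] $DomainJoinedHosts = @(),                   # optional: hosts for privileged (SMB/RPC 445) collection
    [string]   $ServiceAccount = ''                        # optional: DOMAIN\user or DOMAIN\gmsa$ to verify local admin
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
function Test-Port([string]$Target, [int]$Port) {
    Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

# Software: Windows Server 2019 is build 17763 (ProductType 1 = workstation, so reject it);
# .NET Framework 4.5.2 writes Release >= 379893 under the NDP\v4\Full key.
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2019+' (([int]$os.BuildNumber -ge 17763) -and ($os.ProductType -ne 1)) $os.Caption
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.5.2+' ([int]$release -ge 379893) "Release=$release"

# Network: TLS to the tenant, then LDAPS (636) with plain LDAP (389) as the fallback SharpHound uses.
Add-Check "TLS 443/TCP to $TenantHost" (Test-Port $TenantHost 443) 'tenant upload endpoint'
foreach ($dc in $DomainControllers) {
    $ldaps = Test-Port $dc 636
    $ldap  = Test-Port $dc 389
    $note  = if ($ldap -and -not $ldaps) { ' (plain LDAP fallback only; LDAPS preferred)' } else { '' }
    Add-Check "LDAP to $dc" ($ldaps -or $ldap) "LDAPS=$ldaps LDAP=$ldap$note"
}
foreach ($h in $DomainJoinedHosts) {
    Add-Check "SMB/RPC 445/TCP to $h" (Test-Port $h 445) 'optional: needed only for privileged collection'
}

# Service account: must be a member of the local Administrators group on this server.
if ($ServiceAccount) {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name
    Add-Check "$ServiceAccount is local Administrator" ($admins -contains $ServiceAccount) ($admins -join ', ')
}

$results | Format-Table -AutoSize
if ($results.Where({ -not $_.Pass }).Count -gt 0) { Write-Warning 'One or more SharpHound prerequisites failed.' }
```

A DC that passes only on 389/TCP still works, but the Detail column flags it so you can enable LDAPS before collection rather than rely on the plain-LDAP fallback.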