Install and Upgrade SharpHound Enterprise

This article applies to BHE

Purpose

This article outlines how to:

BHE users may use it during SharpHound Enterprise deployment or upgrades.

Prerequisites

Process

Install SharpHound Enterprise

  1. Log into your BloodHound Enterprise tenant.
  2. Click on the gear icon in the top right corner, followed by Download Collectors.
    mceclip0.png

  3. Click 📥 Download SharpHound v#.#.# (.zip) on the SharpHound version marked "(Latest)".


  4. Connect to the server on which the SharpHound Enterprise service should be installed.
  5. Validate that your SharpHound service account is a member of the local Administrators group.
  6. Extract the zip archive.
  7. Run SHSetup-v#.#.#.exe as an Administrator.
  8. SmartScreen may display a warning if you are running Microsoft Defender:
    • Click More info.
      mceclip3.png
    • Validate the publisher shows Specter Ops, Inc. then click Run anyway.
      mceclip4.png

  9. Choose where to install the service and click Next. We recommend a path protected from low-privileged user writes such as the default "C:\Program Files (x86)\SHService".
    mceclip5.png

  10. Click Install.
    mceclip6.png

  11. Provide credentials for your SharpHound service account in the format: DOMAIN\username
  12. Click Finish.


  13. The "SharpHoundDelegator" service has now been installed. If you don't see the service, see the headline: I don't see the SHDelegator Service


  14. If using a gMSA, according to our Hardening Guidelines, change the service to run as the gMSA as described in Add the gMSA to the SharpHound Enterprise service.
  15. Start the service once; the startup will fail but trigger the creation of the configuration and log directory in the service account's user directory: "%AppData%\BloodHoundEnterprise"
  16. Change the files "settings.json" and "auth.json" in the configuration described in SharpHound Enterprise Local Configuration. In most cases, only the following needs to change:
    • In "settings.json"
      • Set "RestEndpoint" to the BloodHound Enterprise domain name in the format: "CODENAME.bloodhoundenterprise.io". This is the domain that the service connects to.
      • If using a proxy, set "Proxy" to the proxy name and port in the format: "proxy.acme.com:8080"
    • Create a BloodHound Enterprise collector client, and then in "auth.json" set "Token" and "TokenID" to the values given after you created the client. This is the secret that the service authenticates with.
  17. Start the service. If service start fails see the headline: The SharpHound Delegator Service won't start
  18. Return to BloodHound Enterprise, and you should see the client reporting "🟢 Ready"
  19. Perform your scan by either:
    1. Create a data collection schedule
    2. Run an On Demand Scan

Upgrade SharpHound Enterprise

  1. Log into your BloodHound Enterprise tenant.
  2. Click on the gear icon in the top right corner, followed by Download Collectors
    mceclip0.png

  3. Click 📥 Download SharpHound v#.#.# (.zip) on the SharpHound version marked "(Latest)".


  4. Connect to the SharpHound Enterprise server.
  5. Extract the zip archive.
  6. Run SHSetup-v#.#.#.exe as an Administrator.
  7. Click Finish.


  8. SharpHound Enterprise has now been upgraded.
  9. Start the "SharpHound Delegator" service. If you can't start the service, see the headline: The SharpHound Delegator Service won't start

Common installation issues

I don't see the SHDelegator Service

Most frequently, this is the result of one of two issues:

  1. The service account was not added as a local Administrator before installation.
  2. The password was entered into the credential window incorrectly.

The installation log may be of help in troubleshooting and can be found in the file "InstallUtil.Install.Log" in the installation directory; the default path is "C:\Program Files (x86)\SHService\InstallUtil.Install.Log".


The SharpHound Delegator Service won't start

Check the "TempDirectory" value in the configuration file "settings.json" described in SharpHound Enterprise Local Configuration.

If "TempDirectory" is null, the service account has not been granted local Administrator privileges. Add the service account to the local Administrators group and restart the service.

If "TempDirectory" is set to a directory, navigate to that directory, look for service.log, and review the message for errors. Common issues include:

  • RestEndpoint cannot be resolved
    • Validate that you properly configured the RestEndpoint value to match the domain name BloodHound Enterprise tenant in the format: "CODENAME.bloodhoundenterprise.io"
    • Validate that you can resolve the domain from the host using the command prompt.
  • RestEndpoint cannot be reached (timeout, connection rejected, etc)
    • Validate that firewall exclusions to your BloodHound Enterprise tenant have been created appropriately
    • If you need an explicit proxy, configure it within settings.json
    • Validate TLS 1.2 connectivity to your BloodHound Enterprise tenant over port 443

Updated