Deployment Process Overview
To collect Active Directory data with SharpHound and ingest it into BloodHound for analysis:
- Provision a server that meets or exceeds the recommended Hardware, Software, and Network requirements below.
- Create a service account or gMSA that SharpHound will run as, meeting the Service Account Requirements below.
- Install (or upgrade) SharpHound Enterprise.
- Create a BloodHound Enterprise collector client.
- Run an on-demand scan or create a data collection schedule.
Server Requirements
Hardware
| Resource | Minimum | Recommended | Large enterprise |
|---|---|---|---|
| Processor Cores | 2 physical cores | 4 physical cores | 6 physical cores |
| Memory | 4GB RAM | 16GB RAM | 32GB RAM |
| Hard disk space | 1GB for logging | 5GB for logging | 20GB for logging |
Software
- Windows Server 2019+
- .NET 4.7.2+
Network
- TLS on 443/TCP to your BloodHound Enterprise SaaS tenant URL (an outbound proxy is supported)
- LDAP to at least one domain controller in each domain requiring collection:
  - By default, SharpHound attempts LDAP over SSL first, then falls back to plain LDAP if SSL is unavailable.
  - LDAP over SSL on 636/TCP (configurable port)
  - LDAP on 389/TCP (configurable port)
  - LDAP over SSL can be enforced (no fallback to 389/TCP).
  - LDAP channel signing is requested for all queries.
- [Optional] If performing privileged collection (see Why perform privileged collection in SharpHound):
  - SMB/RPC on 445/TCP to all in-scope domain-joined Windows systems
  - RPC (endpoint mapper) on 135/TCP to all in-scope domain-joined Windows systems for NTLM relay-based collection
  - Approximately 60-100 kB of network traffic per collection to each in-scope domain-joined Windows system
- [Optional] If performing DC Registry and CA Registry collection (see DC Registry and CA Registry details):
  - SMB/RPC on 445/TCP to all DCs and domain-joined CAs
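The following pre-flight check is an added example, not part of the SharpHound Enterprise installer or documentation. Run it on the collector server as the intended service account: it tests 443/TCP to the tenant, then mirrors SharpHound's LDAP order against every DC (LDAPS on 636 first, signed LDAP on 389 as fallback), and finally tests 445/TCP and 135/TCP to the in-scope hosts needed for privileged collection. The tenant URL, domain name and host list are placeholder assumptions to replace with your own values.

```powershell
# Added example (not SharpHound Enterprise code): collector-side network pre-flight check.
# Assumed values: tenant URL, domain list and in-scope host list below are placeholders.
param(
    [string]$TenantUrl    = 'https://example.bloodhoundenterprise.io', # assumption
    [string[]]$Domains    = @('corp.example.com'),                    # assumption
    [string[]]$InScopeHosts = @('ws01.corp.example.com'),             # assumption
    [int]$LdapsPort = 636,
    [int]$LdapPort  = 389
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Target, [string]$Check, [bool]$Ok, [string]$Note = '') {
    $results.Add([pscustomobject]@{ Target = $Target; Check = $Check; Ok = $Ok; Note = $Note })
}

# Attempt a bind with the current (service) account credentials over the given port.
# $UseSsl = LDAPS; otherwise plain LDAP with signing and sealing requested.
function Test-LdapBind([string]$Server, [int]$Port, [bool]$UseSsl) {
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        if ($UseSsl) {
            $conn.SessionOptions.SecureSocketLayer = $true
        } else {
            $conn.SessionOptions.Signing = $true   # channel signing, as SharpHound requests
            $conn.SessionOptions.Sealing = $true
        }
        $conn.Bind()
        return $true
    } finally {
        $conn.Dispose()
    }
}

# 1. TLS to the tenant. Test-NetConnection ignores proxies; if you use one, this must
#    reach the proxy instead and the proxy must reach the tenant.
$tenantHost = ([uri]$TenantUrl).Host
$tcp = Test-NetConnection -ComputerName $tenantHost -Port 443 -WarningAction SilentlyContinue
Add-Result $tenantHost '443/TCP' $tcp.TcpTestSucceeded

# 2. LDAPS first, then LDAP fallback, against every DC in each domain.
$allDcs = @()
foreach ($domain in $Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
    $allDcs += $dcs
    foreach ($dc in $dcs) {
        try {
            Test-LdapBind -Server $dc -Port $LdapsPort -UseSsl $true | Out-Null
            Add-Result $dc "LDAPS/$LdapsPort" $true
        } catch {
            Add-Result $dc "LDAPS/$LdapsPort" $false $_.Exception.Message
            try {
                Test-LdapBind -Server $dc -Port $LdapPort -UseSsl $false | Out-Null
                Add-Result $dc "LDAP/$LdapPort (signed)" $true 'fallback only; fix LDAPS if you enforce it'
            } catch {
                Add-Result $dc "LDAP/$LdapPort (signed)" $false $_.Exception.Message
            }
        }
    }
}

# 3. Optional privileged collection (445 and 135 to in-scope hosts) and
#    DC Registry collection (445 to every DC).
foreach ($h in $InScopeHosts) {
    foreach ($port in 445, 135) {
        $t = Test-NetConnection -ComputerName $h -Port $port -WarningAction SilentlyContinue
        Add-Result $h "$port/TCP" $t.TcpTestSucceeded
    }
}
foreach ($dc in $allDcs) {
    $t = Test-NetConnection -ComputerName $dc -Port 445 -WarningAction SilentlyContinue
    Add-Result $dc '445/TCP (DC Registry)' $t.TcpTestSucceeded
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Ok }   # anything listed here needs a firewall or DC fix
```

A DC that fails the LDAPS bind but passes the signed LDAP bind will still be collected, but it is the case to fix before enabling LDAPS enforcement, since enforcement removes the 389/TCP fallback.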
Service Account Requirements
Run the SharpHound Enterprise service under a domain-joined account that has the Log on as a service User Rights Assignment on the SharpHound Enterprise server. This account can be a traditional user account or a Group Managed Service Account (gMSA). The service account needs permissions to collect data from your target domains and systems, but it does not need to be a member of Domain Admins.
For privileged collection, adding the account to local administrator groups on domain computers works. However, we recommend a least-privilege approach: grant only the permissions required for the specific data types you plan to collect.
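The gMSA path described above, as an added example (not SharpHound Enterprise's own installer): create a gMSA whose password only the collector's computer account can retrieve, install and verify it on the collector server, and grant it Log on as a service locally through secedit. The gMSA name, collector host name and domain are placeholder assumptions.

```powershell
# Added example (not SharpHound Enterprise code): gMSA for the collector plus the
# "Log on as a service" right. Assumed names: svc-sharphound, SHEC01, corp.example.com.
Import-Module ActiveDirectory

$gmsaName    = 'svc-sharphound'                 # assumption
$collector   = 'SHEC01'                         # assumption: collector server's computer account
$dnsHostName = "$gmsaName.corp.example.com"     # assumption

# --- On a DC or with RSAT, as a Domain Admin ---
# A KDS root key is a one-time prerequisite for gMSAs. -EffectiveImmediately still waits
# ~10 hours for replication in production; only a lab should backdate EffectiveTime.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Only the collector's computer account may retrieve the managed password, so the
# secret never lands on any other host.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword "$collector$" `
    -KerberosEncryptionType AES256

# --- On the collector server, elevated ---
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA $gmsaName cannot be retrieved on this host; check the principal list and KDS key age"
}

# Grant SeServiceLogonRight (Log on as a service) to the gMSA SID. secedit keeps the
# existing holders of the right, so this appends rather than replaces.
$sid = (Get-ADServiceAccount -Identity $gmsaName).SID.Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$content = Get-Content -Path $cfg
$existing = $content | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if ($existing) {
    if ($existing -notmatch [regex]::Escape($sid)) {
        $content = $content -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
    }
} else {
    # No one holds the right yet on this host: add it under [Privilege Rights].
    $content = $content -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $cfg -Value $content -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# Verify: the exported policy should now list the SID.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
(Get-Content $cfg | Select-String '^SeServiceLogonRight').Line
Remove-Item $cfg -ErrorAction SilentlyContinue
```

When the right is managed centrally, put the same SID in the GPO setting Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service scoped to the collector server instead of editing the local policy; a GPO that defines the right replaces the local list on refresh.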
| Data type | Default permissions | Least-privileged option |
|---|---|---|
| Active Directory Structure | Authenticated Users can read most required data via LDAP | Delegate additional read permissions where needed (for example, restricted AD objects and dMSA) |
| Local Group Membership | Local Administrators | Delegate Remote SAM access with Group Policy configuration |
| User Rights Assignments | Local Administrators | No known delegation path today |
| NTLM | Local Administrators | Delegate registry access with Group Policy or registry configuration |
| Sessions | Local Administrators | On Windows Server, Print Operators can be used; Windows desktops still require local Administrators |
| Certificate Services | Authenticated Users can collect most ADCS LDAP data | Already least-privileged by default for LDAP-collected certificate services data |
| CA Registry | Authenticated Users can collect CA registry data when AD CS is installed | No additional delegation is typically required |
| DC Registry | Local Administrators on domain controllers | Delegate access via Group Policy or registry configuration for required paths |
If Active Directory tombstoning is enabled, the service account must also have read permission on the Deleted Objects container of each collected domain (CN=Deleted Objects,<domain DN>), which by default only Domain Admins can read.
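The least-privileged options in the table, as an added example (not SharpHound Enterprise's own code): delegating Remote SAM access through the "Restrict clients allowed to make remote calls to SAM" setting, granting registry read on specific keys instead of local Administrators, and granting read on the Deleted Objects container. The gMSA name and domain are placeholder assumptions, and the registry key list is an illustrative placeholder; take the real key paths from the DC Registry and CA Registry details page.

```powershell
# Added example (not SharpHound Enterprise code): least-privilege delegation for the
# collector account. Assumptions: gMSA corp\svc-sharphound$, domain corp.example.com,
# and an illustrative registry key list (replace with the documented paths).
Import-Module ActiveDirectory

$gmsaName = 'svc-sharphound'                                         # assumption
$account  = "corp\$gmsaName$"                                         # assumption
$sid      = (Get-ADServiceAccount -Identity $gmsaName).SID.Value
$sidRef   = [System.Security.Principal.SecurityIdentifier]$sid

# 1. Local Group Membership without local Administrators.
#    Policy: "Network access: Restrict clients allowed to make remote calls to SAM".
#    Default SDDL O:BAG:BAD:(A;;RC;;;BA) allows Administrators only; append an ACE
#    granting RC (shown as "Remote Access" in the policy UI) to the collector SID.
#    Deploy this value via the GPO that targets in-scope hosts; the registry write
#    below is the equivalent local setting for a single host or a test.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsa -Name 'RestrictRemoteSam' -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $current) { $current = 'O:BAG:BAD:(A;;RC;;;BA)' }
if ($current -notlike "*$sid*") {
    Set-ItemProperty -Path $lsa -Name 'RestrictRemoteSam' -Value "$current(A;;RC;;;$sid)" -Type String
}

# 2. NTLM / DC Registry data without local Administrators: grant ReadKey on the
#    keys SharpHound reads. Remote registry access is additionally gated by the ACL on
#    ...\SecurePipeServers\winreg, so that key needs Read as well.
function Grant-RegistryRead([string]$KeyPath, [System.Security.Principal.IdentityReference]$Identity) {
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}
$registryKeys = @(                                                    # assumption: illustrative list
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)
foreach ($key in $registryKeys) {
    Grant-RegistryRead -KeyPath $key -Identity $sidRef
}

# 3. Deleted Objects container (tombstoned objects). Its ACL cannot be edited in ADUC
#    and only Domain Admins can read it by default: take ownership with dsacls, then
#    grant List Children + Read Property (LCRP) to the collector account.
$deletedObjects = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"
dsacls $deletedObjects /takeownership | Out-Null
dsacls $deletedObjects /G "${account}:LCRP" | Out-Null

# Verify each delegation.
(Get-ItemProperty -Path $lsa -Name 'RestrictRemoteSam').RestrictRemoteSam
foreach ($key in $registryKeys) {
    (Get-Acl -Path $key).Access | Where-Object { $_.IdentityReference -eq $account } |
        Select-Object @{n='Key';e={$key}}, RegistryRights, AccessControlType
}
dsacls $deletedObjects | Select-String $account
```

Run sections 1 and 2 on each in-scope host (or express them in the targeting GPO) and section 3 once per domain as a Domain Admin. User Rights Assignments have no delegation path today, so that data type still needs local Administrators if you collect it.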