1337skills.com

Appearance

SharpHound Cheat Sheet

Overview

SharpHound is the official data collector for BloodHound, designed to gather information from Active Directory environments. It collects various types of data including domain trusts, local admin rights, session information, group memberships, and ACLs to help identify attack paths and privilege escalation opportunities in Active Directory environments.

⚠️ Warning: Only use SharpHound in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Pre-compiled Binaries

bash
# Download latest release from GitHub
wget https://github.com/BloodHoundAD/SharpHound/releases/latest/download/SharpHound.exe

# Download specific version
wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.1/SharpHound.exe

# Download PowerShell version
wget https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.ps1

Building from Source

bash
# Clone repository
git clone https://github.com/BloodHoundAD/SharpHound.git
cd SharpHound

# Build with .NET Framework
msbuild SharpHound.sln /p:Configuration=Release

# Build with .NET Core
dotnet build -c Release

# Output location
ls bin/Release/net*/SharpHound.exe

PowerShell Module Installation

powershell
# Import PowerShell module
Import-Module .\SharpHound.ps1

# Alternative: Download and execute in memory
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')

# Bypass execution policy if needed
powershell -ExecutionPolicy Bypass -File SharpHound.ps1

Basic Usage

Standard Collection

bash
# Basic collection (default: Default collection method)
SharpHound.exe

# Specify collection methods
SharpHound.exe -c All
SharpHound.exe -c Default,GPOLocalGroup
SharpHound.exe -c Session,LoggedOn,Trusts

# Collection with domain specification
SharpHound.exe -d example.com
SharpHound.exe -d example.com -c All

# Collection with specific domain controller
SharpHound.exe -d example.com -s dc01.example.com

PowerShell Usage

powershell
# Basic PowerShell collection
Invoke-BloodHound

# Collection with specific methods
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod Default,Session,Trusts

# Collection with domain specification
Invoke-BloodHound -Domain example.com
Invoke-BloodHound -Domain example.com -DomainController dc01.example.com

# Collection with credentials
$cred = Get-Credential
Invoke-BloodHound -Credential $cred -Domain example.com

Collection Methods

Available Collection Methods

bash
# Default - Standard collection (Group, LocalAdmin, Session, Trusts, ACL)
SharpHound.exe -c Default

# All - All collection methods
SharpHound.exe -c All

# Group - Group memberships
SharpHound.exe -c Group

# LocalAdmin - Local administrator rights
SharpHound.exe -c LocalAdmin

# RDP - Remote Desktop Protocol rights
SharpHound.exe -c RDP

# DCOM - Distributed COM rights
SharpHound.exe -c DCOM

# PSRemote - PowerShell remoting rights
SharpHound.exe -c PSRemote

# Session - User sessions
SharpHound.exe -c Session

# Trusts - Domain trusts
SharpHound.exe -c Trusts

# ACL - Access Control Lists
SharpHound.exe -c ACL

# Container - Container ACLs
SharpHound.exe -c Container

# GPOLocalGroup - Group Policy local groups
SharpHound.exe -c GPOLocalGroup

# LoggedOn - Logged on users
SharpHound.exe -c LoggedOn

# ObjectProps - Object properties
SharpHound.exe -c ObjectProps

# SPNTargets - Service Principal Name targets
SharpHound.exe -c SPNTargets

# CARegistry - Certificate Authority registry
SharpHound.exe -c CARegistry

Combined Collection Methods

bash
# Common combinations
SharpHound.exe -c Group,LocalAdmin,Session
SharpHound.exe -c Default,GPOLocalGroup,Container
SharpHound.exe -c All --ExcludeDCs

# Stealth collection (minimal noise)
SharpHound.exe -c Group,Trusts,ACL --Stealth

# Comprehensive collection
SharpHound.exe -c All --CollectAllProperties

Advanced Options

Authentication and Credentials

bash
# Use current user credentials
SharpHound.exe -d example.com

# Specify username and password
SharpHound.exe -d example.com -u username -p password

# Use domain\username format
SharpHound.exe -d example.com -u "EXAMPLE\username" -p password

# LDAP authentication
SharpHound.exe --LdapUsername username --LdapPassword password

# Kerberos authentication
SharpHound.exe --AuthType Kerberos

Output Options

bash
# Specify output directory
SharpHound.exe -d example.com --OutputDirectory C:\temp\

# Specify output filename prefix
SharpHound.exe -d example.com --OutputPrefix "audit_2024"

# Compress output (default)
SharpHound.exe -d example.com --ZipFileName audit.zip

# No compression
SharpHound.exe -d example.com --NoZip

# Pretty print JSON (larger files)
SharpHound.exe -d example.com --PrettyJson

# Randomize output filename
SharpHound.exe -d example.com --RandomFilenames

Performance and Stealth Options

bash
# Stealth mode (slower but less detectable)
SharpHound.exe -c All --Stealth

# Specify thread count
SharpHound.exe -c All --Threads 10

# LDAP timeout
SharpHound.exe -c All --LdapTimeout 120

# Skip port scanning
SharpHound.exe -c All --SkipPortScan

# Exclude domain controllers from certain collections
SharpHound.exe -c All --ExcludeDCs

# Throttle requests
SharpHound.exe -c All --Throttle 1000

# Jitter (randomize timing)
SharpHound.exe -c All --Jitter 20

Filtering Options

bash
# Exclude specific computers
SharpHound.exe -c All --ExcludeComputers "DC01,DC02"

# Computer filter
SharpHound.exe -c All --ComputerFile computers.txt

# Search forest
SharpHound.exe -c All --SearchForest

# Collect all properties
SharpHound.exe -c All --CollectAllProperties

# Skip registry collection
SharpHound.exe -c All --SkipRegistryLoggedOn

# Cache filename
SharpHound.exe -c All --CacheFilename cache.bin

# Invalidate cache
SharpHound.exe -c All --InvalidateCache

PowerShell Advanced Usage

Credential Management

powershell
# Create credential object
$username = "EXAMPLE\administrator"
$password = ConvertTo-SecureString "password123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $password)

# Use credential with SharpHound
Invoke-BloodHound -Credential $cred -Domain example.com -CollectionMethod All

# Pass-the-hash (requires additional tools)
# Use with Invoke-Mimikatz or similar tools first

Loop Collection

powershell
# Continuous collection loop
while ($true) {
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    Invoke-BloodHound -CollectionMethod Session,LoggedOn -OutputPrefix "sessions_$timestamp"
    Start-Sleep -Seconds 3600  # Wait 1 hour
}

# Scheduled collection
$trigger = New-ScheduledTaskTrigger -Daily -At "02:00AM"
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\tools\collect.ps1"
Register-ScheduledTask -TaskName "BloodHound Collection" -Trigger $trigger -Action $action

Multi-Domain Collection

powershell
# Collect from multiple domains
$domains = @("domain1.com", "domain2.com", "domain3.com")

foreach ($domain in $domains) {
    Write-Host "Collecting from $domain"
    Invoke-BloodHound -Domain $domain -CollectionMethod All -OutputPrefix $domain.Replace(".", "_")
}

Collection Strategies

Stealth Collection

bash
# Minimal footprint collection
SharpHound.exe -c Group,Trusts,ACL --Stealth --Threads 1

# Avoid session collection (noisy)
SharpHound.exe -c Default --ExcludeMethod Session

# Use LDAP only
SharpHound.exe -c Group,ACL --LdapOnly

# Randomize timing
SharpHound.exe -c All --Jitter 50 --Throttle 2000

Comprehensive Collection

bash
# Full environment mapping
SharpHound.exe -c All --CollectAllProperties --SearchForest

# Include certificate authorities
SharpHound.exe -c All,CARegistry

# Include container ACLs
SharpHound.exe -c All,Container

# Include GPO local groups
SharpHound.exe -c All,GPOLocalGroup

Targeted Collection

bash
# Focus on specific computers
SharpHound.exe -c LocalAdmin,Session --ComputerFile targets.txt

# Focus on high-value targets
SharpHound.exe -c All --ComputerFilter "DC*,EXCH*,SQL*"

# Focus on specific OUs
SharpHound.exe -c All --OU "OU=Servers,DC=example,DC=com"

Output Analysis

Understanding Output Files

bash
# Default output files
# computers.json - Computer objects and properties
# users.json - User objects and properties  
# groups.json - Group objects and memberships
# domains.json - Domain information and trusts
# gpos.json - Group Policy Objects
# ous.json - Organizational Units
# containers.json - Container objects

# Compressed output
# BloodHound_YYYYMMDD_HHMMSS.zip - All JSON files compressed

File Structure Analysis

bash
# Extract and examine files
unzip BloodHound_20240101_120000.zip

# Count objects collected
jq '.data | length' computers.json
jq '.data | length' users.json
jq '.data | length' groups.json

# Examine specific data
jq '.data[0]' computers.json  # First computer object
jq '.data[] | select(.Properties.name | contains("ADMIN"))' users.json  # Admin users

Import into BloodHound

bash
# Start BloodHound application
# File > Import Data > Select ZIP file

# Or use neo4j-admin import (for large datasets)
neo4j-admin import --database=bloodhound --nodes=computers.json --nodes=users.json --relationships=relationships.json

Automation Scripts

Batch Collection Script

powershell
#!/usr/bin/env powershell
# SharpHound Automation Script

param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$OutputDir = "C:\temp\bloodhound",
    [string]$CollectionMethod = "All",
    [switch]$Stealth,
    [int]$Threads = 10
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force
}

# Set collection parameters
$params = @{
    Domain = $Domain
    CollectionMethod = $CollectionMethod
    OutputDirectory = $OutputDir
    OutputPrefix = "$(Get-Date -Format 'yyyyMMdd_HHmmss')"
    Threads = $Threads
}

if ($Stealth) {
    $params.Add("Stealth", $true)
    $params.Threads = 1
}

try {
    Write-Host "[+] Starting SharpHound collection for domain: $Domain"
    Write-Host "[+] Collection method: $CollectionMethod"
    Write-Host "[+] Output directory: $OutputDir"
    
    # Import SharpHound module
    Import-Module .\SharpHound.ps1 -Force
    
    # Run collection
    Invoke-BloodHound @params
    
    Write-Host "[+] Collection completed successfully"
    
    # List output files
    Get-ChildItem $OutputDir -Filter "*.zip" | Sort-Object LastWriteTime -Descending | Select-Object -First 5
    
} catch {
    Write-Error "[-] Collection failed: $($_.Exception.Message)"
    exit 1
}

Multi-Domain Collection Script

bash
#!/bin/bash
# Multi-domain SharpHound collection

DOMAINS=("domain1.com" "domain2.com" "domain3.com")
OUTPUT_DIR="/tmp/bloodhound_collection"
SHARPHOUND_PATH="./SharpHound.exe"

# Create output directory
mkdir -p "$OUTPUT_DIR"

for domain in "${DOMAINS[@]}"; do
    echo "[+] Collecting from domain: $domain"
    
    # Create domain-specific directory
    domain_dir="$OUTPUT_DIR/${domain//./_}"
    mkdir -p "$domain_dir"
    
    # Run SharpHound
    wine "$SHARPHOUND_PATH" \
        -d "$domain" \
        -c All \
        --OutputDirectory "$domain_dir" \
        --OutputPrefix "${domain//./_}_$(date +%Y%m%d_%H%M%S)" \
        --Stealth \
        --Threads 5
    
    if [ $? -eq 0 ]; then
        echo "[+] Collection completed for $domain"
    else
        echo "[-] Collection failed for $domain"
    fi
    
    # Wait between collections
    sleep 60
done

echo "[+] All collections completed"
ls -la "$OUTPUT_DIR"/*/*.zip

Continuous Monitoring Script

powershell
# Continuous session monitoring
param(
    [int]$IntervalMinutes = 60,
    [string]$OutputDir = "C:\temp\sessions"
)

while ($true) {
    try {
        $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
        $outputPrefix = "sessions_$timestamp"
        
        Write-Host "[$(Get-Date)] Starting session collection..."
        
        Invoke-BloodHound -CollectionMethod Session,LoggedOn -OutputDirectory $OutputDir -OutputPrefix $outputPrefix
        
        Write-Host "[$(Get-Date)] Session collection completed"
        
        # Clean up old files (keep last 24 hours)
        $cutoffTime = (Get-Date).AddHours(-24)
        Get-ChildItem $OutputDir -Filter "sessions_*.zip" | Where-Object { $_.LastWriteTime -lt $cutoffTime } | Remove-Item -Force
        
    } catch {
        Write-Error "[$(Get-Date)] Collection failed: $($_.Exception.Message)"
    }
    
    Start-Sleep -Seconds ($IntervalMinutes * 60)
}

Integration Examples

SIEM Integration

powershell
# Export to SIEM-friendly format
function Export-BloodHoundToSIEM {
    param(
        [string]$BloodHoundZip,
        [string]$OutputFile
    )
    
    # Extract ZIP
    $tempDir = New-TemporaryFile | ForEach-Object { Remove-Item $_; New-Item -ItemType Directory -Path $_ }
    Expand-Archive -Path $BloodHoundZip -DestinationPath $tempDir
    
    # Process each JSON file
    $siemData = @()
    
    Get-ChildItem $tempDir -Filter "*.json" | ForEach-Object {
        $data = Get-Content $_.FullName | ConvertFrom-Json
        
        foreach ($item in $data.data) {
            $siemData += [PSCustomObject]@{
                Timestamp = Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
                Source = "BloodHound"
                Type = $_.BaseName
                ObjectName = $item.Properties.name
                Domain = $item.Properties.domain
                Data = ($item | ConvertTo-Json -Compress)
            }
        }
    }
    
    # Export to CSV for SIEM ingestion
    $siemData | Export-Csv -Path $OutputFile -NoTypeInformation
    
    # Cleanup
    Remove-Item $tempDir -Recurse -Force
}

# Usage
Export-BloodHoundToSIEM -BloodHoundZip "collection.zip" -OutputFile "bloodhound_siem.csv"

Automated Analysis

python
#!/usr/bin/env python3
import json
import zipfile
import os
from datetime import datetime

class BloodHoundAnalyzer:
    def __init__(self, zip_path):
        self.zip_path = zip_path
        self.data = {}
        self.extract_data()
    
    def extract_data(self):
        """Extract and load BloodHound data"""
        with zipfile.ZipFile(self.zip_path, 'r') as zip_ref:
            for file_name in zip_ref.namelist():
                if file_name.endswith('.json'):
                    with zip_ref.open(file_name) as json_file:
                        data_type = file_name.replace('.json', '')
                        self.data[data_type] = json.load(json_file)
    
    def analyze_admin_rights(self):
        """Analyze local admin rights"""
        admin_rights = []
        
        if 'computers' in self.data:
            for computer in self.data['computers']['data']:
                if 'LocalAdmins' in computer:
                    for admin in computer['LocalAdmins']:
                        admin_rights.append({
                            'computer': computer['Properties']['name'],
                            'admin': admin['ObjectIdentifier'],
                            'type': admin['ObjectType']
                        })
        
        return admin_rights
    
    def find_high_value_targets(self):
        """Identify high-value targets"""
        hvt = []
        
        if 'users' in self.data:
            for user in self.data['users']['data']:
                if user['Properties'].get('highvalue', False):
                    hvt.append({
                        'name': user['Properties']['name'],
                        'domain': user['Properties']['domain'],
                        'enabled': user['Properties'].get('enabled', False)
                    })
        
        return hvt
    
    def analyze_domain_trusts(self):
        """Analyze domain trusts"""
        trusts = []
        
        if 'domains' in self.data:
            for domain in self.data['domains']['data']:
                if 'Trusts' in domain:
                    for trust in domain['Trusts']:
                        trusts.append({
                            'source': domain['Properties']['name'],
                            'target': trust['TargetDomainName'],
                            'direction': trust['TrustDirection'],
                            'type': trust['TrustType']
                        })
        
        return trusts
    
    def generate_report(self):
        """Generate analysis report"""
        report = {
            'timestamp': datetime.now().isoformat(),
            'source_file': self.zip_path,
            'admin_rights': self.analyze_admin_rights(),
            'high_value_targets': self.find_high_value_targets(),
            'domain_trusts': self.analyze_domain_trusts(),
            'statistics': {
                'total_computers': len(self.data.get('computers', {}).get('data', [])),
                'total_users': len(self.data.get('users', {}).get('data', [])),
                'total_groups': len(self.data.get('groups', {}).get('data', []))
            }
        }
        
        return report

# Usage
if __name__ == "__main__":
    import sys
    
    if len(sys.argv) != 2:
        print("Usage: python3 analyze_bloodhound.py <bloodhound_zip>")
        sys.exit(1)
    
    analyzer = BloodHoundAnalyzer(sys.argv[1])
    report = analyzer.generate_report()
    
    # Save report
    with open('bloodhound_analysis.json', 'w') as f:
        json.dump(report, f, indent=2)
    
    print(f"[+] Analysis complete. Report saved to bloodhound_analysis.json")
    print(f"[+] Found {len(report['admin_rights'])} admin relationships")
    print(f"[+] Found {len(report['high_value_targets'])} high-value targets")
    print(f"[+] Found {len(report['domain_trusts'])} domain trusts")

Troubleshooting

Common Issues

Authentication Problems

bash
# Test LDAP connectivity
ldapsearch -H ldap://dc01.example.com -D "username@example.com" -W -b "DC=example,DC=com" "(objectClass=user)"

# Verify Kerberos tickets
klist

# Clear Kerberos cache
kdestroy

# Test with different authentication methods
SharpHound.exe -d example.com --AuthType Negotiate
SharpHound.exe -d example.com --AuthType Ntlm
SharpHound.exe -d example.com --AuthType Kerberos

Permission Issues

bash
# Check current user permissions
whoami /groups
whoami /priv

# Test with different user context
runas /user:DOMAIN\username SharpHound.exe

# Verify domain controller accessibility
nslookup example.com
telnet dc01.example.com 389
telnet dc01.example.com 636

Collection Failures

bash
# Enable verbose logging
SharpHound.exe -c All --Verbose

# Check for specific errors
SharpHound.exe -c All --Debug

# Test individual collection methods
SharpHound.exe -c Group --Verbose
SharpHound.exe -c LocalAdmin --Verbose
SharpHound.exe -c Session --Verbose

# Reduce thread count
SharpHound.exe -c All --Threads 1

# Increase timeouts
SharpHound.exe -c All --LdapTimeout 300 --Timeout 300

Network Issues

bash
# Test network connectivity
ping dc01.example.com
nmap -p 389,636,3268,3269 dc01.example.com

# Check firewall rules
netsh advfirewall firewall show rule name=all | findstr LDAP

# Test with different ports
SharpHound.exe -d example.com --LdapPort 389
SharpHound.exe -d example.com --LdapPort 636 --SecureLdap

Performance Optimization

bash
# Optimize for large environments
SharpHound.exe -c All --Threads 20 --Throttle 0

# Use caching for repeated collections
SharpHound.exe -c All --CacheFilename cache.bin
SharpHound.exe -c Session --CacheFilename cache.bin  # Reuse cache

# Skip expensive operations
SharpHound.exe -c All --SkipPortScan --ExcludeDCs

# Use stealth mode for sensitive environments
SharpHound.exe -c All --Stealth --Jitter 30

Memory and Storage Issues

bash
# Monitor memory usage
Get-Process SharpHound | Select-Object ProcessName, WorkingSet, VirtualMemorySize

# Use compression
SharpHound.exe -c All --CompressData

# Split large collections
SharpHound.exe -c Group,ACL --OutputPrefix "part1"
SharpHound.exe -c Session,LocalAdmin --OutputPrefix "part2"

# Clean up temporary files
Remove-Item $env:TEMP\SharpHound* -Force

Resources

This cheat sheet provides a comprehensive reference for using SharpHound for Active Directory data collection. Always ensure you have proper authorization before using this tool in any environment.