Topic starter 16/08/2025 8:40 pm
SharpHound is the official data collector for BloodHound, a tool used to analyze and visualize relationships in Active Directory (AD) environments. SharpHound is essential for gathering the raw data that BloodHound uses to map out potential attack paths.
🧠 What Is SharpHound?
- A C#-based tool developed by SpecterOps.
- Collects data from domain controllers and domain-joined Windows systems.
- Uses Windows APIs and LDAP queries to enumerate users, groups, permissions, sessions, trusts, and more.
🛠️ How SharpHound Works
- Run SharpHound.exe on a domain-joined machine.
- It automatically detects your domain and starts collecting data using default methods.
- Outputs the results as JSON files, which are zipped and imported into BloodHound for analysis.
🔍 What It Collects
- Security group memberships
- Domain trusts
- Group Policy links
- Local admin group members
- Active user sessions
- Abusable rights on AD objects
- OU tree structure
- SQL admin links
- And more depending on the collection method used.
⚙️ Common Collection Methods
Method | Description |
---|---|
Default | Collects standard AD data (groups, sessions, trusts, etc.) |
DCOnly | Minimal footprint; targets only domain controllers |
Session | Tracks user logins across machines |
ACL | Gathers access control lists on AD objects |
Trusts | Maps domain trust relationships |
ObjectProps | Collects properties of AD objects |
Stealth | Reduces network impact by limiting queries |
🧪 Example Usage
```
SharpHound.exe -c All
SharpHound.exe -c Session --loop
SharpHound.exe --stealth
```
These commands collect all data, monitor sessions continuously, or run in stealth mode respectively.
🔐 Ethical Use Only
SharpHound should only be used in environments where you have explicit permission. It’s a powerful tool for:
- Red team operations
- Security audits
- Incident response
- AD hardening
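
When a collection archive turns up during an audit or incident response, the zipped JSON output described under "How SharpHound Works" can be inventoried before it is imported anywhere. The following is an added example, not part of the original post and not SharpHound or BloodHound code. It assumes each JSON member holds a `data` list and a `meta` object with `type` and `count`; the file names and sample values are constructed.

```python
import io
import json
import zipfile

def summarize_collection(zip_bytes, max_member_bytes=256 * 1024 * 1024):
    """One row per JSON member: type, declared count, actual count, status.

    Assumed member layout (not given on the page):
    {"data": [...], "meta": {"type": "<kind>", "count": <n>}}
    """
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".json"):
                continue
            row = {"file": info.filename, "type": None, "declared": None,
                   "actual": None, "status": "ok"}
            rows.append(row)
            if info.file_size > max_member_bytes:  # archive is untrusted input
                row["status"] = "skipped: too large"
                continue
            try:
                # utf-8-sig accepts files with or without a byte-order mark
                doc = json.loads(zf.read(info).decode("utf-8-sig"))
                row["type"] = doc["meta"].get("type")
                row["declared"] = doc["meta"].get("count")
                row["actual"] = len(doc["data"])
            except (ValueError, KeyError, TypeError, AttributeError) as exc:
                row["status"] = "unparsed: " + type(exc).__name__
                continue
            if row["declared"] != row["actual"]:
                row["status"] = "count mismatch"
    return rows

def build_sample_zip():
    """Constructed sample archive; names and values are made up."""
    users = {"data": [{"name": "ALICE@EXAMPLE.LOCAL"}, {"name": "BOB@EXAMPLE.LOCAL"}],
             "meta": {"type": "users", "count": 2}}
    groups = {"data": [{"name": "HELPDESK@EXAMPLE.LOCAL"}],
              "meta": {"type": "groups", "count": 3}}  # deliberately inconsistent
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_users.json", b"\xef\xbb\xbf" + json.dumps(users).encode())
        zf.writestr("sample_groups.json", json.dumps(groups))
        zf.writestr("sample_computers.json", "{truncated")
        zf.writestr("readme.txt", "not a data file")
    return buf.getvalue()

if __name__ == "__main__":
    for row in summarize_collection(build_sample_zip()):
        print(row)
```

A "count mismatch" or "unparsed" row points to a truncated or edited file, which is worth knowing before relying on any graph built from the archive.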