Applies to BloodHound Enterprise only

Purpose

This article explains how to perform ad-hoc data collection for BloodHound Enterprise (BHE) using the SharpHound Community Edition (CE) collector. Use SharpHound CE when you cannot deploy SharpHound Enterprise. Examples include:
  • Environments with no internet access (such as SCADA or OT environments)
  • Merger and acquisition scenarios to assess risk before integration or consolidation of IT infrastructure
  • Quick deployment scenarios to do an initial assessment before a full SharpHound Enterprise deployment
SharpHound CE may require allow-listing in endpoint protection solutions, as it is unsigned and will likely be flagged as malicious.
SharpHound CE uses the same collection library as SharpHound Enterprise and therefore collects the same data. However, CE does not integrate with the SaaS portal, so it cannot provide portal status monitoring or configurable scheduled automatic collection and upload.

Prerequisites

The following prerequisites are required to perform ad-hoc data collection with SharpHound CE:
  • Logged in as a user with the Administrator, Power User, or Upload-only role
  • Access to an account and computer in the in-scope domain or a domain trusted by the in-scope domain

Process

The ad-hoc data collection process consists of two main steps: performing the data collection with SharpHound CE and uploading the collected data to BloodHound Enterprise.

Perform SharpHound CE data collection

This section outlines how to use SharpHound CE to collect data from the target environment.

1. Download SharpHound CE

Get the latest version of SharpHound CE using one of the following methods:
You can also compile SharpHound CE from the source code.

2. Extract SharpHound CE

Extract the contents of the downloaded ZIP archive to a working directory on the system where you plan to collect data.

3. Collect data

  1. Choose a collection method that meets your requirements.
  2. Open a PowerShell or Command Prompt window.
  3. Navigate to the directory where you extracted SharpHound CE.
  4. Start collection with the chosen method. For example, to perform a DCOnly collection:
    C:\> SharpHound.exe --CollectionMethods DCOnly
    
4. Locate collected data

After the collection completes, locate the output .zip file in the same directory where you ran SharpHound CE. The file name is in the format SharpHound-<timestamp>.zip.

Upload data to BloodHound Enterprise

This section outlines how to upload the collected data to BloodHound Enterprise for analysis.

1. Open the File Ingest page

In the left menu, click Administration > File Ingest.

2. Upload collected data

  1. Click Upload File(s).
  2. Click the modal, or drag and drop the output .zip file onto it, and then click Upload.
After the upload completes, you can verify the status on the File Ingest page.

Analyze Data and Use BloodHound Enterprise Features

  • Dashboard and Visualization: Review key insights and summaries.
  • Running Queries: Explore specific security aspects and visualize attack paths.
  • Posture Reporting: Visualize and track exposure within your enterprise.

Best Practices for Secure Environments

  • Minimize Data Collection Scope: Focus on necessary data to limit exposure.
  • Secure Data Handling: Ensure secure storage and handling of collected data.
  • Regular Updates and Maintenance: Keep SharpHound CE updated.
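
One way to apply the secure-handling practice to the collection steps above, for example when the archive has to be carried out of an environment with no internet access. This is an added example, not part of the original article or of BloodHound's own tooling. The working directory, the access-control choice, and the manifest file name are assumptions.

```powershell
# Added example: run the DCOnly collection, then lock down and fingerprint the archive.
param(
    [string]$WorkDir = 'C:\Collect\SharpHound',  # hypothetical extraction directory
    [string]$Pattern = 'SharpHound-*.zip'         # output name format stated in this article;
)                                                 # change it if your build names files differently

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

Set-Location -Path $WorkDir
$started = Get-Date

# Same command as in the "Collect data" step.
& .\SharpHound.exe --CollectionMethods DCOnly

# Pick the archive written by this run, not a leftover from an earlier one.
$zip = Get-ChildItem -Path $WorkDir -Filter $Pattern -File |
    Where-Object { $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $zip) { throw "No archive matching '$Pattern' was written after $started" }

# Restrict the archive to the collecting user, SYSTEM and local Administrators.
# /inheritance:r drops inherited ACEs; /grant:r replaces any explicit grants.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
& icacls.exe $zip.FullName /inheritance:r /grant:r "*${me}:F" '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Record a SHA-256 so the upload side can confirm the file was not altered in transit.
$hash = Get-FileHash -Path $zip.FullName -Algorithm SHA256
$manifest = "$($zip.FullName).manifest.json"      # hypothetical manifest name
[pscustomobject]@{
    File      = $zip.Name
    SizeBytes = $zip.Length
    SHA256    = $hash.Hash
    Collected = $started.ToUniversalTime().ToString('o')
    Host      = $env:COMPUTERNAME
} | ConvertTo-Json | Set-Content -Path $manifest -Encoding UTF8

Write-Output "Archive : $($zip.FullName)"
Write-Output "SHA256  : $($hash.Hash)"
Write-Output "Manifest: $manifest"
```

On the workstation used for the upload, run `Get-FileHash -Algorithm SHA256` against the transferred archive and compare the result with the manifest before uploading it on the File Ingest page.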

Outcome

After ingest and analysis are complete, BloodHound Enterprise presents a comprehensive report with actionable recommendations on the Attack Paths page.