docs/install-data-collector/install-sharphound/system-requirements.mdx
2 additions & 0 deletions
@@ -37,6 +37,7 @@ To collect Active Directory data with SharpHound and ingest it into BloodHound f
37
37
*[LDAP channel signing](https://www.hub.trimarcsecurity.com/post/ldap-channel-binding-and-signing) is used for all queries.
38
38
*\[Optional\] If performing privileged collection (see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection))
39
39
* SMB/RPC on 445/TCP to all in-scope domain-joined Windows systems
40
+
* SMB/RPC on 135/TCP to all in-scope domain-joined Windows systems for NTLM relay-based collection
40
41
* Approximately 60-100kB network bandwidth per collection to each in-scope domain-joined Windows system
41
42
*\[Optional\] If performing DC Registry and CA Registry collection (see [DC Registry and CA Registry details](/collect-data/permissions))
42
43
* SMB/RPC on 445/TCP to all DCs and domain-joined CAs
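Review bot: The added bullet labels 135/TCP as "SMB/RPC", but 135/TCP is the RPC endpoint mapper, not SMB; SMB is already covered by the 445/TCP bullet directly above it. Suggest "* RPC endpoint mapper on 135/TCP to all in-scope domain-joined Windows systems for NTLM relay-based collection", and confirm whether any ports beyond 135/TCP are needed for that mode so the list is complete. "NTLM relay-based collection" also appears here for the first time without a link, while the sibling "[Optional]" items link to their detail pages; consider linking it to the page that describes that collection mode.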
@@ -49,6 +50,7 @@ The SharpHound Enterprise service will run as a domain-joined account and will u
49
50
* Granted "Log on as a service" User Rights Assignment on the SharpHound Enterprise server
50
51
*\[Optional\] If performing privileged collection (see [Why perform privileged collection in SharpHound](/collect-data/enterprise-collection/privileged-collection))
51
52
* Member of the local Administrators group on all in-scope domain-joined Windows systems
53
+
* SharpHound's privileged collection may also use RPC over 135/TCP to support NTLM relay-based collection. When enabling privileged/NTLM relay collection, ensure any firewall rules and endpoint protections allow RPC endpoint mapper traffic (135/TCP) as required.
52
54
*\[Optional\] If performing DC Registry and CA Registry collection (see [DC Registry and CA Registry details](/collect-data/permissions))
53
55
* Member of the local Administrators group on all domain controllers and domain-joined certificate authorities
54
56
*\[Optional\]: If Active Directory tombstoning is enabled
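Review bot: The added bullet is a network and firewall requirement placed in the service-account list, whose other items ("Log on as a service", "Member of the local Administrators group") describe account rights, and it restates the 135/TCP requirement that the first hunk adds to the network section. Suggest dropping it here, or reducing it to what the account itself needs for NTLM relay-based collection, and keeping the firewall and endpoint protection guidance next to the 135/TCP bullet in the network requirements. The hedges "may also use" and "as required" also leave the reader unsure whether 135/TCP must be open for this mode; state the requirement definitively.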