SpecterOps BloodHound Enterprise requires installation of the SharpHound Enterprise on-premises agent, a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis. SharpHound Enterprise is generally deployed on a single, domain-joined Windows system per domain, and runs as a domain user account.
The AzureHound Enterprise service collects and uploads data about your Azure environment to your BloodHound Enterprise instance for processing and analysis. AzureHound Enterprise is generally deployed on a single Windows system per Azure tenant, and may run on the same system as your SharpHound Enterprise service account.
SharpHound (on-premises Active Directory collection)
AzureHound (Azure collection)
Active Directory enumeration represents the most basic information required for BloodHound Enterprise. Additionally, SharpHound Enterprise enumerates local groups and sessions on all domain-joined Microsoft systems for ideal visibility.
Service Account Permissions
Service Network Access
Domain user account with rights to read Deleted Objects.
LDAP on 389/TCP to at least one domain controller
Local Groups and User Sessions (Privileged)
Local admin on workstations and servers
SMB on 445/TCPto all domain-joined systems
Directory Reader on Azure AD Tenant, Reader on all Azure Subscriptions, AppRoleAssignment.ReadWrite.All and RoleManagement.Read.All on Microsoft Graph
TLS on 443/TCP to your tenant