Overview

The SharpHound integration connects the Praetorian Guard Platform (PGP) with Active Directory attack path data collected by SharpHound, the official data collector for BloodHound. By uploading SharpHound export files into PGP, security teams can analyze Active Directory relationships, identify attack paths, and discover privilege escalation opportunities within their internal environment.

Active Directory remains the backbone of identity and access management for most enterprises, and misconfigurations in AD often create exploitable attack paths that adversaries use for lateral movement and privilege escalation. SharpHound collects detailed information about AD objects -- users, computers, groups, domains, GPOs, OUs, and their relationships -- and PGP parses this data to build a comprehensive model of your AD security posture.

Unlike API-based integrations, the SharpHound integration is a file-based import. You collect data offline using SharpHound, upload the resulting ZIP archive to PGP, and PGP processes the BloodHound JSON files to extract AD objects and relationships. This approach supports air-gapped environments and does not require direct network connectivity between PGP and your Active Directory.

What the Integration Does

The SharpHound integration accepts BloodHound-format ZIP archives containing JSON files produced by SharpHound. PGP downloads the uploaded archive, extracts the JSON files, and streams each file through a parser that converts BloodHound data into PGP's internal AD object and relationship models.

The parsing process involves several stages:

  • JSON Streaming -- Each BloodHound JSON file is streamed and parsed to extract AD nodes (objects) and their relationships (ACEs, group memberships, GPO links, trust relationships, local group memberships, delegation permissions, and containment hierarchies).
  • Well-Known Entity Generation -- PGP generates well-known AD objects and relationships (such as built-in groups and default containers) based on discovered domains and their SIDs.
  • Relationship Processing -- Cached relationships are resolved against their source and target objects, producing finalized AD relationship models.
  • Object Cleaning -- Object identifiers are normalized, invalid objects are filtered out, and the final set of AD objects and relationships is emitted for storage in PGP.

The integration processes the following BloodHound data types: users, computers, groups, domains, GPOs, OUs, containers, and issuance policies. Each type is identified from the file metadata and processed accordingly.

All imported data maps to PGP's internal attack surface. The uploaded SharpHound file is deleted after processing.

Prerequisites

Before setting up the SharpHound integration, ensure you have:

  • SharpHound collected data in BloodHound ZIP format (compatible with BloodHound CE / SharpHound v2)
  • Access to run SharpHound against your Active Directory environment (typically requires a domain-joined machine with a domain user account)
  • The resulting ZIP archive uploaded or accessible for import into PGP

Collecting Data with SharpHound

  • Download the latest SharpHound release from the [BloodHound GitHub repository](https://github.com/BloodHoundAD/SharpHound).
  • Run SharpHound on a domain-joined Windows machine with a domain user account:

    ```
    SharpHound.exe --collectionmethods All
    ```

  • SharpHound will produce a timestamped ZIP archive (e.g., 20240115120000_BloodHound.zip) containing JSON files for each AD object type.
  • Transfer the ZIP archive to a location where you can upload it to PGP.

Collection Methods

SharpHound supports various collection methods. The `All` method provides the most comprehensive data, but you can use specific methods as needed:

| Collection Method | Description |
| --- | --- |
| All | Collects all available data (recommended for full analysis) |
| Default | Collects group membership, domain trusts, ACLs, and sessions |
| DCOnly | Collects data only from domain controllers (no endpoint enumeration) |
| Session | Collects user session data from computers |
| ACL | Collects ACL/ACE data for AD objects |

Setup

  • In PGP, navigate to the Integrations page.
  • Select SharpHound from the list of available integrations.
  • Upload your SharpHound ZIP archive using the file upload interface.
  • PGP will begin processing the file automatically. Processing time depends on the size of your AD environment.

Field Reference

| Field | Description | Required |
| --- | --- | --- |
| SharpHound ZIP File | The BloodHound-format ZIP archive produced by SharpHound | Yes |

What Data Is Synced

AD Objects (Assets)

The integration imports Active Directory objects as internal assets within PGP.

| Object Type | Source File | Description |
| --- | --- | --- |
| Users | `*_users.json` | Domain user accounts including properties like enabled status, SID, and group memberships |
| Computers | `*_computers.json` | Domain-joined computers with OS information, enabled status, and service principal names |
| Groups | `*_groups.json` | Security and distribution groups with their membership lists |
| Domains | `*_domains.json` | AD domains with trust relationships, domain SID, and functional level |
| GPOs | `*_gpos.json` | Group Policy Objects with their properties and linked containers |
| OUs | `*_ous.json` | Organizational Units with their containment hierarchy |
| Containers | `*_containers.json` | AD containers with their child objects |

AD Relationships (Risks)

The integration imports relationships between AD objects, which represent potential attack paths.

| Relationship Type | Description |
| --- | --- |
| MemberOf | Group membership relationships |
| AdminTo | Local administrator privileges on computers |
| HasSession | Active user sessions on computers |
| GenericAll | Full control permissions on AD objects |
| GenericWrite | Write permissions on AD objects |
| WriteDacl | Ability to modify access control lists |
| WriteOwner | Ability to change object ownership |
| ForceChangePassword | Ability to reset another user's password |
| AddMember | Ability to add members to a group |
| GPLink | Group Policy links to OUs and domains |
| Contains | Containment hierarchy (OU contains objects) |
| TrustedBy | Domain trust relationships |
| AllowedToDelegate | Kerberos delegation permissions |
| DCSync | Replication rights that enable DCSync attacks |
| CanRDP | Remote Desktop access permissions |
| CanPSRemote | PowerShell remoting access permissions |
| ExecuteDCOM | DCOM execution permissions |

Well-Known Entities

PGP automatically generates well-known AD objects and relationships for each discovered domain, including built-in groups (Domain Admins, Enterprise Admins, etc.) and their standard relationships. This ensures that the AD model is complete even if SharpHound did not enumerate every built-in object.

API Endpoints Used

This integration does not use external API endpoints. It is a file-based import that processes BloodHound JSON data uploaded directly to PGP.

| Operation | Method | Description |
| --- | --- | --- |
| File Upload | PGP Upload | SharpHound ZIP archive is uploaded to PGP's secure file storage |
| File Processing | Internal | PGP downloads the archive from internal storage, extracts JSON files, and processes them |
| File Cleanup | Internal | The uploaded archive is deleted after successful processing |

Troubleshooting

| Issue | Cause | Fix |
| --- | --- | --- |
| "Failed to read seed file" | The uploaded file could not be downloaded from PGP's internal storage | Re-upload the SharpHound ZIP archive and retry the import |
| "Failed to parse sharphound files" | The ZIP archive contains invalid or incompatible JSON files | Ensure the archive was produced by a supported version of SharpHound (BloodHound CE compatible). Verify the ZIP contains valid JSON files |
| "Failed to download and extract ZIP files" | The uploaded file is corrupted or not a valid ZIP archive | Verify the file is a valid ZIP by extracting it locally, then re-upload |
| Processing takes several hours | Very large AD environments with hundreds of thousands of objects | This is expected for large environments. The integration supports up to 6 hours of processing time |
| Missing relationships or objects | SharpHound collection was limited to specific methods or encountered access errors | Re-run SharpHound with `--collectionmethods All` and ensure the collecting user has adequate permissions |
| "Missing domain property" or "missing domain SID property" | Some AD objects have incomplete metadata | This typically indicates a partially corrupted collection. Re-run SharpHound to collect fresh data |

Security and Data Handling

The SharpHound integration processes data from uploaded files rather than connecting to external APIs. The uploaded SharpHound ZIP archive is stored temporarily in PGP's encrypted file storage and is deleted after processing is complete.

Active Directory data imported from SharpHound includes object metadata such as names, SIDs, group memberships, and permission relationships. PGP does not import or store user passwords, password hashes, Kerberos tickets, or any authentication secrets from the SharpHound data.

Because this is a file-based import, no persistent credentials are stored for this integration. Each import is a one-time operation that processes the uploaded file and removes it upon completion. To update the AD data in PGP, collect new data with SharpHound and upload a fresh archive.
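
A pre-upload check for the archive problems listed under Troubleshooting, added here as an example and not part of PGP or SharpHound: it confirms the file is a readable ZIP, that each JSON file parses and carries `meta.type` and `data`, and that every object has a domain and domain SID. The `meta`/`data` layout and the `Properties.domain` / `Properties.domainsid` key names are assumptions about SharpHound's output format, and the sample archive is constructed.

```python
import io
import json
import zipfile

def check_archive(zip_bytes):
    """Return (object counts per meta.type, list of problems) for a SharpHound ZIP."""
    counts, problems = {}, []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return counts, ["not a valid ZIP archive"]
    with archive:
        names = [n for n in archive.namelist() if n.lower().endswith(".json")]
        if not names:
            problems.append("archive contains no JSON files")
        for name in names:
            try:
                # utf-8-sig tolerates a byte-order mark at the start of the file
                doc = json.loads(archive.read(name).decode("utf-8-sig"))
                kind = str(doc["meta"]["type"])
                objects = [o for o in doc["data"] if isinstance(o, dict)]
            except (ValueError, KeyError, TypeError):
                problems.append(f"{name}: invalid JSON or missing meta/data")
                continue
            counts[kind] = counts.get(kind, 0) + len(objects)
            for obj in objects:
                props = obj.get("Properties")
                if not isinstance(props, dict):
                    props = {}
                for key in ("domain", "domainsid"):  # assumed property names
                    if not props.get(key):
                        problems.append(f"{name}: {obj.get('ObjectIdentifier')} missing {key}")
    return counts, problems

def build_sample():
    """Constructed archive: one complete users file, one groups file missing domainsid."""
    sid = "S-1-5-21-1-2-3"
    user = {"ObjectIdentifier": sid + "-1104",
            "Properties": {"domain": "EXAMPLE.LOCAL", "domainsid": sid}}
    group = {"ObjectIdentifier": sid + "-512", "Properties": {"domain": "EXAMPLE.LOCAL"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for kind, obj in (("users", user), ("groups", group)):
            doc = {"meta": {"type": kind, "count": 1}, "data": [obj]}
            z.writestr(f"20240115120000_{kind}.json", json.dumps(doc))
    return buf.getvalue()

if __name__ == "__main__":
    print(check_archive(build_sample()))
```

To check a real collection, pass the file's bytes, for example `check_archive(open(path, "rb").read())`. Comparing the per-type counts against the expected size of the domain also shows when a collection was limited to specific methods.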