If you’ve spent any time exploring Active Directory (AD) security or penetration testing, you’ve probably come across SharpHound. It’s one of the most widely used tools for mapping relationships within a Windows domain—but how does it actually work behind the scenes?
This article breaks it down in a clear, practical way. Whether you’re a cybersecurity student, red teamer, or defender trying to understand attack paths, you’ll walk away with a solid understanding of how SharpHound operates and why it matters.
What Is SharpHound?
SharpHound is a data collection tool used with BloodHound, a popular Active Directory analysis platform. While BloodHound visualizes relationships and attack paths, SharpHound is responsible for gathering the raw data from the environment.
Think of it like this:
- SharpHound = data collector
- BloodHound = data analyzer and visualizer
SharpHound is written in C# and is designed to efficiently query Active Directory environments to uncover relationships between users, computers, groups, and permissions.
Why SharpHound Is Important
Before diving into how it works, it’s important to understand why it exists.
In complex enterprise environments, permissions and relationships can become extremely messy over time. Misconfigurations can unintentionally give low-privileged users paths to high-level access.
SharpHound helps uncover:
- Privilege escalation paths
- Misconfigured permissions
- Trust relationships
- Lateral movement opportunities
This makes it valuable for both:
- Attackers (red teams): to identify paths to domain admin
- Defenders (blue teams): to fix security weaknesses
How SharpHound Works: The Big Picture
At a high level, SharpHound works in three main steps:
- Data Collection: SharpHound queries Active Directory and local systems to gather information.
- Data Structuring: it organizes the collected data into JSON files.
- Data Export: the output is imported into BloodHound for analysis.
Now let’s break each of these down in detail.
Step 1: Data Collection
This is where SharpHound does most of its heavy lifting.
SharpHound uses a combination of techniques to gather data:
LDAP Queries
The primary method SharpHound uses is LDAP (Lightweight Directory Access Protocol).
It queries domain controllers to extract information such as:
- Users
- Groups
- Computers
- Organizational Units (OUs)
- Group memberships
These queries are efficient and relatively stealthy compared to other techniques.
Windows API Calls
SharpHound also leverages Windows APIs to gather local system information, including:
- Local administrator groups
- Logged-on users
- Session information
This helps identify where users are currently active—critical for lateral movement analysis.
SMB and Remote Queries
To gather session and local admin data from remote machines, SharpHound uses SMB (Server Message Block).
This allows it to:
- Check which users have admin rights on systems
- Identify active sessions across machines
Registry and Service Data
SharpHound can also collect:
- Service account configurations
- Registry-based permissions
These often reveal hidden privilege escalation paths.
Step 2: Types of Data SharpHound Collects
SharpHound doesn’t just grab random information—it collects specific datasets that are useful for mapping attack paths.
Here are the most important ones:
Group Memberships
It identifies:
- Which users belong to which groups
- Nested group relationships
This is crucial because group memberships often grant elevated privileges.
Local Admin Rights
SharpHound determines:
- Which users have administrative rights on which machines
This is key for lateral movement—if you’re admin on one machine, you may pivot to others.
User Sessions
It identifies:
- Who is logged into which machines
Why this matters:
If a high-privilege user is logged into a system you control, you may be able to escalate privileges.
Access Control Lists (ACLs)
One of SharpHound’s most powerful features is collecting ACL data.
It reveals:
- Who can modify users or groups
- Who can reset passwords
- Who can add members to privileged groups
These permissions often create indirect paths to domain admin access.
Trust Relationships
In multi-domain environments, SharpHound maps:
- Domain trusts
- Cross-domain permissions
This helps identify attack paths that span multiple domains.
Object Properties
SharpHound gathers metadata about AD objects, including:
- Account status
- SPNs (Service Principal Names)
- Delegation settings
These properties can reveal advanced attack opportunities like Kerberoasting or delegation abuse.
Step 3: Data Structuring and Output
After collecting all this information, SharpHound organizes it into structured JSON files.
These files typically include:
- Users.json
- Groups.json
- Computers.json
- Sessions.json
- ACLs.json
Each file represents a specific dataset, making it easier for BloodHound to process.
Step 4: Importing into BloodHound
Once SharpHound completes data collection, the output is imported into BloodHound.
BloodHound then:
- Builds a graph database
- Maps relationships between objects
- Identifies shortest paths to high-value targets
This is where the magic happens—complex AD environments become visual and easy to analyze.
How SharpHound Finds Attack Paths
SharpHound itself doesn’t calculate attack paths—that’s BloodHound’s job.
However, SharpHound enables this by collecting relationship data such as:
- “User A is a member of Group B”
- “Group B has admin rights on Computer C”
- “Computer C has a session from User D”
When combined, these relationships form chains that can lead to privilege escalation.
Example path:
- Low-privileged user
- Member of a group
- Group has local admin access
- Machine has a domain admin session
Result: Full domain compromise
Collection Methods and Modes
SharpHound supports different collection methods depending on your needs.
Common Collection Types
- Default: Balanced collection of common data
- All: Collects everything (more thorough, more noise)
- Session: Focuses on active user sessions
- ACL: Focuses on permissions
Stealth vs. Speed
SharpHound can be tuned for:
- Stealth: Slower, fewer queries, less detection risk
- Speed: Faster, more aggressive scanning
This flexibility makes it useful in both offensive and defensive scenarios.
Performance Optimization
SharpHound is designed to be efficient, even in large environments.
It achieves this through:
- Multi-threading
- Query batching
- Caching results
- Limiting redundant requests
This ensures minimal impact on domain controllers while still collecting comprehensive data.
Detection and Security Considerations
While SharpHound is powerful, it is not invisible.
Potential Detection Methods
- Unusual LDAP query patterns
- SMB enumeration activity
- High-volume network requests
- Endpoint detection tools (EDR)
Organizations can monitor for these behaviors to detect unauthorized use.
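The SMB enumeration and high-volume request patterns listed above show up on the target hosts as a burst of network logons from one account and source address. The script below is an added example (not part of the original article, and not a SharpHound or BloodHound component) of a detection run over constructed log lines: it parses a simplified one-line form of Windows Security event 4624 (successful logon), keeps only logon type 3 (network), and flags any account/source pair that reaches a threshold of distinct hosts within a sliding time window. The line format, host names, account names and addresses are all constructed for the example; real events are EVTX/XML records with the same underlying fields (Logon Type, Account Name, Source Network Address).

```python
"""Added example: flag the host fan-out that session/local-admin enumeration over
SMB produces, using constructed network-logon records."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed, simplified logon records. Each line stands in for a Windows
# Security event 4624 as logged on the *target* host; the fields map to the
# event's Logon Type, Account Name, Source Network Address and the computer
# that recorded it. Real events are EVTX/XML, not this one-line form.
SAMPLE_LOG = """
2024-05-01T08:50:00Z 4624 LogonType=3 Account=jsmith SourceIP=10.0.7.31 Host=FS01
2024-05-01T08:59:00Z 4624 LogonType=2 Account=svc-audit SourceIP=10.0.5.20 Host=WS-ADMIN
2024-05-01T09:00:01Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV01
2024-05-01T09:00:06Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV02
2024-05-01T09:00:11Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV03
2024-05-01T09:00:16Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV04
2024-05-01T09:00:21Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV05
2024-05-01T09:00:26Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV06
2024-05-01T09:00:31Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV07
2024-05-01T09:00:36Z 4624 LogonType=3 Account=svc-audit SourceIP=10.0.5.20 Host=SRV08
2024-05-01T09:30:00Z 4624 LogonType=3 Account=jsmith SourceIP=10.0.7.31 Host=FS02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<lt>\d+) Account=(?P<acct>\S+) "
    r"SourceIP=(?P<ip>\S+) Host=(?P<host>\S+)$")


def parse(lines):
    """Parse the constructed records into (timestamp, event_id, logon_type, account, ip, host)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, int(m["eid"]), int(m["lt"]), m["acct"], m["ip"], m["host"]))
    return sorted(events)


def smb_fanout(events, window_seconds=60, threshold=5):
    """Return {(account, source_ip): distinct_hosts} for every source that reached
    at least `threshold` distinct hosts with network logons inside one window."""
    by_source = defaultdict(list)
    for ts, eid, lt, acct, ip, host in events:
        if eid == 4624 and lt == 3:   # type 3 = network logon, which SMB enumeration produces
            by_source[(acct, ip)].append((ts, host))
    alerts = {}
    for key, hits in by_source.items():
        best = 0
        for i, (start, _) in enumerate(hits):   # slide a window starting at each hit
            hosts = {h for ts, h in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(hosts))
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (acct, ip), n in smb_fanout(parse(SAMPLE_LOG.splitlines())).items():
        print(f"ALERT: {acct} from {ip} reached {n} distinct hosts within 60s")
```

The interactive (type 2) logon and the two slow file-server logons fall below the threshold; only the eight-host burst is reported. In practice the window and threshold need a baseline, because vulnerability scanners and management tooling fan out in the same way, so this signal is best paired with LDAP-side indicators from the domain controllers rather than used alone.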
Defensive Use of SharpHound
SharpHound isn’t just for attackers—it’s also widely used by defenders.
Security teams use it to:
- Audit Active Directory environments
- Identify privilege escalation risks
- Fix misconfigurations before attackers exploit them
Real-World Example
Let’s say a company has:
- A helpdesk group
- That group can reset passwords for another group
- That second group has admin rights on servers
Individually, these permissions may seem harmless.
But SharpHound reveals:
Helpdesk → Password Reset → Admin Group → Server Access
That’s a full escalation path.
Without a tool like SharpHound, this chain might go unnoticed.
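To make the chain concrete, here is an added example (not code from the article, SharpHound or BloodHound) that does in miniature what BloodHound does with SharpHound's output: it reads a set of constructed JSON documents modelled on the shape of the per-type files described in Step 3, turns group memberships, ACEs, local admin rights and sessions into directed edges, and runs a breadth-first search for the shortest chain between two objects. The sample data encodes the helpdesk scenario above (helpdesk can reset a password of a server-admin group member, and a server has a Domain Admins session). The SIDs, names and the exact JSON keys (ObjectIdentifier, Properties, Aces, Members, LocalAdmins, Sessions, meta) are assumptions reproduced only as far as this example reads them; the real files carry many more fields.

```python
"""Added example: build a relationship graph from SharpHound-style JSON and
find the shortest chain between two objects (what BloodHound does at scale)."""
import json
from collections import deque

# Constructed SIDs for a sample domain; not real identifiers.
DOM = "S-1-5-21-1111-2222-3333"
ALICE, BOB, DAVE = f"{DOM}-1001", f"{DOM}-1002", f"{DOM}-1003"
HELPDESK, SERVER_ADMINS, DOMAIN_ADMINS = f"{DOM}-1101", f"{DOM}-1102", f"{DOM}-512"
SRV01 = f"{DOM}-1201"


def _obj(sid, name, **extra):
    return {"ObjectIdentifier": sid, "Properties": {"name": name}, **extra}


# Constructed documents modelled on the shape of SharpHound's per-type JSON output.
# Assumption: the real files carry far more properties and a richer "meta" block;
# only the keys this example reads are reproduced here.
_SAMPLE = {
    "users": {"data": [
        _obj(ALICE, "ALICE@CORP.LOCAL"),
        # An ACE is stored on the *target* object and names the principal that
        # holds the right, so this says: HELPDESK can reset BOB's password.
        _obj(BOB, "BOB@CORP.LOCAL", Aces=[{"PrincipalSID": HELPDESK, "PrincipalType": "Group",
                                          "RightName": "ForceChangePassword", "IsInherited": False}]),
        _obj(DAVE, "DAVE@CORP.LOCAL"),
    ], "meta": {"type": "users", "count": 3, "version": 5}},
    "groups": {"data": [
        _obj(HELPDESK, "HELPDESK@CORP.LOCAL", Members=[{"ObjectIdentifier": ALICE, "ObjectType": "User"}]),
        _obj(SERVER_ADMINS, "SERVER-ADMINS@CORP.LOCAL", Members=[{"ObjectIdentifier": BOB, "ObjectType": "User"}]),
        _obj(DOMAIN_ADMINS, "DOMAIN ADMINS@CORP.LOCAL", Members=[{"ObjectIdentifier": DAVE, "ObjectType": "User"}]),
    ], "meta": {"type": "groups", "count": 3, "version": 5}},
    "computers": {"data": [
        _obj(SRV01, "SRV01.CORP.LOCAL",
             LocalAdmins={"Collected": True, "Results": [{"ObjectIdentifier": SERVER_ADMINS, "ObjectType": "Group"}]},
             Sessions={"Collected": True, "Results": [{"UserSID": DAVE, "ComputerSID": SRV01}]}),
    ], "meta": {"type": "computers", "count": 1, "version": 5}},
}
SAMPLE_FILES = {kind: json.dumps(doc) for kind, doc in _SAMPLE.items()}  # file kind -> JSON text


def load_graph(files):
    """Turn the JSON documents into a directed graph: sid -> [(relationship, target_sid)]."""
    names, edges = {}, {}

    def add(src, rel, dst):
        edges.setdefault(src, []).append((rel, dst))

    for text in files.values():
        for obj in json.loads(text)["data"]:
            sid = obj["ObjectIdentifier"]
            names[sid] = obj["Properties"]["name"]
            for ace in obj.get("Aces", []):          # principal -[RightName]-> object
                add(ace["PrincipalSID"], ace["RightName"], sid)
            for member in obj.get("Members", []):    # member -[MemberOf]-> group
                add(member["ObjectIdentifier"], "MemberOf", sid)
            for admin in obj.get("LocalAdmins", {}).get("Results", []):  # principal -[AdminTo]-> computer
                add(admin["ObjectIdentifier"], "AdminTo", sid)
            for session in obj.get("Sessions", {}).get("Results", []):   # computer -[HasSession]-> user
                add(sid, "HasSession", session["UserSID"])
    return names, edges


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the hops as (src, relationship, dst) or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops, cur = [], goal
    while prev[cur] is not None:
        src, rel = prev[cur]
        hops.append((src, rel, cur))
        cur = src
    return hops[::-1]


def describe(path, names):
    """Render a path as 'A -[Rel]-> B -[Rel]-> C' using the objects' display names."""
    if not path:
        return "(start and goal are the same object)"
    text = names[path[0][0]]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {names[dst]}"
    return text


if __name__ == "__main__":
    names, edges = load_graph(SAMPLE_FILES)
    print(describe(shortest_path(edges, ALICE, DOMAIN_ADMINS), names))
```

Run stand-alone it prints the six-hop chain from ALICE to DOMAIN ADMINS; for a defender the useful output is the edge list itself, since each hop (the ForceChangePassword ACE, the nested admin group, the privileged session on a member server) is a discrete permission or configuration that can be reviewed and removed.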
Advantages of SharpHound
- Fast and efficient data collection
- Works in large enterprise environments
- Provides deep visibility into AD relationships
- Supports multiple collection strategies
- Integrates seamlessly with BloodHound
Limitations of SharpHound
- Requires domain access
- Can be detected if not used carefully
- Does not analyze data on its own (requires BloodHound)
- May miss real-time changes after collection
Best Practices for Using SharpHound
If you’re using SharpHound in a legitimate environment:
For Red Teamers
- Use stealth collection modes
- Avoid peak business hours
- Limit scope when possible
For Blue Teamers
- Run regular audits
- Analyze privilege escalation paths
- Remediate risky permissions
SEO Summary: Key Takeaways
If you’re searching for “How does SharpHound work,” here’s the simplified answer:
- SharpHound collects Active Directory data using LDAP, SMB, and Windows APIs
- It gathers information about users, groups, permissions, and sessions
- The data is exported as JSON files
- BloodHound uses that data to map attack paths and privilege escalation routes
Conclusion
SharpHound is a powerful tool that shines a light on one of the most complex parts of enterprise IT: Active Directory relationships.
By systematically collecting and organizing data, it exposes hidden connections that could otherwise remain buried for years.
Whether you’re defending a network or testing its security, understanding how SharpHound works is essential. It’s not just a tool—it’s a lens that reveals how access and control really flow inside an organization.