The local configuration of SharpHound Enterprise occurs within two files: settings.json and auth.json, their file paths can be found in the table below. Note that %AppData% is the directory of the service account: “C:\Users\SERVICE_ACCOUNT$\AppData\Roaming”.

SharpHound FileDefault Path (v2.5.8+)
Default Path (\v2.5.8)
Configuration File%AppData%\AppData\Roaming\BloodHoundEnterprise\settings.jsonC:\Program Files (x86)\SHService\settings.json
Authentication File%AppData%\AppData\Roaming\BloodHoundEnterprise\auth.jsonC:\Program Files (x86)\SHService\auth.json
Active Logs%AppData%\BloodHoundEnterprise\*.log%AppData%\Roaming\BloodHound Enterprise\*.log
Archived Logs%AppData%\Roaming\BloodHoundEnterprise\log_archive\*.zip%AppData%\Roaming\BloodHound Enterprise\log_archive\*.zip

Modifying SharpHound Settings

To modify any settings below on your SharpHound configuration, you must stop the SharpHound service. The process to modify SharpHound’s settings files is as follows:

  1. Stop the SharpHound Enterprise service: “SharpHound Delegator”
  2. Edit and save the desired settings file. You may need to open the file as a local Administrator to save it.
  3. Start the SharpHound Enterprise service: “SharpHound Delegator”

Settings Files

settings.json

Plaintext JSON file that defines information about how the service behaves, such as settings for connecting to the BloodHound Enterprise tenant, connecting to Active Directory, and writing logs.

An example of the file:

{
"RestEndpoint": "CODENAME.bloodhoundenterprise.io",
"RestPort": 443,
"SSL": true,
"CurrentJob": null,
"LogLevel": "Information",
"EnumerationLogLevel": "Information",
"TempDirectory": "C:\\\Users\\\gmsa_SHS$\\\AppData\\\Roaming\\\BloodHoundEnterprise",
"Proxy": null,
"ComputerPasswordResetWindow": 60,
"ForceLDAPKerberosAuth": true,
"PortCheckTimeout": 10000,
"LDAPSSLPort": 636,
"LDAPPort": 389,
"ForceLDAPSSL": false,
"NumWorkers": 50,
"PartitionLDAPQueries": true,
"Version": "2.5.9.0"
}

The following table outlines supported fields and their default values:

FieldTypeDescriptionDefault valueExample value
RestEndpointStringYour tenant domain, as provided by your account team

This field should contain a domain only; do not include URI information such as “https://"		"CODENAME.bloodhoundenterprise.io""demo.bloodhoundenterprise.io”
RestPortIntegerTCP port which BloodHound Enterprise API runs on.443443
SSLBooleanIs the API SSL enabledTrueTrue
CurrentJobArraySharpHound utilizes this field to track the currently running task. It will be null when no task is running.Do not modify this value.Do not modify this value.
LogLevelStringLogging verbosity level for the service itself. These logs appear in service.log within the configured TempDirectory location.

The following levels are supported from most to least verbose (most typically used options are underlined):

* Trace
* Debug
* Information
* Warning
* Error
* Critical
* None		”Information""Trace”
EnumerationLogLevelStringLogging verbosity level used during collection jobs. 

The following levels are supported from most to least verbose (most typically used options are underlined):

* Trace
* Debug
* Information
* Warning
* Error
* Critical
* None		”Information""Trace”
TempDirectoryStringDirectory in which logs and temporary files are stored. Upon service start, if this value is null, the service will default to the “%APPDATA%\Roaming\BloodHound Enterprise\” directory belonging to the service user.

Logs are retained for 14 days.

Backslashes (\) must be escaped for proper JSON formatting, i.e. double backslashes are required.		null”C:\\Users\**SERVICE_USER$**\\ AppData\\Roaming\\BloodHound Enterprise\“
ProxyStringHTTP Proxy URL if needed.null”proxy.acme.com:8080”
ComputerPasswordResetWindowIntegerWhen performing local collections, any computer objects that have not rotated their password with the domain in this many days will be excluded. By default, computers in Active Directory rotated their passwords every 30 days.

Minimum value: 7

This Windows setting specifies how often the computer will rotate its password: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age

It is possible to prevent a Windows computer from rotating its password completely with this setting: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes		60365
ForceLDAPKerberosAuthBooleanEnforce the use of Kerberos authentication when querying LDAP servers. Disabling this may be required to collect across an External trust type (see Cross-Trust Collection here).

Setting this value to False means that SharpHound will auto-negotiate authentication to domain controllers, preferring Kerberos if available.		FalseTrue
PortCheckTimeoutIntegerIn milliseconds, SharpHound will wait for a response on port 445/TCP before considering the system unavailable.

Minimum value: 200

Requires SharpHound Enterprise v2.2.1+		1000015000
LDAPSSLPortIntegerTCP port utilized for collection on LDAP over SSL.

Requires SharpHound Enterprise v2.2.1+		636636
LDAPPortIntegerTCP port utilized for collection on LDAP.389389
ForceLDAPSSLBooleanForce the use of LDAP over SSL.

Setting this value to False means that SharpHound will attempt LDAP over SSL first, before falling back to signed and sealed LDAP.

Requires SharpHound Enterprise v2.2.1+		FalseFalse
NumWorkersIntegerThe number of concurrent threads performing privileged collection.

Minimum value: 10

Maximum value: 100

Requires SharpHound Enterprise v2.2.1+		5050
PartitionLDAPQueriesBooleanWhether SharpHound should split LDAP queries into multiple parts, used when querying very large domains.TrueTrue
VersionStringThe current version of SharpHound Enterprise.Do not modify this value.Do not modify this value.

auth.json

auth.json is a plaintext JSON file that defines the credentials the service will utilize to authenticate to the BloodHound Enterprise API. Creating a new client or rotating the credentials of an existing one will provide you with the complete JSON structure used for a SharpHound Enterprise client.

An example of the file:

{
"Token": "w4Tc+heVmaMTWgodlw0YlztaEGG53J/mwogiEZLvKE6WtylfYuoVEA==",
"TokenID": "0c6120ee-2fbe-478f-a864-2e264f9c16d2"
}

The following table outlines supported fields and their default values:

FieldTypeDescriptionDefault valueExample value
TokenStringUsed by SharpHound Enterprise to authenticate with the the BloodHound Enterprise tenant.null”w4Tc+heVmaMTWgodlw0YlztaEGG53J/mwogiEZLvKE6WtylfYuoVEA==“
TokenIDStringUnique identifier for the token.null”0c6120ee-2fbe-478f-a864-2e264f9c16d2”
Create a gMSA for use with SharpHound EnterpriseModify the service account used by SharpHound Enterprise