Applies to BloodHound Enterprise only

Purpose

This article describes how to run an unscheduled scan to perform a one-time, immediate data collection with a collector client. Administrators may use it during collector client deployment, one-time collections, or troubleshooting.

Prerequisites

The following prerequisites are required to run an on demand scan:
  • An existing SharpHound Enterprise collector client
  • Logged in as a user assigned a role authorized to run a collector client on demand scan

Process

The process to run an on demand scan consists of the following steps:
1. Open the Manage Clients page

In the left menu, click Administration > Manage Clients.

2. Choose a collector client

On the client that you want to schedule, click the icon in the Action column and select On Demand Scan.
Verify that the client is online by confirming that its Status is Ready.

[Image: A collector client with the Action menu open and On Demand Scan selected]

3. Configure the scan

Configure the following details in the On Demand Scan window:
  • Data: The type of data that the scan collects, see:
  • Advanced Options:
    [Image: A collector client On Demand Scan configuration window]

    Option | Description
    --- | ---
    Data (Required) | Multi-select option for the different types of collection available. See SharpHound Data Collection and Permissions for details on the data collected and permissions necessary for each.
    Domain controller | By default, SharpHound automatically selects a Domain Controller for LDAP queries. Specifying a Domain Controller hostname or FQDN here will define the default value used for this scan or schedule. If not set, SharpHound will utilize the value set in the client configuration. We recommend not configuring a Domain Controller manually.
    Target Local Group and/or User Session Collection by Organizational Unit | Define one or more OUs within a domain to only collect Local Group and Session data from computers contained within the specified OUs and their descendants. If left empty, SharpHound will collect from all OUs. If defined, the schedule or On Demand Scan will not collect AD structure data. A dedicated schedule or On Demand Scan must therefore be created for AD structure collection. Note: Not supported with multi-domain collections.
    Scope Collection to Multiple Domains | Utilize trust relationships in your environment to collect data from multiple domains. If left empty, SharpHound will collect from the domain to which the Service Account belongs. SharpHound supports two options: (1) define a specific list of domains from which to collect data; (2) collect data from all domains within the forest to which the SharpHound service account belongs. Note: Multi-domain collections cannot be scoped by OU.

4. Start the scan

Click Run to begin the on demand scan.

Outcome

The client starts the on demand scan after the next client check-in (usually within one minute). After it starts, the client status shows Running a Job:

[Image: A collector client summary showing Running a Job status]

After the next schedule, see the job’s status on the Finished Jobs Log page.