ExtraSIDs

ABOUT

ExtraSIDs is a technique where a forged Kerberos ticket (Golden Ticket) includes additional SIDs, typically from a more privileged domain like the parent domain in a forest, allowing an attacker who compromised a child domain to impersonate membership in high-privilege groups such as Enterprise Admins and gain unauthorized access across domain boundaries, bypassing normal group membership checks if SID filtering is not enforced.

Prerequisites

LINUX

Bruteforce SID

impacket-lookupsid riotech.local/rio@13.13.13.13 | grep "Enterprise Admins"

WINDOWS

Get Group SID

C:\> Get-ADGroup -Identity "Enterprise Admins" -Server "MILITECH.LOCAL"

PowerView

Get Group SID

PS C:\> Get-DomainGroup -Domain RIOTECH.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

RESOURCES

SID-History attribute - Win32 appsMicrosoftLearn

PreviousTrust Abuse NextADCS

Last updated 5 months ago

hashtagABOUT

hashtagPrerequisites

hashtagLINUX

hashtagBruteforce SID

hashtagWINDOWS

hashtagGet Group SID

hashtagPowerView

hashtagGet Group SID

hashtagRESOURCES

ABOUT

Prerequisites

LINUX

Bruteforce SID

WINDOWS

Get Group SID

PowerView

Get Group SID

RESOURCES