ExtraSIDs

ABOUT

ExtraSIDs is a technique where a forged Kerberos ticket (Golden Ticket) includes additional SIDs, typically from a more privileged domain like the parent domain in a forest, allowing an attacker who compromised a child domain to impersonate membership in high-privilege groups such as Enterprise Admins and gain unauthorized access across domain boundaries, bypassing normal group membership checks if SID filtering is not enforced.

Prerequisites

LINUX

Bruteforce SID

impacket-lookupsid fia.militech.local/sreed@13.13.13.13 | grep "Enterprise Admins"

WINDOWS

Get Group SID

C:\> Get-ADGroup -Identity "Enterprise Admins" -Server "MILITECH.LOCAL"

PowerView

Get Group SID

PS C:\> Get-DomainGroup -Domain MILITECH.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

RESOURCES

SID-History attribute - Win32 appsdocsmsft