ExtraSIDs
ABOUT
ExtraSIDs is a technique in which a forged Kerberos ticket (a Golden Ticket) carries additional SIDs, typically taken from a more privileged domain such as the parent domain of a forest. An attacker who has compromised a child domain can thereby claim membership in high-privilege groups such as Enterprise Admins and gain unauthorized access across domain boundaries, because the extra SIDs bypass normal group membership checks whenever SID filtering is not enforced on the trust.
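Detection note (added example, not part of the original page): because the extra SIDs are presented in the ticket rather than written to any account attribute, the place to look for them on the defending side is the group list attached to a logon. The script below flags a logon whose group SIDs include a privileged well-known RID (512, 518, 519) from a domain other than the account's own. The event records, the domain SIDs and the field names are constructed for the example; a real pipeline would pull the group list from Security event 4627 (Group Membership Information) or an equivalent SIEM field.

```python
"""Flag privileged SIDs from another domain in a logon's group membership.

Added example, not code from the original page. The records in SAMPLE_EVENTS
are constructed: field names and domain SIDs are made up for illustration.
"""
import re

# Well-known RIDs of highly privileged built-in domain groups.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs have the shape S-1-5-21-<sub>-<sub>-<sub>-<RID>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def domain_sid(sid):
    """Return the domain prefix of a domain SID, or None for non-domain SIDs
    (e.g. S-1-5-32-545 BUILTIN\\Users) and malformed strings."""
    if not DOMAIN_SID_RE.match(sid):
        return None
    return sid.rsplit("-", 1)[0]


def rid_of(sid):
    """Return the RID (last component) of a SID as an integer."""
    return int(sid.rsplit("-", 1)[1])


def foreign_privileged_sids(account_domain_sid, group_sids):
    """Return (sid, group name) pairs for group SIDs that belong to a
    different domain than the account and map to a privileged RID."""
    hits = []
    for sid in group_sids:
        dom = domain_sid(sid)
        if dom is None or dom == account_domain_sid:
            continue  # built-in SID or same-domain group: nothing unusual
        rid = rid_of(sid)
        if rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


def review_events(events):
    """Return one alert per event whose group list carries a foreign privileged SID."""
    alerts = []
    for ev in events:
        hits = foreign_privileged_sids(ev["account_domain_sid"], ev["group_membership"])
        if hits:
            alerts.append({"account": ev["account"], "hits": hits})
    return alerts


# Constructed domain SIDs (not real values).
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # hypothetical child domain
PARENT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # hypothetical parent domain

# Constructed sample records. The first logon from a child-domain account carries
# the parent domain's Enterprise Admins SID; the second is an ordinary user logon.
SAMPLE_EVENTS = [
    {
        "event_id": 4627,
        "account": "FIA\\sreed",
        "account_domain_sid": CHILD_DOMAIN_SID,
        "group_membership": [
            CHILD_DOMAIN_SID + "-513",   # Domain Users of the child domain
            "S-1-5-32-545",              # BUILTIN\\Users
            PARENT_DOMAIN_SID + "-519",  # Enterprise Admins of the parent domain
        ],
    },
    {
        "event_id": 4627,
        "account": "FIA\\jdoe",
        "account_domain_sid": CHILD_DOMAIN_SID,
        "group_membership": [CHILD_DOMAIN_SID + "-513", "S-1-5-32-545"],
    },
]

if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        for sid, name in alert["hits"]:
            print(f"{alert['account']}: foreign privileged SID {sid} ({name})")
```

The same-domain check is what keeps the rule quiet on legitimate administrators: a child-domain Domain Admin is skipped because its 512 SID shares the account's own domain prefix. Whether SID filtering is enforced on a given trust can be read on the Windows side from the SIDFilteringQuarantined property that Get-ADTrust returns.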
LINUX
Bruteforce SID
impacket-lookupsid fia.militech.local/sreed@13.13.13.13 | grep "Enterprise Admins"
WINDOWS
Get Group SID
PS C:\> Get-ADGroup -Identity "Enterprise Admins" -Server "MILITECH.LOCAL"
PowerView
Get Group SID
PS C:\> Get-DomainGroup -Domain MILITECH.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
RESOURCES