Brilliant, That article and your notes shed a lot of light. As an aside, have a peak at https://adsecurity.org/?p=1772, I wasn't able to get the tool to work, however the article itself outlines the vulnerabilities that could potentially manifest so I suppose it doesn't hurt to make the report without logical restrictions so it covers all cases.
Thanks a lot! jlc ________________________________ From: [email protected] <[email protected]> on behalf of Brian Desmond <[email protected]> Sent: Monday, April 3, 2017 10:13 AM To: [email protected] Subject: [NTSysADM] RE: SID history report See my notes below. There is a lot of good content on SID History here - https://msdn.microsoft.com/en-us/library/ms677982(v=vs.85).aspx Thanks, Brian Desmond w - 312.625.1438[X] | c - 312.731.3132[X] From: [email protected] [mailto:[email protected]] On Behalf Of Joseph L. Casale Sent: Sunday, April 2, 2017 2:47 PM To: '[email protected]' <[email protected]> Subject: [NTSysADM] RE: SID history report Hi Brian, Forgive me, I don't exactly follow. A user in DomainB could have one of the following scenario's: 1. A sIDHistory entry for DomainA\GroupA. [Brian Desmond] Hypothetically, yes this is possible. I'd question how/why this happened though. 1. A sIDHistory entry for any user or group in DomainA or DomainB that is themselves implicitly or explicitly granted membership in DomainA\GroupA. [Brian Desmond] it's not possible for an object in Domain B to have a SID History entry with a SID also from Domain B. If that is correct, I imagine writing something that: 1. Collect all SIDs of all objects in DomainA\GroupA, including then expanding groups tail recursively. 2. Collect all groups recursively that are members of DomainA\GroupA. Then finding any user in DomainB who has: 1. A sIDHistory entry in the above collection. 2. Group membership in any of the above groups. This should find all scenarios of convoluted implicit membership? Or given the restrictions on sIDHistory values, does this overcomplicate it? Thanks, jlc From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Brian Desmond Sent: Sunday, April 2, 2017 11:25 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: SID history report You really only need to grab this step: - Enumerate any users in DomainB whose sIDHistory collection contains one or more of any of the above cumulative SIDs. SIDHistory in DomainA has the SID of the group in DomainB. You need to find anyone who is a member of the group in DomainB. That will give them implicit access via SIDHistory. Everyone else just gets the access via normal group membership in the DomainA group. Thanks, Brian Desmond w - 312.625.1438[X] | c - 312.731.3132[X] From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Joseph L. Casale Sent: Thursday, March 30, 2017 5:05 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] SID history report Hey guys, I am trying to automate a report that a user has been instructed to reproduce on a continued basis. Given a group "GroupA" in DomainA, I need to enumerate all users who have access implicitly through sIDHistory. Off the top of my head, does this miss anything: - Enumerate all members of GroupA in DomainA recursively. - Explicit users. - Members implied through explicit group membership (recursively as well). - Enumerate any users in DomainA whose sIDHistory collection contains one or more of any of the above SIDs. - Enumerate any users in DomainB whose sIDHistory collection contains one or more of any of the above cumulative SIDs. Does that cover it? Thanks, jlc
