Detecting Orphaned SIDs in Active Directory with FindOldSIDTraces

Introduction

Active Directory (AD) security is critical for enterprise environments, yet lingering Security Identifiers (SIDs) from deleted objects can introduce hidden risks. Rémi Gascou’s new tool, FindOldSIDTraces, helps blue teams and AD administrators identify orphaned SIDs in LDAP objects, reducing potential attack surfaces. This article explores how to use the tool, key commands, and best practices for securing AD environments.

Learning Objectives

  • Understand how orphaned SIDs create security risks in Active Directory.
  • Learn how to deploy and use FindOldSIDTraces for LDAP hygiene checks.
  • Apply remediation techniques to clean up lingering SID references.

1. Installing FindOldSIDTraces

Command:

git clone https://github.com/TheManticoreProject/FindOldSIDTraces.git
cd FindOldSIDTraces
pip install -r requirements.txt

Step-by-Step Guide:

1. Clone the repository from GitHub.

2. Navigate into the project directory.

3. Install dependencies using `pip`.

4. Run the tool with `python FindOldSIDTraces.py -h` to view help options.

2. Scanning for Orphaned SIDs

Command:

python FindOldSIDTraces.py -d example.com -u admin -p 'P@ssw0rd!' -dc DC01

Step-by-Step Guide:

1. Replace `example.com` with your AD domain.

2. Provide valid admin credentials (`-u` for username, `-p` for password).

3. Specify a domain controller (`-dc`).

4. The tool scans LDAP objects and outputs orphaned SIDs.

3. Analyzing Results

Command (PowerShell):

Get-Content .\orphaned_sids.txt | ForEach-Object { Get-ADObject -Filter "objectSid -eq '$_'" }

Step-by-Step Guide:

1. Export results to a file (e.g., `orphaned_sids.txt`).

2. Use PowerShell to verify whether any SIDs still resolve to objects.

3. Investigate false positives before remediation.
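The detection step the scan performs (section 2) and the false-positive screening recommended in step 3 above, as an added Python example that is not FindOldSIDTraces' own code: it decodes the binary objectSid layout that LDAP returns, then classifies each ACE trustee SID as well-known, resolving, orphaned (our domain, no live object) or foreign (another domain, to be resolved there first). The domain SID, the live SIDs and the trustee list are constructed sample data, and `sid_from_bytes`, `classify_sid`, `find_orphans` and `run_sample` are this example's own names, not the tool's API.

```python
"""Decode LDAP binary SIDs and flag trustees that no longer resolve.

Added example (not FindOldSIDTraces' own code). All input is constructed
in-memory data so it runs offline; a real scan would read objectSid,
sIDHistory and the DACL of nTSecurityDescriptor over LDAP instead.
"""
import struct

# Well-known SIDs never back a directory object and must not be reported as
# orphans (subset of Microsoft's well-known SID list).
WELL_KNOWN = {
    "S-1-1-0",       # Everyone
    "S-1-3-0",       # Creator Owner
    "S-1-5-9",       # Enterprise Domain Controllers
    "S-1-5-10",      # Self
    "S-1-5-11",      # Authenticated Users
    "S-1-5-18",      # Local System
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-32-545",  # BUILTIN\Users
}


def sid_from_bytes(raw: bytes) -> str:
    """Convert the binary objectSid layout to S-1-... notation.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * sub_count
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:expected])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here only to build sample data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"malformed SID {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def classify_sid(sid: str, domain_sid: str, live_sids: set) -> str:
    """Return 'well-known', 'resolves', 'orphaned' or 'foreign'."""
    if sid in WELL_KNOWN:
        return "well-known"
    if sid in live_sids:
        return "resolves"
    if sid.startswith(domain_sid + "-"):
        return "orphaned"   # our domain, but no live object carries this SID
    return "foreign"        # other domain/forest: check there before acting


def find_orphans(ace_trustees, domain_sid, live_sids):
    """Map each distinct trustee SID (binary, as LDAP returns it) to a class."""
    report = {}
    for raw in ace_trustees:
        sid = sid_from_bytes(raw)
        report[sid] = classify_sid(sid, domain_sid, live_sids)
    return report


# --- constructed sample data -------------------------------------------------
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # made-up domain SID
LIVE_SIDS = {f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-1105"}  # Domain Admins, one user
SAMPLE_TRUSTEES = [sid_to_bytes(s) for s in (
    f"{DOMAIN_SID}-512",            # resolves
    f"{DOMAIN_SID}-1105",           # resolves
    f"{DOMAIN_SID}-1311",           # deleted account: orphaned
    "S-1-5-11",                     # Authenticated Users: well-known
    "S-1-5-21-111-222-333-1001",    # trustee from another domain: foreign
)]


def run_sample():
    """Classify the constructed trustees; orphans are what the scan reports."""
    return find_orphans(SAMPLE_TRUSTEES, DOMAIN_SID, LIVE_SIDS)


if __name__ == "__main__":
    # Print one SID per line, the format section 3 feeds into PowerShell.
    for sid, cls in run_sample().items():
        if cls == "orphaned":
            print(sid)
```

Only the "orphaned" class belongs in `orphaned_sids.txt`; the well-known and foreign classes are the two usual sources of false positives, since neither resolves through a plain domain lookup yet neither is safe to purge.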

4. Remediating Orphaned SIDs

Command (PowerShell – Remove SID from ACL):

Import-Module ActiveDirectory   # provides the AD: drive used below
$orphanedSID = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-<domain>-<RID>'   # placeholder: SID reported by the scan
$acl = Get-Acl "AD:\CN=TestGroup,OU=Groups,DC=example,DC=com"
$acl.PurgeAccessRules($orphanedSID)   # removes every ACE whose trustee is this SID
Set-Acl -Path "AD:\CN=TestGroup,OU=Groups,DC=example,DC=com" -AclObject $acl

Step-by-Step Guide:

1. Retrieve the ACL of the affected AD object.

2. Use `PurgeAccessRules` to remove orphaned SID entries.

3. Apply the updated ACL.

5. Automating Regular Scans

Command (Scheduled Task in Windows):

Register-ScheduledTask -TaskName "OrphanedSIDScan" -Trigger (New-ScheduledTaskTrigger -Weekly) -Action (New-ScheduledTaskAction -Execute "python" -Argument "C:\FindOldSIDTraces\FindOldSIDTraces.py -d example.com -u scanner -p 'S3cureP@ss'")

Step-by-Step Guide:

1. Create a dedicated service account for scanning.

2. Schedule weekly scans using PowerShell.

3. Log results for audit purposes.

What Undercode Say

Key Takeaways:

  1. Orphaned SIDs are a hidden threat—attackers can exploit lingering permissions for privilege escalation.
  2. Proactive hygiene is critical—regular scans with tools like FindOldSIDTraces reduce AD vulnerabilities.

Analysis:

Active Directory remains a prime target for attackers, and misconfigured SIDs often go unnoticed. By integrating FindOldSIDTraces into routine audits, organizations can minimize stale permissions and harden their environments. Future improvements may include automated remediation and integration with SIEMs for real-time alerts.

Prediction:

As AD attacks evolve, tools like FindOldSIDTraces will become essential for maintaining least-privilege hygiene. Expect more AI-driven AD auditing solutions to emerge, automating threat detection and response.

For more details, visit the GitHub repository.

Reported By: Remigascou Github – Hackers Feeds