FindOldSIDTraces

FindOldSIDTraces

11 Stars

A cross-platform tool to find traces of old SIDs remaining in LDAP objects of the Active Directory

TheManticoreProject
Active-directory
Jun 18, 2025
11 stars
View on GitHub
Share on:
X LinkedIn Facebook WhatsApp Telegram Reddit Email
Category
Active-directory
GitHub Stars
11
Project Added On
Jun 18, 2025
Contributors
1

README.md

View on GitHub

A cross-platform tool to find traces of old SIDs remaining in LDAP objects of the Active Directory.
Build and Release GitHub release (latest by date) Go Report Card YouTube Channel Subscribers

Features

  • [x] Only requires a low privileges domain user account
  • [x] Searches for old SIDs in nTSecurityDescriptor and msDS-AllowedToActOnBehalfOfOtherIdentity attributes
  • [x] Validates SIDs against a comprehensive map of well-known SIDs and SIDs from the domain
  • [x] Supports both LDAP and LDAPS connections

Demonstration

In order to find the old SIDs that might remain in the security descriptors and structures of the objects in the domain, you can use the following command:

./FindOldSIDTraces --dc-ip "<domain_controller_ip>" --domain "<domain>" --username "<username>" --password "<password>"

You will get the following output:

Usage

$ ./FindOldSIDTraces -h
FindOldSIDTraces - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0

Usage: FindOldSIDTraces --domain <string> --username <string> [--password <string>] [--hashes <string>] [--quiet] [--debug] [--no-colors] [--attribute <string>] [--output-file <string>] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps]

  Authentication:
    -d, --domain <string>   Active Directory domain to authenticate to.
    -u, --username <string> User to authenticate as.
    -p, --password <string> Password to authenticate with. (default: "")
    -H, --hashes <string>   NT/LM hashes, format is LMhash:NThash. (default: "")

  Configuration:
    -q, --quiet                Show no information at all. (default: false)
    --debug                    Debug mode. (default: false)
    -nc, --no-colors           No colors mode. (default: false)
    -a, --attribute <string>   Output attribute. (default: "distinguishedName")
    -o, --output-file <string> Output file to write results to. (default: "")

  LDAP Connection Settings:
    -dc, --dc-ip <string>       IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
    -lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
    -L, --use-ldaps             Use LDAPS instead of LDAP. (default: false)

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits

Tool Information

Author

TheManticoreProject

Project Added On

June 18, 2025

License

Open Source

Tags

audit cleaning sid traces
View on GitHub

Related Tools

PsMapExec

PsMapExec

Dominate Active Directory with PowerShell.

Stable
RustHound-CE

RustHound-CE

Active Directory data ingestor for BloodHound Community Edition written in Rust. 🦀

Stable
Invoke-ADEnum

Invoke-ADEnum

Active Directory Auditing and Enumeration

Stable
View more Active-directory tools