TheManticoreProject/FindOldSIDTraces
A cross-platform tool to find traces of old SIDs remaining in LDAP objects of the Active Directory.

Features

  • Only requires a low-privileged domain user account (such an account can read the owner, group and DACL of objects over LDAP; reading SACLs additionally requires SeSecurityPrivilege)
  • Searches for old SIDs in the ACEs of the nTSecurityDescriptor attribute (the object's security descriptor) and of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute (the security descriptor that governs resource-based constrained delegation)
  • Validates every SID found against a comprehensive map of well-known SIDs and against the SIDs of existing objects in the domain, and reports the ones that no longer resolve
  • Supports both LDAP and LDAPS connections
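
To make concrete what the tool looks for, here is an added example (not FindOldSIDTraces code) that parses a self-relative security descriptor, the binary form stored in nTSecurityDescriptor and msDS-AllowedToActOnBehalfOfOtherIdentity, extracts every SID from the owner, group, SACL and DACL, and reports those that match neither a well-known SID nor a SID that still resolves in the domain. The descriptor, the domain SID and the set of resolved SIDs are constructed for the example; in practice the resolved set comes from an LDAP query for objectSid over the domain.

```python
"""Pull every SID out of a self-relative security descriptor (the binary form of
nTSecurityDescriptor and msDS-AllowedToActOnBehalfOfOtherIdentity) and flag those
that resolve neither to a well-known SID nor to a live domain object.  Added example, not FindOldSIDTraces code."""
import struct

# ACE bodies are Mask(4) + SID, or for object ACEs Mask(4) + Flags(4) + up to two
# 16-byte GUIDs (one per set flag bit 0x1/0x2) + SID ([MS-DTYP] 2.4.4).
SIMPLE_ACES = {0x00, 0x01, 0x02, 0x09, 0x0A, 0x0D}
OBJECT_ACES = {0x05, 0x06, 0x07, 0x0B, 0x0C, 0x0F}
# Small subset of well-known SIDs ([MS-DTYP] 2.4.2.4); the tool carries a full map.
WELL_KNOWN = {"S-1-1-0", "S-1-3-0", "S-1-5-9", "S-1-5-10", "S-1-5-11", "S-1-5-18", "S-1-5-20"}
WELL_KNOWN_PREFIXES = ("S-1-5-32-",)  # BUILTIN\*


def sid_to_str(buf, off):
    """Decode the binary SID at buf[off]; return (string form, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def str_to_sid(text):
    """Encode 'S-1-5-21-...' into the binary SID layout."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def extract_sids(sd):
    """Yield (location, sid) for the owner, group and every SACL/DACL ACE."""
    _, _, _ctl, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    for where, off in (("owner", off_owner), ("group", off_group)):
        if off:
            yield where, sid_to_str(sd, off)[0]
    for where, off in (("SACL", off_sacl), ("DACL", off_dacl)):
        if not off:
            continue  # offset 0: that ACL is absent (SE_xACL_PRESENT unset)
        ace_count = struct.unpack_from("<BBHHH", sd, off)[3]
        pos = off + 8
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
            if ace_type in SIMPLE_ACES:
                yield where, sid_to_str(sd, pos + 8)[0]
            elif ace_type in OBJECT_ACES:
                obj_flags = struct.unpack_from("<I", sd, pos + 8)[0]
                yield where, sid_to_str(sd, pos + 12 + 16 * bin(obj_flags & 0x3).count("1"))[0]
            # Other ACE types name no principal; AceSize steps over them either way.
            pos += ace_size


def find_old_sids(sd, domain_sid, resolved_sids):
    """Return [(location, sid, reason)] for the SIDs that no longer resolve."""
    orphans = []
    for where, sid in extract_sids(sd):
        if sid in WELL_KNOWN or sid.startswith(WELL_KNOWN_PREFIXES) or sid in resolved_sids:
            continue
        if sid.startswith(domain_sid + "-"):
            orphans.append((where, sid, "deleted principal of this domain"))
        else:
            orphans.append((where, sid, "principal of a foreign or former domain"))
    return orphans


def build_ace(ace_type, mask, sid, object_type=None):
    """Encode one ACE; object_type (16-byte GUID) only applies to object ACEs."""
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACES:
        body += struct.pack("<I", 0x1 if object_type else 0) + (object_type or b"")
    body += str_to_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(owner, group, aces):
    """Assemble owner, group and a DACL into a self-relative descriptor."""
    owner_b, group_b, dacl = str_to_sid(owner), str_to_sid(group), b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(dacl), len(aces), 0) + dacl  # ACL_REVISION_DS
    off_group = 20 + len(owner_b)
    control = 0x8000 | 0x0004  # SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = struct.pack("<BBHIIII", 1, 0, control, 20, off_group, 0, off_group + len(group_b))
    return header + owner_b + group_b + acl


# Constructed sample (not real data): the domain knows two live principals, yet the
# descriptor still grants rights to a deleted user (object ACE, zero GUID stands in
# for an extended-right GUID) and to a group from a domain that no longer exists.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN_SID = "S-1-5-21-4000000001-4000000002-4000000003"
RESOLVED = {DOMAIN_SID + "-512", DOMAIN_SID + "-1105"}  # e.g. Domain Admins and one user
GENERIC_ALL, ADS_RIGHT_DS_CONTROL_ACCESS = 0x10000000, 0x00000100
SAMPLE_SD = build_sd(DOMAIN_SID + "-512", DOMAIN_SID + "-512", [
    build_ace(0x00, GENERIC_ALL, DOMAIN_SID + "-512"),
    build_ace(0x00, GENERIC_ALL, "S-1-5-32-544"),
    build_ace(0x00, GENERIC_ALL, "S-1-5-18"),
    build_ace(0x05, ADS_RIGHT_DS_CONTROL_ACCESS, DOMAIN_SID + "-1298", object_type=bytes(16)),
    build_ace(0x00, GENERIC_ALL, OLD_DOMAIN_SID + "-1107"),
])

if __name__ == "__main__":
    for where, sid, reason in find_old_sids(SAMPLE_SD, DOMAIN_SID, RESOLVED):
        print("%-5s %-55s %s" % (where, sid, reason))
```

A SID under the domain's own prefix that is missing from the resolved set indicates a deleted principal; any other prefix that is not well-known points to a trust that was removed or a domain that was migrated away. Both are the kind of trace the tool reports. Object ACEs are handled by stepping over the optional GUIDs, and ACE types that carry no principal are skipped using AceSize rather than misparsed.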

Demonstration

To find the old SIDs that may remain in the security descriptors of the objects in the domain, run the tool against a domain controller with a domain user account:

./FindOldSIDTraces --dc-ip "<domain_controller_ip>" --domain "<domain>" --username "<username>" --password "<password>" 

The tool then lists each object (by the attribute selected with --attribute, distinguishedName by default) that still carries an unresolved SID; the original README shows this output as a screenshot.

Usage

$ ./FindOldSIDTraces -h
FindOldSIDTraces - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0

Usage: FindOldSIDTraces --domain <string> --username <string> [--password <string>] [--hashes <string>] [--quiet] [--debug] [--no-colors] [--attribute <string>] [--output-file <string>] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps]

  Authentication:
    -d, --domain <string>   Active Directory domain to authenticate to.
    -u, --username <string> User to authenticate as.
    -p, --password <string> Password to authenticate with. (default: "")
    -H, --hashes <string>   NT/LM hashes, format is LMhash:NThash. (default: "")

  Configuration:
    -q, --quiet                Show no information at all. (default: false)
    --debug                    Debug mode. (default: false)
    -nc, --no-colors           No colors mode. (default: false)
    -a, --attribute <string>   Output attribute. (default: "distinguishedName")
    -o, --output-file <string> Output file to write results to. (default: "")

  LDAP Connection Settings:
    -dc, --dc-ip <string>       IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
    -lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
    -L, --use-ldaps             Use LDAPS instead of LDAP. (default: false)

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits
