Skip to content

Security identifiers SIDs

Windows uses a SID to identify entities. A SID is a unique value assigned to each entity, or principal, that can be authenticated by Windows, such as users and groups. The SID for local accounts and groups is generated by the Local Security Authority (LSA), and for domain users and domain groups, it's generated on a Domain Controller (DC).  The SID cannot be changed and is generated when the user or group is created.

The SID string consists of different parts, delimited by "-", and represented by the placeholders "S", "R", "X", and "Y" in the following listing. This representation is the fundamental structure of a SID.

1
S-R-X-Y

Next, we can use lookupsid.py , an Impacket script used for querying a Windows system to obtain information about the SID associated with a given user or group.

The tool will give us back the SID for the domain and the RIDs for each user and group that could be used to create their SID in the format DOMAIN_SID-RID.

1
2
3
4
lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP 
# Example:
# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 
# Enter password: HTB_@cademy_stdnt_admin!

If we just want to get the Domain SID, we can filter it out:

1
2
3
4
lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP | grep "Domain SID"
# Example:
# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"
# Enter password: HTB_@cademy_stdnt_admin!

Results: S-1-5-21-2806153819-209893948-922872689

We will perform a SID enumeration on the target system and filter the results to find information related to the Enterprise Admins group in the Active Directory (AD) domain. For filtering we will use the RID of the Enterprise Admins group. Here is a handy list of well-known SIDs.

1
2
3
4
5
6
7
8
lookupsid.py $targetedDomain/$UserWithAdminPriv@$DomainControllerIP | grep "Enterprise Admins"
# Example:
# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep "Enterprise Admins"
# Enter password: HTB_@cademy_stdnt_admin!

# Way2:
lookupsid.py LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm@INLANEFREIGHT.LOCAL | grep "Enterprise Admins"
# Enter password: HTB_@cademy_stdnt_admin!

Result: 

1
519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)

As the domain SID was: S-1-5-21-3842939050-3880317879-2865463114 and the RID is 519, the SID of "Enterprise Admin" group is S-1-5-21-3842939050-3880317879-2865463114-519 .

Enumerating GPO Names with PowerView

1
2
$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

See more on Attacking Domain Trusts: ExtraSids Attack - Mimikatz

Last update: 2026-02-02
Created: February 2, 2026 21:10:28