There is another possible attack vector to populate the sidHistory. You can join a Samba 4 DC to the domain and then use ldbedit to write to the sidHistory attribute. This is not at all a technically complex attack, but rather a very simple one. A description of the attack can be found here: http://cosmoskey.blogspot.co.uk/2010/08/online-sidhistory-edit-sid-injection.html
↧
