https://github.com/themanticoreproject/findoldsidtraces
A cross-platform tool to find traces of old SIDs remaining in LDAP objects of the Active Directory
audit cleaning sid traces
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/themanticoreproject/findoldsidtraces
- Owner: TheManticoreProject
- Created: 2025-06-10T12:21:53.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-06-29T13:59:01.000Z (3 months ago)
- Last Synced: 2025-06-29T14:37:46.477Z (3 months ago)
- Topics: audit, cleaning, sid, traces
- Language: Go
- Homepage: https://themanticoreproject.com/
- Size: 739 KB
- Stars: 16
- Watchers: 0
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README

A cross-platform tool to find traces of old SIDs remaining in LDAP objects of the Active Directory.
## Features
- [x] Only requires a **low-privileged domain user account**
- [x] Searches for old SIDs in `nTSecurityDescriptor` and `msDS-AllowedToActOnBehalfOfOtherIdentity` attributes
- [x] Validates SIDs against a comprehensive map of well-known SIDs and SIDs from the domain
- [x] Supports both LDAP and LDAPS connections

## Demonstration
In order to find the old SIDs that might remain in the security descriptors and structures of the objects in the domain, you can use the following command:
```bash
./FindOldSIDTraces --dc-ip "" --domain "" --username "" --password ""
```

You will get the following output:
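
The check listed under Features, reduced to its core as an added Go example (not FindOldSIDTraces' own code): walk the DACL of a binary `nTSecurityDescriptor` value and report every trustee SID that is in neither the well-known set nor the set of SIDs read from the domain. The `known` map, the function names and the sample descriptor are assumptions made for illustration, and only ACE types 0, 1, 5 and 6 are handled.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Constructed sample: DACL allowing S-1-5-11 and S-1-5-21-1-2-3-1105 (made-up SID of a deleted account).
var sampleSD, _ = hex.DecodeString("0100048000000000000000000000000014000000" + "0200400002000000" +
	"000014009400020001010000000000050b000000" + "00002400ff010f0001050000000000051500000001000000020000000300000051040000")
var le, errSD = binary.LittleEndian, fmt.Errorf("malformed security descriptor")
// sidString renders the binary SID at b[off:], or "" when it does not fit in b.
func sidString(b []byte, off int) string {
	if off+8 > len(b) || off+8+4*int(b[off+1]) > len(b) {
		return ""
	}
	s := fmt.Sprintf("S-%d-%d", b[off], binary.BigEndian.Uint64(append([]byte{0, 0}, b[off+2:off+8]...)))
	for i := 0; i < int(b[off+1]); i++ { // sub-authorities are little-endian uint32 values
		s += fmt.Sprintf("-%d", le.Uint32(b[off+8+4*i:]))
	}
	return s
}
// UnknownDaclSIDs returns the DACL trustee SIDs of a self-relative descriptor that are absent from known.
func UnknownDaclSIDs(sd []byte, known map[string]bool) (out []string, err error) {
	if len(sd) < 20 || int(le.Uint32(sd[16:])) < 20 || int(le.Uint32(sd[16:]))+8 > len(sd) {
		return nil, errSD // short header, or OffsetDacl absent or out of range
	}
	dacl := int(le.Uint32(sd[16:]))
	for n, p := le.Uint16(sd[dacl+4:]), dacl+8; n > 0; n-- { // AceCount, offset of first ACE
		if p+12 > len(sd) || p+int(le.Uint16(sd[p+2:])) > len(sd) {
			return out, errSD // ACE runs past the end of the buffer
		}
		body, t := p+8, sd[p]         // SID offset for plain allow/deny ACEs, AceType
		p += int(le.Uint16(sd[p+2:])) // p now points at the next ACE
		if t == 5 || t == 6 {         // object ACEs: Flags, then optional GUIDs, precede the SID
			f := le.Uint32(sd[body:])
			body += 4 + 16*int(f&1) + 16*int(f>>1&1)
		} else if t > 1 {
			continue // other ACE types are not handled in this example
		}
		if sid := sidString(sd[:p], body); sid == "" {
			return out, errSD
		} else if !known[sid] {
			out = append(out, sid)
		}
	}
	return out, nil
}
func main() { fmt.Println(UnknownDaclSIDs(sampleSD, map[string]bool{"S-1-5-11": true})) }
```

A SID reported here is a candidate for review, not proof of an orphaned entry: `known` has to contain every SID that can legitimately appear, including those of trusted domains.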

## Usage
```
$ ./FindOldSIDTraces -h
FindOldSIDTraces - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.0.0

Usage: FindOldSIDTraces --domain --username [--password ] [--hashes ] [--quiet] [--debug] [--no-colors] [--attribute ] [--output-file ] --dc-ip [--ldap-port ] [--use-ldaps]

Authentication:
-d, --domain Active Directory domain to authenticate to.
-u, --username User to authenticate as.
-p, --password Password to authenticate with. (default: "")
-H, --hashes NT/LM hashes, format is LMhash:NThash. (default: "")

Configuration:
-q, --quiet Show no information at all. (default: false)
--debug Debug mode. (default: false)
-nc, --no-colors No colors mode. (default: false)
-a, --attribute Output attribute. (default: "distinguishedName")
-o, --output-file Output file to write results to. (default: "")

LDAP Connection Settings:
-dc, --dc-ip IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
-lp, --ldap-port Port number to connect to LDAP server. (default: 389)
-L, --use-ldaps Use LDAPS instead of LDAP. (default: false)
```

## Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.
## Credits
- [Remi GASCOU (Podalirius)](https://github.com/p0dalirius) for the creation of [FindOldSIDTraces](https://github.com/TheManticoreProject/FindOldSIDTraces).