
Performance degradation when SharpHound attempts to resolve unresolvable SIDs

Open NexKosh opened this issue 11 months ago • 2 comments

When running SharpHound from a non-domain-joined Windows machine using supplied credentials, if target objects in the domain contain unresolvable SIDs (e.g., due to stale entries from broken two-way trusts), the tool repeatedly attempts to resolve them.

  • Environment
  1. SharpHound Version: 2.6.5
  2. SharpHoundCommon Version: 4.2.6
  3. Command : SharpHound -c DCOnly --ldapusername [email protected] --ldappassword ******** -d ludus.domain -v 1 --skipportcheck --disablecertverification --disablesigning --domaincontroller ludus.domain
  • Conditions
  1. The machine executing SharpHound is not joined to the domain
  2. Some AD objects contain SIDs from a previously trusted domain (e.g., due to removed two-way trust)
  3. An unresolvable SID (from a previously trusted domain) was present on many AD objects.
  4. Total object count is large (e.g., 500,000+ objects)
  • Screenshot
  1. non-domain-joined (screenshot)
  2. domain-joined (screenshot)

  • Observed Behavior
  1. SharpHound attempts to resolve unknown or external SIDs via DirectoryContext using GetDomain(...)
  2. Each failed resolution logs: System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Current security context is not associated with an Active Directory domain or forest.
  • Comparison Results

| Scenario | Cache | Execution Time |
|---|---|---|
| Domain-joined host | ❌ / ✅ | 13 mins |
| Non-domain host, same creds | | 30 mins |
| Non-domain host, same creds | | 90 mins |

Is it possible to add an unresolvable-SID cache to avoid repeated requests, or to disable attempts to resolve unresolvable SIDs?

NexKosh avatar May 04 '25 06:05 NexKosh
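The negative cache the report asks for, sketched as an added example (not SharpHound's or SharpHoundCommon's code): failed domain lookups are remembered per domain SID for a TTL, so a stale trust costs one query instead of one query per ACE. The `lookup` callable and all SIDs below are constructed for the illustration.

```python
import re
import time

# Matches an SDDL-style SID such as S-1-5-21-100-200-300-1105 (constructed example).
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def domain_sid(sid):
    """Strip the trailing RID so every principal of one domain shares a cache key.

    S-1-5-21-100-200-300-1105 -> S-1-5-21-100-200-300
    """
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return sid.rsplit("-", 1)[0]


class SidResolver:
    """Resolve the domain a SID belongs to, caching both hits and misses.

    `lookup(domain_sid)` is a hypothetical callable standing in for the
    GetDomain(...) call from the report: it returns a domain name or raises
    when the domain cannot be found. A miss is remembered for `negative_ttl`
    seconds, so a domain from a removed trust is queried once per TTL window
    rather than once for every object that still references it.
    """

    def __init__(self, lookup, negative_ttl=600.0, clock=time.monotonic):
        self._lookup = lookup
        self._ttl = negative_ttl
        self._clock = clock          # injectable for deterministic tests
        self._resolved = {}          # domain SID -> domain name
        self._failed = {}            # domain SID -> expiry timestamp
        self.lookup_calls = 0        # number of real lookups performed

    def resolve(self, sid):
        key = domain_sid(sid)
        if key in self._resolved:
            return self._resolved[key]
        expiry = self._failed.get(key)
        if expiry is not None and self._clock() < expiry:
            return None              # known-unresolvable domain: skip the query
        self.lookup_calls += 1
        try:
            name = self._lookup(key)
        except Exception:
            self._failed[key] = self._clock() + self._ttl
            return None
        self._failed.pop(key, None)
        self._resolved[key] = name
        return name
```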

Hi @NexKosh! Would you be able to provide steps to reproduce this issue for testing purposes?

ktstrader avatar Jun 27 '25 19:06 ktstrader

Hi @ktstrader 👋

To accurately simulate SharpHound performance degradation caused by unresolved or stale ACL SIDs (typically from removed trusts or deleted users), I suggest the following setup:

✅ Recommended Procedure

  1. Establish a Two-Way Trust Between Domains

    • Set up a two-way trust between two domains (e.g., corp.local and lab.local).
  2. Inject Cross-Domain ACL Entries

    • While the trust is still active, inject a large number of ACLs (~10,000 entries) into objects in lab.local.
    • Each ACL should grant rights (e.g., GenericAll) to SIDs from corp.local.
    • Use tools like BadBlood to populate the domain with users, groups, and computers. Then assign ACLs referencing foreign domain users either manually or through scripting.
  3. Break the Trust Relationship

    • Remove the trust between corp.local and lab.local.
    • The injected ACLs will remain in lab.local, but their associated SIDs from corp.local will no longer resolve via LDAP, simulating real-world stale SID conditions.
  4. Run SharpHound from an External Machine

    • From a machine not joined to lab.local, execute SharpHound against the lab.local domain using the DCOnly collection method.
    SharpHound.exe --CollectionMethod DCOnly --Domain lab.local --UserName sharphound --Password P@ssw0rd
    

NexKosh avatar Jun 28 '25 05:06 NexKosh