Wednesday, March 27, 2019

Active Directory SID lookup.

Some notes on how to figure out what a specific AD SID value belongs to.

I was asked why a specific SID was showing up in an application's Security Alert logs.

That logging system tells the user that it is probably a 'Brute Force' attack from:
CORP\S-1-5-21-436374069-117609710-839522115-6608

I used Get-ADUser to filter for that SID... Nothing.

I opened up my search, and looked at all AD objects, but the SID value was not apparent.
Here is where I ended up:

$SID_Value = "S-1-5-21-436374069-117609710-839522115-6608"
Get-ADObject -Filter "objectSid -eq '$SID_Value'"

Saw that it WAS a Computer object - So, more details as follows:

Get-ADComputer ((Get-ADObject -Filter "objectSid -eq '$SID_Value'").Name)
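
The same lookup wrapped so it works for any object class, as an added example that is not part of the original post. The function name Resolve-AdSid and the extra properties requested are assumptions; it needs the ActiveDirectory (RSAT) module and read access to the domain.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Resolve-AdSid {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)

    # Alert logs may prefix the SID with the domain, e.g. CORP\S-1-5-21-...
    $sidText = ($Value -split '\\')[-1].Trim()

    # Throws if the string is not a well-formed SID, so typos fail early
    $sid = [System.Security.Principal.SecurityIdentifier]::new($sidText)

    # Get-ADObject searches every object class, unlike Get-ADUser
    $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
    if (-not $obj) {
        Write-Warning "No object with SID $($sid.Value) found in the current domain."
        return
    }

    # Hand off to the class-specific cmdlet; -Identity accepts a SID directly
    switch ($obj.ObjectClass) {
        'user'     { Get-ADUser     -Identity $sid.Value -Properties LastLogonDate }
        'computer' { Get-ADComputer -Identity $sid.Value -Properties LastLogonDate, OperatingSystem, IPv4Address }
        'group'    { Get-ADGroup    -Identity $sid.Value }
        default    { $obj }   # anything else: return the generic object
    }
}

# The value exactly as it appeared in the alert log
Resolve-AdSid 'CORP\S-1-5-21-436374069-117609710-839522115-6608'
```

For a computer object, the OperatingSystem, IPv4Address and LastLogonDate values give a starting point for finding the machine that is generating the failed logons.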