BloodHoundAD / SharpHound2

The Old BloodHound C# Ingestor (Deprecated)

ForeignSecurityPrincipals not collected #75

Open furmelade opened 5 years ago

furmelade commented 5 years ago

I have encountered the following issue: having a user from a foreign domain (doesn't matter if same/foreign forest) in a security group, SharpHound does not collect that user and write it into the .json file, so it does not show up in the database.

To be precise, my case looks like this: I have Forest A with domain1.com and subdomain sub.domain1.com, and Forest B with domain2.com. There's a 2-way trust configured between both forests. User john from domain2.com is a member of the Administrators group in sub.domain1.com.

SharpHound does not collect any information about user john being in the Administrators group. Running SharpHound with --debug -c Group --LdapFilter "(distinguishedname=CN=Administrators,CN=Builtin,DC=sub,DC=domain1,DC=com)" shows that SharpHound is actually fetching the information ("Creating SecurityIdentifier from SID" and next resolving the foreign domain), but does not write it into the .json.

According to BlueCookieMonster from Slack, ForeignSecurityPrincipal collection is only working if it's done in a user context from the parent domain.

furmelade commented 5 years ago

I did some further testing, here are my results: Running SharpHound with the aforementioned parameters gives the following output:

Debug: Creating SecurityIdentifier from
Debug: Got Domain Sid
Debug: Cache hit for SidToDomainName:
Debug: Creating connection
Debug: Connection null

When running SharpHound with the --Verbose parameter instead of --Debug, I can see the following output: _Unable to contact domain <DomainFQDN

I have found several references to that string in https://github.com/BloodHoundAD/SharpHound/blob/master/Sharphound2/Utils.cs, which looks like SharpHound cannot contact the remote domain to request that specific user's information, thus not including it in the .json.
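The gap described in this thread (a foreign-domain member of a group dropped from the collected output) can be spotted from the directory side without resolving anything across the trust: a cross-domain member of a group shows up in the group's `member` attribute as an object under the CN=ForeignSecurityPrincipals container whose CN is the member's SID, and that SID's domain prefix differs from the group's own domain SID. The script below is an added example written for this page, not SharpHound's or BloodHound's code; the group DN, member DNs, SIDs and the "collected" member count are constructed sample values, and the `audit_group` / `foreign_principals` function names are my own. It lists the foreign principals in a group and reports how many members a collector run is short of the directory's member count, which is the check an operator would want before trusting the group edges in the database.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `member` attribute of CN=Administrators in sub.domain1.com.
# Values are invented for this example and are not real directory data.
SAMPLE_GROUP_DN = "CN=Administrators,CN=Builtin,DC=sub,DC=domain1,DC=com"
SAMPLE_GROUP_DOMAIN_SID = "S-1-5-21-111-222-333"          # constructed
SAMPLE_MEMBER_DNS = [
    "CN=alice,CN=Users,DC=sub,DC=domain1,DC=com",
    "CN=Domain Admins,CN=Users,DC=sub,DC=domain1,DC=com",
    # A member from the trusted forest (domain2.com) appears only as its SID here.
    "CN=S-1-5-21-444-555-666-1001,CN=ForeignSecurityPrincipals,DC=sub,DC=domain1,DC=com",
]
# Constructed sample: number of members a collector run emitted for the same group.
SAMPLE_COLLECTED_COUNT = 2

# A foreign-security-principal object's RDN is its SID, directly under the FSP container.
FSP_DN_RE = re.compile(
    r"^CN=(S-1-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals,(DC=.+)$", re.IGNORECASE
)


def domain_sid(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-a-b-c-1001 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def dn_domain(dn: str) -> str:
    """Join the DC= components of a DN into a DNS-style domain name."""
    parts = re.findall(r"DC=([^,]+)", dn, flags=re.IGNORECASE)
    return ".".join(parts).lower()


def foreign_principals(member_dns: List[str]) -> List[Dict[str, str]]:
    """Return every member that is a foreign security principal, with its SID and domain SID."""
    found = []
    for dn in member_dns:
        m = FSP_DN_RE.match(dn)
        if not m:
            continue
        sid = m.group(1)
        found.append({"dn": dn, "sid": sid, "domain_sid": domain_sid(sid)})
    return found


def audit_group(
    group_domain_sid: str, member_dns: List[str], collected_count: int
) -> Tuple[List[str], int]:
    """
    Compare the directory's member list with what a collector emitted.

    Returns (foreign_sids, shortfall): the SIDs of members whose domain SID differs
    from the group's domain, and how many members the collector is short of the
    directory count. A positive shortfall equal to len(foreign_sids) is the symptom
    described in this issue: cross-domain members fetched but never written out.
    """
    foreign = [
        fsp["sid"]
        for fsp in foreign_principals(member_dns)
        if fsp["domain_sid"] != group_domain_sid
    ]
    shortfall = len(member_dns) - collected_count
    return foreign, shortfall


if __name__ == "__main__":
    foreign, short = audit_group(SAMPLE_GROUP_DOMAIN_SID, SAMPLE_MEMBER_DNS, SAMPLE_COLLECTED_COUNT)
    print(f"Group {SAMPLE_GROUP_DN} in {dn_domain(SAMPLE_GROUP_DN)}")
    for sid in foreign:
        print(f"  foreign member: {sid} (domain SID {domain_sid(sid)})")
    print(f"  directory members: {len(SAMPLE_MEMBER_DNS)}, collected: {SAMPLE_COLLECTED_COUNT}, shortfall: {short}")
```

The check deliberately stays on the local side of the trust: it needs only the group's `member` attribute (readable by any authenticated user in the group's domain) and the collector's output, so it works even when the remote domain cannot be contacted, which is exactly the situation the debug output above ("Connection null" / "Unable to contact domain") points at. Anything listed as foreign with a matching shortfall is a group edge the database is currently missing.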