Performance degradation when SharpHound attempts to resolve unresolvable SIDs

[NexKosh]

When running SharpHound from a non-domain-joined Windows machine using supplied credentials, if target objects in the domain contain unresolvable SIDs (e.g., due to stale entries from broken two-way trusts), the tool repeatedly attempts to resolve them.

• Environment

1. SharpHound Version: 2.6.5
2. SharpHoundCommon Version: 4.2.6
3. Command : SharpHound -c DCOnly --ldapusername domainuser@ludus.domain --ldappassword ******** -d ludus.domain -v 1 --skipportcheck --disablecertverification --disablesigning --domaincontroller ludus.domain

• Conditions

1. The machine executing SharpHound is not joined to the domain
2. Some AD objects contain SIDs from a previously trusted domain (e.g., due to removed two-way trust)
3. unresolvable SID (from a previously trusted domain) was present on many AD objects.
4. Total object count is large (e.g., 500,000+ objects)

• Screenshot

1. non-domain-joined

2. domain-joined

• Observed Behavior

1. SharpHound attempts to resolve unknown or external SIDs via DirectoryContext using GetDomain(...)
2. Each failed resolution logs:
   System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Current security context is not associated with an Active Directory domain or forest.

• Comparison Results

Scenario	Cache	Execution Time
Domain-joined host	❌ / ✅	13 mins
Non-domain host, same creds	✅	30 mins
Non-domain host, same creds	❌	90 mins

Is it possible to add unresolvable SID cache to avoid repeated requests or disable try get unresolvable SID?

[ktstrader]

Hi @NexKosh! Would you be able to provide steps to reproduce this issue for testing purposes?

[NexKosh]

Hi @ktstrader 👋

To accurately simulate SharpHound performance degradation caused by unresolved or stale ACL SIDs (typically from removed trusts or deleted users), I suggest the following setup:

✅ Recommended Procedure

1. Establish a Two-Way Trust Between Domains

   • Set up a two-ways trust between two domains (e.g., corp.local and lab.local).

2. Inject Cross-Domain ACL Entries

   • While the trust is still active, inject a large number of ACLs (~10,000 entries) into objects in lab.local.
   • Each ACL should grant rights (e.g., GenericAll) to SIDs from corp.local.
   • Use tools like BadBlood to populate the domain with users, groups, and computers. Then assign ACLs referencing foreign domain users either manually or through scripting.

3. Break the Trust Relationship

   • Remove the trust between corp.local and lab.local.
   • The injected ACLs will remain in lab.local, but their associated SIDs from corp.local will no longer resolve via LDAP, simulating real-world stale SID conditions.

4. Run SharpHound from an External Machine

   • From a machine not joined to lab.local, execute SharpHound against the lab.local domain using the DCOnly collection method.

   SharpHound.exe --CollectionMethod DCOnly --Domain lab.local --UserName sharphound --Password P@ssw0rd
   

---