When performing cross-forest (inter-realm) attacks it is vital to first identify groups in the target forest that has RID higher than 1000. As far as I can tell RID does not exist as an attribute on group nodes today. Assuming that is correct, would it be possible to implement this attribute? Or is there perhaps another way to accomplish this already today?

Thanks!

Hi @jsdhasfedssad,

The RID is the last part of the SID, and the SID is the ObjectID in BloodHound:

You can list all the groups in a given domain with RID >= 1000 using this CYPHER query (replace DUMPSTER.FIRE with your domain name):
MATCH (g:Group) WHERE g.domain = "DUMPSTER.FIRE" AND NOT right(g.objectid,4) STARTS WITH "-5" AND NOT g.objectid STARTS WITH g.domain RETURN g

Hope that helps!