Cross-Forest Attacks
There are two main cross-forest configurations:
External
: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes SID filtering. External trusts are non-transitive, meaning that users from the trusted domain can access resources in the trusting domain, but users from any domain within the trusted forest cannot authenticate into any domain within the trusting forest by default. The extent of access is determined by the trust configuration and permissions set within each domain.
Forest
: A transitive trust between two forest root domains, meaning that any user residing in the trusted forest can authenticate to any domain residing in the trusting forest.
Cross-forest attacks usually consist of the following techniques:
Cross-forest Kerberoasting
Cross-forest ASREPRoasting
Credential re-use
and
but there are also other techniques we can use if these low-hanging fruits don't yield any results.
can allow us to get a foothold in another cross-forest domain with high privileges.
technique abuses the automatic creation of a trust account whenever a one-way outbound trust is established between two domains, allowing us to move from the trusting domain to the trusted one.
(or SID Hijacking) refers to an attack that consists of injecting the SID of a highly privileged group or user from the target domain into a low-privileged user account in the source domain.
A useful technique to use alongside SID Hijacking is the .
servers facilitate communication and data exchange between SQL Server instances located in different Active Directory forests. This configuration allows SQL Server instances in one forest to access data and resources hosted by SQL Server instances in another forest.
Just like in intra-forest configurations, we can abuse and .
With high-privilege access over the Bastion Forest of a PAM Trust, method allows us to completely compromise all the User Forests managed by the trust.