Cross-Forest Attacks
There are two main cross-forest configurations:
External
: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes SID filtering. External trusts are non-transitive, meaning that users from the trusted domain can access resources in the trusting domain, but users from any domain within the trusted forest cannot authenticate into any domain within the trusting forest by default. The extent of access is determined by the trust configuration and permissions set within each domainForest
: A transitive trust between two forest root domains, meaning that any user residing in the trusted forest can authenticate to any domain residing in the trusting forest
When dealing with one-way trusts it's easy to remember that the direction of trust is opposite to the direction of access.
Cross-forest attacks usually consist of the following techniques:
Cross forest Kerboasting
Cross forest ASREPRoasting
Credential re-use
but there are also other techniques we can use if these low-hanging fruits don't yield any results.
Unconstrained Delegation
Unconstrained Delegation can allow to get a foothold into another cross-forest domain with high-privileges.
Trust Account Attack
This technique abuses the automatic creation of a trust account whenever a one-way outbound trust is established between two domains allowing to move from the trusting domain to the trusted one.
SID History Injection
SID History Injection (or SID Hijacking) refers an attack that consists in injecting the SID of a highly privileged group or user from the target domain into a low-privileged user account in the source domain.
A useful technique to use alongside SID Hijacking is the SID Filter Bypass.
SQL Linked Servers
SQL Linked Severs servers facilitate communication and data exchange between SQL Server instances located in different Active Directory forests. This configuration allows SQL Server instances in one forest to access data and resources hosted by SQL Server instances in another forest.
Foreign Group Membership and ACL Principals
Just like in intra-forest configurations, we can abuse Foreign Group Membership and Foreign ACL Principals.
PAM Trust Abuse
With high-privilege access over the Bastion Forest of a PAM Trust, this method allows to completely compromise all the User Forests managed by the trust.
Last updated