# Cross-Forest Attacks

There are two main cross-forest configurations:

* `External`: A non-transitive trust between two domains in separate forests that are not already joined by a forest trust. This type of trust utilizes SID filtering. Because the trust is non-transitive, users from the trusted domain can access resources in the trusting domain, but users from any other domain within the trusted forest cannot authenticate into any domain within the trusting forest by default. The extent of access is determined by the trust configuration and the permissions set within each domain.
* `Forest`: A transitive trust between two forest root domains, meaning that any user residing in the trusted forest can authenticate to any domain residing in the trusting forest.

{% hint style="info" %}
When dealing with one-way trusts it's easy to remember that **the direction of trust is opposite to the direction of access**.
{% endhint %}
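
To make the two trust types and the direction rule concrete from an auditing point of view, the sketch below classifies `trustedDomain` entries by their `trustDirection` and `trustAttributes` values. It is an added example, not part of the original notes: the flag values are the ones documented in MS-ADTS, while the domain names and sample rows are constructed and `classify` is a hypothetical helper.

```python
# Added example: classify trustedDomain objects as seen from the local domain.
# Flag values are from MS-ADTS; domain names and sample rows are constructed.
INBOUND, OUTBOUND = 0x1, 0x2                 # trustDirection bits
NON_TRANSITIVE, QUARANTINED = 0x1, 0x4       # trustAttributes bits
FOREST_TRANSITIVE, WITHIN_FOREST, TREAT_AS_EXTERNAL = 0x8, 0x20, 0x40

def classify(local, partner, direction, attrs):
    """Return trust type, access paths and SID-filtering findings (hypothetical helper)."""
    if attrs & WITHIN_FOREST:
        kind = "intra-forest"
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    else:
        kind = "external"
    transitive = kind != "external" and not attrs & NON_TRANSITIVE
    # The direction of access is opposite to the direction of trust.
    access = []
    if direction & INBOUND:       # partner trusts local: local users reach partner
        access.append(f"{local} -> {partner}")
    if direction & OUTBOUND:      # local trusts partner: partner users reach local
        access.append(f"{partner} -> {local}")
    findings = []
    if kind == "external" and not attrs & QUARANTINED:
        findings.append("external trust without SID filtering (quarantine off)")
    if kind == "forest" and attrs & TREAT_AS_EXTERNAL:
        findings.append("forest trust filtered as external (relaxed SID filtering)")
    return {"partner": partner, "kind": kind, "transitive": transitive,
            "access": access, "findings": findings}

# Constructed sample data: (partner, trustDirection, trustAttributes)
SAMPLE_TRUSTS = [
    ("partner.example", 2, 0x4),    # one-way outbound external trust, quarantined
    ("legacy.example", 3, 0x0),     # two-way external trust, quarantine cleared
    ("bastion.example", 1, 0x8),    # one-way inbound forest trust
    ("merger.example", 3, 0x48),    # two-way forest trust treated as external
]

def audit(local="corp.example", trusts=SAMPLE_TRUSTS):
    """Classify every trust row for the given local domain."""
    return [classify(local, p, d, a) for p, d, a in trusts]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

Trusts that come back with a non-empty `findings` list are the ones where SID filtering has been weakened and deserve review first.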

Cross-forest attacks usually consist of the following techniques:

* Cross-forest Kerberoasting
* Cross-forest ASREPRoasting
* Credential re-use
* [Foreign Group Membership](/red-teaming/notes/forest-trust-abuse/foreign-group-membership.md#cross-forest-configurations) and [Foreign ACL Principals](/red-teaming/notes/forest-trust-abuse/foreign-acl-principals.md#cross-forest-configurations)

There are also other techniques we can use if this low-hanging fruit doesn't yield any results.

#### Unconstrained Delegation

[Unconstrained Delegation](/red-teaming/notes/kerberos/unconstrained-delegation.md) can allow us to gain a foothold in a domain in another forest with high privileges.

#### Trust Account Attack

[This](/red-teaming/notes/forest-trust-abuse/cross-forest-attacks/trust-account-attack.md) technique abuses the trust account that is automatically created whenever a one-way outbound trust is established between two domains, which allows movement from the trusting domain to the trusted one.

#### SID History Injection

[SID History Injection](/red-teaming/notes/forest-trust-abuse/sid-history.md#sid-history-injection) (or SID Hijacking) refers to an attack that consists of injecting the SID of a highly privileged group or user from the target domain into a low-privileged user account in the source domain.

A useful technique to use alongside SID Hijacking is the [SID Filter Bypass](/red-teaming/notes/forest-trust-abuse/sid-filter-bypass.md).

#### SQL Linked Servers

[SQL Linked Servers](/red-teaming/notes/forest-trust-abuse/cross-forest-attacks/abusing-sql-linked-servers.md) facilitate communication and data exchange between SQL Server instances located in different Active Directory forests. This configuration allows SQL Server instances in one forest to access data and resources hosted by SQL Server instances in another forest.

#### Foreign Group Membership and ACL Principals

Just like in intra-forest configurations, we can abuse [Foreign Group Membership](/red-teaming/notes/forest-trust-abuse/foreign-group-membership.md) and [Foreign ACL Principals](/red-teaming/notes/forest-trust-abuse/foreign-acl-principals.md).

#### PAM Trust Abuse

With high-privilege access over the Bastion Forest of a PAM Trust, [this](/red-teaming/notes/forest-trust-abuse/cross-forest-attacks/abusing-pam-trusts.md) method allows the complete compromise of all the User Forests managed by the trust.

