Cross-Forest Attacks

There are two main cross-forest configurations:

  • External: A non-transitive trust between two domains in separate forests that are not already joined by a forest trust. SID filtering (domain quarantine) is enabled on it by default. Because the trust is non-transitive, only principals of the trusted domain itself can access resources in the trusting domain: principals of other domains in the trusted forest cannot authenticate to the trusting domain through it, and it does not extend to the other domains of the trusting forest. The actual extent of access is then determined by the permissions granted in the trusting domain

  • Forest: A transitive trust between two forest root domains, meaning that any user residing in any domain of the trusted forest can authenticate to any domain residing in the trusting forest. SID filtering is enabled by default here too, but it is scoped to the whole trusted forest rather than to a single domain: SIDs that do not belong to a domain of the trusted forest are stripped

When dealing with one-way trusts it's easy to remember that the direction of access is opposite to the direction of trust: the trusting domain trusts the trusted domain, so it is the principals of the trusted domain that can access resources in the trusting domain, never the other way round (unless the trust is bidirectional).
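As an added example (not part of the original page nor of any tool it mentions), the following Windows PowerShell snippet uses RSAT's ActiveDirectory module to enumerate the trusts of the current domain and decodes the trust attributes into the facts above: which way access flows, whether SID filtering applies, whether TGT delegation is allowed and whether it is a PAM trust. The function name and the hint texts are my own; the attribute bit values are the ones documented in MS-ADTS.

```powershell
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS section 6.1.6.7.9)
$TrustAttr = [ordered]@{
    NON_TRANSITIVE        = 0x1
    UPLEVEL_ONLY          = 0x2
    QUARANTINED_DOMAIN    = 0x4     # SID filtering enforced on an external trust
    FOREST_TRANSITIVE     = 0x8
    CROSS_ORGANIZATION    = 0x10    # selective authentication
    WITHIN_FOREST         = 0x20
    TREAT_AS_EXTERNAL     = 0x40    # forest trust with SID history enabled (relaxed filtering)
    USES_RC4_ENCRYPTION   = 0x80
    NO_TGT_DELEGATION     = 0x200
    PIM_TRUST             = 0x400   # PAM / bastion forest trust
    ENABLE_TGT_DELEGATION = 0x800
}

function Get-TrustAttackSurface {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($t in Get-ADTrust -Server $Domain -Filter *) {
        $attr  = [int]$t.TrustAttributes
        $flags = @($TrustAttr.Keys | Where-Object { $attr -band $TrustAttr[$_] })

        # Direction is stored from $Domain's point of view: Outbound means
        # $Domain trusts Target, so Target's principals reach $Domain's resources.
        $access = switch ([string]$t.Direction) {
            'Outbound'      { "$($t.Target) -> $Domain" }
            'Inbound'       { "$Domain -> $($t.Target)" }
            'BiDirectional' { "$Domain <-> $($t.Target)" }
            default         { 'none (disabled)' }
        }

        $hints = @()
        if ([string]$t.Direction -in 'Outbound', 'BiDirectional') {
            # $Domain's trust object holds the outgoing trust key, so a DA of
            # $Domain can authenticate to Target as the trust account.
            $hints += "trust account attack towards $($t.Target)"
        }
        if ($attr -band $TrustAttr.FOREST_TRANSITIVE) {
            if ($attr -band $TrustAttr.TREAT_AS_EXTERNAL) {
                $hints += 'forest trust with SID history enabled (relaxed SID filtering)'
            } else {
                $hints += 'forest trust: SIDs not from a trusted-forest domain are filtered'
            }
        } elseif (-not ($attr -band $TrustAttr.WITHIN_FOREST) -and
                  -not ($attr -band $TrustAttr.QUARANTINED_DOMAIN)) {
            $hints += 'external trust WITHOUT SID filtering: SID history injection works across it'
        }
        if ($attr -band $TrustAttr.ENABLE_TGT_DELEGATION) {
            $hints += 'TGT delegation flag set: unconstrained delegation usable across this trust'
        }
        if ($attr -band $TrustAttr.CROSS_ORGANIZATION) {
            $hints += 'selective authentication: access must be granted per resource'
        }
        if ($attr -band $TrustAttr.PIM_TRUST) {
            $hints += 'PAM trust: a bastion forest manages privileged access'
        }

        [pscustomobject]@{
            Target     = $t.Target
            Direction  = [string]$t.Direction
            Access     = $access
            Attributes = ($flags -join ', ')
            Hints      = ($hints -join '; ')
        }
    }
}

Get-TrustAttackSurface | Format-List
```

Run it from a domain-joined session; pass `-Domain` to look at another domain you can already read. The Access column is what you want to read first, the Hints column tells you which of the sections below is worth trying against that trust.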

Cross-forest attacks usually start with the techniques described in the sections below, but there are also other techniques we can use if these low-hanging fruits don't yield any results.

Unconstrained Delegation

Unconstrained Delegation can be abused to get a high-privilege foothold in a domain of another forest: a host we control that is trusted for unconstrained delegation receives a copy of the TGT of every principal that authenticates to it, and a domain controller of the other forest can be coerced into doing so. This only works if the other forest still allows TGTs of its principals to be forwarded over the trust (the ENABLE_TGT_DELEGATION trust attribute); since the 2019 Windows updates this is disabled by default on cross-forest trusts, so check the flag before spending time on it.
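An added example (mine, not from the original page) that checks both halves of that precondition with RSAT's ActiveDirectory module: the non-DC hosts in our domain that have unconstrained delegation (domain controllers always have it, so they are left out), and whether the other forest's trust object pointing at us carries the TGT delegation flag. It assumes the other forest allows us authenticated LDAP reads over the trust; the partner domain name is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-TgtDelegationSurface {
    param([Parameter(Mandatory)][string]$RemoteDomain)   # a domain of the other forest

    $local = (Get-ADDomain).DNSRoot

    # userAccountControl bit tests (LDAP_MATCHING_RULE_BIT_AND):
    # TRUSTED_FOR_DELEGATION = 0x80000, SERVER_TRUST_ACCOUNT (DC) = 0x2000
    $filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    $hosts  = @(Get-ADComputer -LDAPFilter $filter | Select-Object -ExpandProperty DNSHostName)

    # The users' forest decides whether TGTs of its principals may be forwarded
    # to our hosts, so the flag lives on ITS trust object that points at us.
    $trust   = Get-ADTrust -Server $RemoteDomain -Filter * | Where-Object { $_.Target -eq $local }
    $allowed = [bool]($trust -and (([int]$trust.TrustAttributes) -band 0x800))  # ENABLE_TGT_DELEGATION

    if ($allowed) {
        $note = "coerce a $RemoteDomain DC to authenticate to one of the hosts below (or to our own DC)"
    } else {
        $note = "disabled on $RemoteDomain's side: its principals will not forward a TGT to us"
    }

    [pscustomobject]@{
        RemoteDomain       = $RemoteDomain
        TrustFoundOnRemote = [bool]$trust
        TgtDelegationToUs  = $allowed
        UnconstrainedHosts = $hosts      # where a coerced authentication would land
        Note               = $note
    }
}

Get-TgtDelegationSurface -RemoteDomain 'corp.other.example'   # hypothetical partner domain
```

If `TgtDelegationToUs` is false the coercion still happens, but the service ticket you capture carries no forwardable TGT, so nothing usable comes out of it.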

Trust Account Attack

This technique abuses the trust account that is created automatically in the trusted domain whenever a one-way outbound trust is established: the trusting domain stores the trust key in its trust object, so an administrator of the trusting domain can extract it and authenticate to the trusted domain as that account. This moves us from the trusting domain into the trusted one, against the direction of the trust. The trust account is an ordinary, low-privileged user of the trusted domain, so what we get is a foothold there, not administrative access.

SID History Injection

SID History Injection (or SID Hijacking) is an attack in which the SID of a highly privileged group or user of the target domain is injected into the SID history of a low-privileged account in the source domain, so that the target domain treats that account as holding the injected SID. Across a forest boundary this only works when SID filtering lets the injected SID through: by default the trusting side strips every SID that does not belong to the trusted domain (external trust) or to a domain of the trusted forest (forest trust), so filtering has to be disabled, relaxed or bypassed first.

A useful technique to use alongside SID Hijacking is the SID Filter Bypass, for the case where SID filtering would otherwise strip the injected SID.

SQL Linked Servers

SQL Linked Servers facilitate communication and data exchange between SQL Server instances located in different Active Directory forests: an instance in one forest can query, and with RPC Out enabled execute statements on, instances in the other forest. What makes them an attack path is the login mapping of the link. When a link is configured with a fixed remote login instead of impersonating the caller, everything sent over it runs on the remote instance with that login's privileges no matter who issued it, and links can be chained across several hops. A link mapped to a sysadmin login therefore lets a low-privileged user of one forest's instance run commands on the other forest's instance.
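An added example, written for this page and not taken from PowerUpSQL or any other tool: it crawls the linked servers reachable from an instance we can log in to and reports, for every hop, which login the link maps us to and whether that login is a sysadmin there. It uses `System.Data.SqlClient` from Windows PowerShell and Windows authentication; the starting instance name is a placeholder. `EXEC ... AT` requires RPC Out on each link, and a hop whose link is not configured for us shows up as an error row rather than stopping the crawl.

```powershell
function Invoke-SqlQuery {
    param([string]$Instance, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=SSPI;Connection Timeout=5")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally { $conn.Close() }
}

function ConvertTo-LinkedQuery {
    # Wrap $Query so it runs at the end of the link chain $Path, e.g. for
    # SRV1 -> SRV2:  EXEC ('EXEC (''<query>'') AT [SRV2]') AT [SRV1]
    param([string[]]$Path, [string]$Query)
    $q = $Query
    for ($i = $Path.Count - 1; $i -ge 0; $i--) {
        $q = "EXEC ('" + $q.Replace("'", "''") + "') AT [" + $Path[$i] + "]"
    }
    return $q
}

function Get-SqlLinkCrawl {
    param([Parameter(Mandatory)][string]$Instance, [int]$MaxDepth = 5)

    $seen  = @{}                                  # @@SERVERNAME -> visited (breaks link loops)
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue([string[]]@())                 # empty path = the start instance itself

    while ($queue.Count -gt 0) {
        $path  = [string[]]$queue.Dequeue()
        $label = if ($path.Count) { $path -join ' -> ' } else { '(start)' }
        try {
            $row = (Invoke-SqlQuery $Instance (ConvertTo-LinkedQuery -Path $path -Query `
                "SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS sa")).Rows[0]
        } catch {
            [pscustomobject]@{ Path = $label; Server = '?'; Login = $_.Exception.Message; Sysadmin = $false }
            continue
        }
        $srv = [string]$row.srv
        if ($seen.ContainsKey($srv)) { continue }
        $seen[$srv] = $true

        [pscustomobject]@{
            Path     = $label
            Server   = $srv
            Login    = [string]$row.login   # the identity the link chain mapped us to
            Sysadmin = ($row.sa -eq 1)      # a sysadmin hop means command execution there
        }

        if ($path.Count -ge $MaxDepth) { continue }
        $links = Invoke-SqlQuery $Instance (ConvertTo-LinkedQuery -Path $path `
                     -Query 'SELECT name FROM sys.servers WHERE is_linked = 1')
        foreach ($l in $links.Rows) { $queue.Enqueue([string[]]($path + [string]$l.name)) }
    }
}

Get-SqlLinkCrawl -Instance 'sql01.corp.example' | Format-Table -AutoSize   # hypothetical instance
```

Read the output for hops where `Login` is not your own account and `Sysadmin` is true: that link runs with a fixed privileged mapping, and the same chain wrapping `xp_cmdshell` instead of the probe query gives you command execution on that instance.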

Foreign Group Membership and ACL Principals

Just like in intra-forest configurations, we can abuse Foreign Group Membership and Foreign ACL Principals: a principal of the other forest that is a member of a local group (it shows up here as a foreignSecurityPrincipal object) or that is granted rights in the ACL of a local object holds those privileges across the trust, so compromising that principal in its home forest gives us the corresponding access here.
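An added example (mine, not from the original page) that lists both kinds of foothold with RSAT's ActiveDirectory module: foreign security principals that are members of local groups, and Allow ACEs on a few high-value objects granted to SIDs from outside our forest. Other domains of our own forest are excluded by comparing against the forest's domain SIDs; the default object list is a starting point of my choosing and can be overridden.

```powershell
Import-Module ActiveDirectory

function Get-ForeignPrincipalFootholds {
    param([string[]]$HighValueDn)   # objects whose ACLs are worth reading

    $domain = Get-ADDomain
    if (-not $HighValueDn) {
        $HighValueDn = @(
            $domain.DistinguishedName,
            "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",
            (Get-ADGroup 'Domain Admins').DistinguishedName
        )
    }

    # Domain SIDs of our own forest: any S-1-5-21-* SID outside this list belongs
    # to another forest. Well-known SIDs (S-1-5-11, S-1-5-32-*, ...) are ignored.
    $forestSids = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Server $_).DomainSID.Value }
    function Test-ForeignSid([string]$Sid) {
        if ($Sid -notlike 'S-1-5-21-*') { return $false }
        foreach ($d in $forestSids) { if ($Sid.StartsWith("$d-")) { return $false } }
        return $true
    }
    function Resolve-Sid([string]$Sid) {
        try   { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $Sid }   # not resolvable over the trust: keep the raw SID
    }

    # 1. Foreign group membership: an FSP object exists for every external SID
    #    ever added to a local group; memberOf tells us which groups.
    Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf |
        Where-Object { $_.memberOf -and (Test-ForeignSid $_.Name) } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'GroupMember'; Principal = (Resolve-Sid $_.Name)
                               Where = ($_.memberOf -join '; '); Rights = 'member' }
        }

    # 2. Foreign ACL principals: Allow ACEs on the high-value objects whose
    #    trustee SID comes from another forest.
    foreach ($dn in $HighValueDn) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and (Test-ForeignSid $sid)) {
                [pscustomobject]@{ Kind = 'AclGrant'; Principal = (Resolve-Sid $sid)
                                   Where = $dn; Rights = [string]$ace.ActiveDirectoryRights }
            }
        }
    }
}

Get-ForeignPrincipalFootholds | Format-Table -AutoSize -Wrap
```

Every row is a principal that lives in the other forest but has standing here; the home-forest side of the attack is then the usual one (compromise that user, group or computer over there, and come back through the trust with its rights).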

PAM Trust Abuse

A PAM (Privileged Access Management) trust is a special forest trust in which a hardened bastion forest manages privileged access to one or more user forests: shadow principals in the bastion forest map onto privileged groups of the user forests, and the user forests honour them over the trust. With high-privilege access over the bastion forest, this method allows complete compromise of all the user forests managed by the trust.
