Intra-Forest Attacks
Foreign Group Membership and ACL Principals
Through Foreign Group Membership and Foreign ACL Principals it's possible get a direct foothold into another domain without having to exploit any misconfiguration or perform any attack.
Unconstrained Delegation
Unconstrained Delegation can allow to move from a child domain to the parent one by abusing the Printer Bug Method; let's imagine the following scenario: DC02 serves as the Child Domain Controller within the domain dev.domain.com, while DC01 operates as the Parent Domain Controller within the domain domain.com.
First we can start the monitor command in Rubeus and then we can execute SpoolSample to exploit the printer bug, forcing DC01 (the Parent DC) to authenticate to a host under our control, which in this case is DC02 (the Child DC). By leveraging this exploit, we can trigger an authentication attempt from the Parent DC to the Child DC, thereby facilitating the interception of DC01's Ticket Granting Ticket (TGT).
If the attack worked a new TGT for DC01$ should get detected by Rubeus and we're now able to renew it and use it to access a host in the other domain.
Configuration Naming Context Replication
Configuration Naming Context (NC) replication abuse refers to a offensive tactic wherein attackers exploit the replication mechanism of the Configuration Naming Context in Active Directory to propagate unauthorized changes or configurations across the domain infrastructure.
ADCS NC Replication Attack
The attack consists in abusing permissions over the Configuration Naming Context so that we can add a new vulnerable certificate template to the Certificate Templates container, then we give the Domain Administrator user of the child domain Full Control over said certificate, publish it and wait for the changes to propagate.
After the NC is replicated back to the parent domain we can request the certificate for root\Administrator for the child domain.
The easiest vulnerable template to set up is [[01 - ESC1 | ESC1]].
After the template is published we can request it and abuse ESC1 as we normally would.
GPO On-Site Attack
This technique can be used to move from the child domain to the parent one by creating a malicious GPO on the Child DC and linking it to the Default Replication site of the parent DC.
This allows to set a backdoor (a backdoored user) on the parent DC that we can request a TGT for.
GoldenGMSA Attack
A GoldenGMSA Attack can be used if we discover a gMSA account in a parent domain we can compromise it from the child domain with the GoldenGMSA tool and obtain its password.
It will allow to get a NTLM hash of the account's password to request a TGT into the other domain.
DNS Trust Attack
This attack abuses the unauthorized modification of DNS records within of the database locations of a parent domain from within a child domain; redirection of traffic can allow for MITM attacks.
Last updated