> For the complete documentation index, see [llms.txt](https://otter.gitbook.io/red-teaming/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks.md). # Intra-Forest Attacks #### Foreign Group Membership and ACL Principals Through [Foreign Group Membership](/red-teaming/notes/forest-trust-abuse/foreign-group-membership.md) and [Foreign ACL Principals](/red-teaming/notes/forest-trust-abuse/foreign-acl-principals.md) it's possible get a direct foothold into another domain without having to exploit any misconfiguration or perform any attack. #### Unconstrained Delegation [Unconstrained Delegation](/red-teaming/notes/kerberos/unconstrained-delegation.md) can allow to move from a child domain to the parent one by abusing the [Printer Bug Method](/red-teaming/notes/kerberos/unconstrained-delegation.md#printer-bug-method); let's imagine the following scenario: `DC02` serves as the Child Domain Controller within the domain `dev.domain.com`, while `DC01` operates as the Parent Domain Controller within the domain `domain.com`. First we can start the `monitor` command in Rubeus and then we can execute `SpoolSample` to exploit the `printer bug`, forcing DC01 (the Parent DC) to authenticate to a host under our control, which in this case is DC02 (the Child DC). By leveraging this exploit, we can trigger an authentication attempt from the Parent DC to the Child DC, thereby facilitating the interception of DC01's Ticket Granting Ticket (TGT). ``` .\Rubeus.exe monitor /interval:5 /nowrap ``` ``` .\SpoolSample.exe dc01.domain.com dc02.dev.domain.com ``` If the attack worked a new TGT for `DC01$` should get detected by Rubeus and we're now able to renew it and use it to access a host in the other domain. ``` .\Rubeus.exe renew /ticket: /ptt ``` #### Configuration Naming Context Replication [Configuration Naming Context (NC) replication abuse](#configuration-naming-context-replication) refers to a offensive tactic wherein attackers exploit the `replication` mechanism of the `Configuration Naming Context` in Active Directory to propagate unauthorized changes or configurations across the domain infrastructure. #### ADCS NC Replication Attack The [attack](#adcs-nc-replication-attack) consists in abusing permissions over the Configuration Naming Context so that we can add a new vulnerable certificate template to the `Certificate Templates` container, then we give the Domain Administrator user of the child domain `Full Control` over said certificate, publish it and wait for the changes to propagate. After the NC is replicated back to the parent domain we can request the certificate for `root\Administrator` for the child domain. The easiest vulnerable template to set up is \[\[01 - ESC1 | ESC1]]. After the template is published we can request it and abuse ESC1 as we normally would. #### GPO On-Site Attack [This technique](#gpo-on-site-attack) can be used to move from the child domain to the parent one by creating a malicious GPO on the Child DC and linking it to the `Default Replication` site of the parent DC. This allows to set a backdoor (a backdoored user) on the parent DC that we can request a TGT for. #### GoldenGMSA Attack A [GoldenGMSA Attack](#goldengmsa-attack) can be used if we discover a gMSA account in a parent domain we can compromise it from the child domain with the [GoldenGMSA](https://github.com/Semperis/GoldenGMSA) tool and obtain its password. It will allow to get a NTLM hash of the account's password to request a TGT into the other domain. #### DNS Trust Attack [This](/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/dns-trust-attack.md) attack abuses the unauthorized modification of DNS records within of the database locations of a parent domain from within a child domain; redirection of traffic can allow for MITM attacks. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.