Active Directory Forest Trusts: Cross-Forest Privilege Escalation Techniques

In enterprise environments, Active Directory (AD) forest trusts enable seamless access between separate forests. They are essential for mergers, partnerships and large deployments, but an over-permissive or misconfigured trust also gives an attacker who has compromised one forest a path into the other: cross-forest privilege escalation.
In this article we look at how adversaries abuse trust configurations, the techniques red teams use in practice, and the mitigations that actually close those paths.
Understanding Active Directory Forest Trusts
A forest trust is a trust relationship between the root domains of two forests that lets accounts in one forest access resources in the other, subject to the permissions set on those resources. Trust relationships in general are described by three properties:
- Direction: one-way or two-way. In a one-way trust the trusting domain holds the resources and the trusted domain holds the accounts.
- Transitivity: transitive or non-transitive. Parent-child and tree-root trusts inside a forest are transitive; a forest trust is transitive between the domains of the two forests but does not chain on to a third forest; external trusts are non-transitive.
- Scope: external (between two individual domains) or forest (between forest roots, covering every domain in both forests).
The critical concept is the trusting/trusted relationship: the trusting side accepts authentication from the trusted side and relies on SID filtering to decide which SIDs in an incoming ticket it will honour. Any weakness in that configuration (SID history enabled on the trust, SID filtering or quarantine disabled, forest-wide rather than selective authentication, TGT delegation allowed) can lead to unauthorized access or escalation of privileges across the trust.
Attack Surface Introduced by Forest Trusts
When misconfigured, or simply when the trusted side is compromised, forest trusts can:
- Let an attacker with any low-privileged account in one forest enumerate users, groups, computers and ACLs in the other, because a forest trust grants authenticated users of the trusted forest read access to the directory unless selective authentication is used.
- Allow SID history abuse or ticket forging using tools like Mimikatz, Rubeus or Impacket.
- Turn the forest, which is the real security boundary in AD, into a stepping stone by chaining trust paths.
Common Techniques for Cross-Forest Privilege Escalation
1. SID History Injection
An attacker who controls the trusted forest (holding its krbtgt hash or the inter-realm trust key) can forge a ticket whose PAC carries extra SIDs pointing at privileged groups of the target forest. Whether this works depends entirely on SID filtering, which is enabled by default on forest trusts: the trusting forest strips every SID that does not belong to a domain of the trusted forest, so a forged Enterprise Admins SID (RID 519) of the target forest is discarded. Two configurations reopen the attack. If SID history has been enabled on the trust (netdom trust /enablesidhistory:yes), the trust is treated as external and foreign SIDs with RID 1000 or higher are accepted, so a custom group of the target forest that is nested in Domain Admins can be injected. Inside a single forest (child domain to parent) there is no SID filtering at all, which is why the classic golden ticket with an Enterprise Admins extra SID works there.
Tool example: Rubeus can craft golden tickets with custom SID history values; Mimikatz (kerberos::golden /sids) and Impacket's ticketer.py (-extra-sid) do the same.
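To make the SID filtering behaviour concrete, the following model applies the filter a trusting domain controller would use to the PAC of a forged ticket under the four trust configurations discussed above. This is an added example and not code from the original article; the forest names, domain SIDs and RIDs are constructed, and the rules are a simplification of the [MS-PAC] filtering behaviour reduced to the cases that matter for SID history injection (the real filter also strips a fixed set of well-known SIDs).

```python
"""Simplified model of the SID filtering a domain controller applies to the
PAC of an incoming inter-realm ticket. Added example; the domain SIDs and
RIDs below are constructed for illustration."""

from enum import Enum

# Constructed domain SIDs for two hypothetical forests.
CORP_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"     # trusted forest (attacker-controlled)
PARTNER_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"  # trusting forest (target)


class FilterMode(Enum):
    FOREST_AWARE = "forest trust, default settings"
    TREAT_AS_EXTERNAL = "forest trust after netdom /enablesidhistory:yes, or external trust with /quarantine:no"
    QUARANTINED = "external trust with /quarantine:yes"
    INTRA_FOREST = "parent/child trust inside one forest (no SID filtering)"


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account or group SID into its domain SID and RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def filter_pac_sids(mode: FilterMode, trusted_domains: set[str], sids: list[str]) -> list[str]:
    """Return the SIDs the trusting DC keeps from the incoming PAC.

    trusted_domains is the set of domain SIDs the trusting side recognises as
    the trusted forest (or the single trusted domain of an external trust).
    """
    kept = []
    for sid in sids:
        domain, rid = split_sid(sid)
        if mode is FilterMode.INTRA_FOREST:
            kept.append(sid)        # no filtering inside a forest
        elif domain in trusted_domains:
            kept.append(sid)        # SIDs of the trusted forest's own domains always pass
        elif mode is FilterMode.TREAT_AS_EXTERNAL and rid >= 1000:
            kept.append(sid)        # foreign SIDs pass unless they are well-known (RID < 1000)
        # everything else is stripped
    return kept


# Constructed PAC of a forged ticket: the attacker's own user and group plus
# two injected SIDs that belong to the target forest.
FORGED_PAC_SIDS = [
    f"{CORP_DOMAIN}-1104",     # the attacker's user in CORP
    f"{CORP_DOMAIN}-512",      # CORP Domain Admins, a legitimate group of the trusted forest
    f"{PARTNER_DOMAIN}-519",   # injected: PARTNER Enterprise Admins (well-known RID)
    f"{PARTNER_DOMAIN}-1105",  # injected: a custom PARTNER group nested in Domain Admins
]


def simulate(mode: FilterMode) -> list[str]:
    """Apply the filter for one trust configuration to the forged PAC."""
    return filter_pac_sids(mode, {CORP_DOMAIN}, FORGED_PAC_SIDS)


if __name__ == "__main__":
    for mode in FilterMode:
        print(f"{mode.value}:")
        for sid in simulate(mode):
            print("   kept", sid)
```

Running it shows that the Enterprise Admins SID survives only in the intra-forest case, while the RID 1105 group additionally survives once the trust is treated as external; that is the difference between a forged ticket that is useless and one that lands the attacker in Domain Admins of the target forest.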
2. Kerberos TGT Capture Across Forests
A host configured for unconstrained delegation stores the TGT of every account that authenticates to it. If the trust permits TGT delegation (the EnableTGTDelegation setting, which Microsoft's 2019 updates turned off by default on forest trusts), an attacker who controls such a host in forest A can coerce a machine or privileged account from forest B into authenticating to it, for instance with the printer bug, and then reuse the captured TGT inside forest B. Accounts with SPNs are also exposed across the trust: any authenticated account can request service tickets for them, so Kerberoasting of weak service account passwords works cross-forest as well.
3. Trust Ticket Forging with Impacket
The inter-realm (referral) TGT that a DC issues for another forest is encrypted with the trust key, a shared secret held by both sides of the trust. If that key is dumped from a DC of the trusted forest, ticketer.py from Impacket can forge a referral ticket for the service krbtgt/<target realm> that the target forest's DCs accept, and the attacker can then request service tickets there. The extra SIDs in such a ticket are still subject to the target forest's SID filtering, so the technique is usually combined with one of the SID history conditions above, or used to impersonate an account that already holds rights in the target forest. Impacket's raiseChild.py automates the child-to-parent variant, which is intra-forest and therefore not filtered at all.
4. Resource-Based Constrained Delegation (RBCD) Abuse
RBCD is configured on the resource side by writing msDS-AllowedToActOnBehalfOfOtherIdentity. If a principal from the trusted forest has been granted write access to that attribute on a computer in the trusting forest (through an over-permissive ACL or a group that contains foreign security principals), the attacker can add a service account they control and then use S4U2Self and S4U2Proxy to obtain service tickets to that computer in the name of privileged users of the target forest.
5. Transitive Trust Path Abuse
Large environments accumulate chains of trusts: parent-child trusts inside each forest, forest trusts between forests and external trusts to individual legacy domains. Because intra-forest trusts are transitive and a forest trust covers every domain of both forests, an account in a small child domain can often reach domains several hops away that nobody intended it to reach. Mapping these paths (BloodHound does this well) is the first step of any cross-forest engagement, and delegation configured anywhere along the path turns a foothold into escalation.
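The following search enumerates which domains accept an account from a given starting domain, honouring trust direction and the transitivity rules described above. It is an added example rather than code from the article; the three forests, their domains and the trusts between them are constructed, and the modelling rules are stated in the docstring.

```python
"""Breadth-first search for the domains an account can reach through a set of
trusts, honouring direction and transitivity. Added example with a constructed
environment (corp and partner forests, one legacy domain)."""

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str  # domain that holds the resources
    trusted: str   # domain whose accounts it accepts
    kind: str      # "intra" (parent/child, tree-root), "forest" or "external"


# Constructed environment. corp forest: corp.local, dev.corp.local.
# partner forest: partner.local, eu.partner.local. legacy.local stands alone.
TRUSTS = [
    Trust("corp.local", "dev.corp.local", "intra"),
    Trust("dev.corp.local", "corp.local", "intra"),
    Trust("partner.local", "eu.partner.local", "intra"),
    Trust("eu.partner.local", "partner.local", "intra"),
    Trust("partner.local", "corp.local", "forest"),         # one-way: partner forest trusts corp forest
    Trust("legacy.local", "eu.partner.local", "external"),  # one-way and non-transitive
]


def reachable_domains(start: str, trusts: list[Trust]) -> dict[str, list[str]]:
    """Map every domain that accepts accounts from `start` to the first path found.

    Rules encoded:
      * intra-forest trusts are transitive, so the search keeps expanding
        through parent/child and tree-root trusts;
      * a forest trust is transitive across both forests but does not chain
        on to a third forest, so a path crosses at most one forest trust;
      * an external trust is non-transitive: only accounts of the directly
        trusted domain are accepted, and the path ends there.
    """
    paths: dict[str, list[str]] = {}
    seen = {(start, False)}
    queue = deque([(start, False, [start])])
    while queue:
        domain, crossed_forest, path = queue.popleft()
        for t in trusts:
            if t.trusted != domain:
                continue
            if t.kind == "external":
                if domain != start:
                    continue                      # accounts from further away are not accepted
                paths.setdefault(t.trusting, path + [t.trusting])
                continue                          # non-transitive: do not expand beyond it
            if t.kind == "forest":
                if crossed_forest:
                    continue                      # forest trusts do not chain
                state = (t.trusting, True)
            else:
                state = (t.trusting, crossed_forest)
            if state in seen:
                continue
            seen.add(state)
            new_path = path + [t.trusting]
            paths.setdefault(t.trusting, new_path)
            queue.append((t.trusting, state[1], new_path))
    return paths


if __name__ == "__main__":
    for target, path in reachable_domains("dev.corp.local", TRUSTS).items():
        print(target, "<-", " -> ".join(path))
```

From dev.corp.local the search reaches corp.local, partner.local and eu.partner.local: the forest trust was configured with corp.local, yet the child domain and every domain of the partner forest are on the path. legacy.local is only reachable from eu.partner.local itself, which is what a non-transitive external trust is supposed to guarantee.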
Detection and Monitoring
Security teams should monitor for unusual cross-forest activity such as:
- Kerberos tickets whose PAC contains SIDs that do not belong to the issuing domain, and events 4765 (SID History was added to an account) and 4766 (an attempt to add SID History failed)
- Event 4769 service ticket requests for krbtgt/<other realm> (referral tickets) from accounts that never normally cross the trust, and 4769 events where an account from the other realm requests tickets to domain controller services
- Trust changes: events 4706 (a new trust was created), 4707 (a trust was removed) and 4716 (trusted domain information was modified), whether made through Active Directory Domains and Trusts or netdom
- Use of attack tooling such as Rubeus, Mimikatz or Impacket modules (process, named-pipe and LDAP query telemetry)
Forwarding these events to a SIEM such as Wazuh, Splunk or Microsoft Sentinel and correlating them across the domain controllers of both forests greatly improves visibility, because a referral request is logged in the trusted forest while the resulting access is logged in the trusting one.
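As an added example of how those rules look once written down, the script below runs them over a handful of constructed Security log records, the way a SIEM rule would see them from a domain controller of the trusting forest. It is not code from the original article; the realm names, accounts and events are constructed, the field names follow the Security log's XML data names only loosely, and the referral allow-list is an assumption.

```python
"""Detection rules for cross-forest trust abuse over constructed Windows
Security event records. Added example; the events and names are constructed."""

LOCAL_REALM = "PARTNER.LOCAL"
# Accounts that legitimately cross the trust (constructed allow-list).
EXPECTED_CROSS_REALM_ACCOUNTS = {"svc-sync"}
# Service name prefixes for domain controller services a foreign account should never need.
DC_SERVICE_PREFIXES = ("ldap/dc", "cifs/dc", "host/dc")
# TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: set on a forest trust once SID history is enabled.
TREAT_AS_EXTERNAL = 0x40

# Constructed sample events, one dict per Security log record.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/fs01.partner.local"},
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.LOCAL", "ServiceName": "ldap/dc01.partner.local"},
    {"EventID": 4769, "TargetUserName": "bob@PARTNER.LOCAL", "ServiceName": "krbtgt/CORP.LOCAL"},
    {"EventID": 4769, "TargetUserName": "svc-sync@PARTNER.LOCAL", "ServiceName": "krbtgt/CORP.LOCAL"},
    {"EventID": 4769, "TargetUserName": "carol@PARTNER.LOCAL", "ServiceName": "http/web01.partner.local"},
    {"EventID": 4716, "SubjectUserName": "jdoe", "DomainName": "CORP.LOCAL", "TdoAttributes": "0x48"},
    {"EventID": 4765, "SubjectUserName": "jdoe", "TargetUserName": "helpdesk1",
     "SidHistory": "S-1-5-21-4444444444-5555555555-6666666666-1105"},
]


def realm_of(account: str) -> str:
    """Realm part of user@REALM, upper-cased; empty if no realm is present."""
    return account.rpartition("@")[2].upper() if "@" in account else ""


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every record that matches a rule."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 4769:
            account, service = e["TargetUserName"], e["ServiceName"].lower()
            user = account.partition("@")[0]
            if service.startswith("krbtgt/") and not service.endswith("/" + LOCAL_REALM.lower()):
                # Referral TGT for another realm: one of our accounts is about to cross the trust.
                if user not in EXPECTED_CROSS_REALM_ACCOUNTS:
                    alerts.append(("unexpected cross-realm referral", f"{account} -> {service}"))
            elif realm_of(account) != LOCAL_REALM and service.startswith(DC_SERVICE_PREFIXES):
                alerts.append(("foreign account requesting DC service ticket", f"{account} -> {service}"))
        elif eid in (4706, 4707, 4716):
            detail = f"{e['SubjectUserName']} changed trust with {e['DomainName']}"
            if eid == 4716 and int(e.get("TdoAttributes", "0"), 16) & TREAT_AS_EXTERNAL:
                detail += " (SID history enabled: TREAT_AS_EXTERNAL set)"
            alerts.append(("trust configuration change", detail))
        elif eid in (4765, 4766):
            alerts.append(("SID history modification",
                           f"{e['SubjectUserName']} on {e['TargetUserName']}: {e['SidHistory']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Ordinary cross-forest file access (alice reading a file server) stays quiet, while the foreign account touching a DC's LDAP service, an unexpected referral, the trust modification that set the TREAT_AS_EXTERNAL bit and the SID history write each raise an alert; the 0x48 value decodes as forest-transitive plus treat-as-external, which is exactly the change that makes technique 1 work.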
Mitigation Strategies
To protect against cross-forest privilege escalation:
- Use selective authentication on forest trusts instead of forest-wide authentication, and grant the Allowed to Authenticate right only on the specific servers the other forest needs.
- Remove forest and external trusts that are no longer needed; every trust is an inbound authentication path.
- Audit SID filtering regularly: keep it forest-aware on forest trusts (never enable SID history on a trust with netdom trust /enablesidhistory:yes), keep quarantine enabled on external trusts, and review the SIDFilteringForestAware, SIDFilteringQuarantined, SelectiveAuthentication and TGTDelegation properties that Get-ADTrust reports for each trust.
- Disable TGT delegation across trusts and remove unconstrained delegation from servers that accept cross-forest authentication.
- Monitor logs for cross-forest Kerberos requests and trust modifications.
- Harden service accounts (long random passwords, group managed service accounts where possible) and restrict who may write delegation attributes such as msDS-AllowedToActOnBehalfOfOtherIdentity.
- Apply least privilege to the groups that foreign principals are placed in; an account from another forest should never be nested into Domain Admins or Enterprise Admins.
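To turn that checklist into something repeatable, the following audit evaluates each trust against the hardening points above. It is an added example and not code from the article; the records are constructed to look like Get-ADTrust output (the property names are the cmdlet's, the values are invented), and the findings reflect the filtering rules described under technique 1.

```python
"""Audit of trust settings against the mitigation checklist, run over
constructed records shaped like Get-ADTrust output. Added example; the
trusts and their property values are constructed."""

from dataclasses import dataclass


@dataclass
class TrustRecord:
    Name: str
    Direction: str                  # "Inbound", "Outbound" or "BiDirectional"
    ForestTransitive: bool          # True for a forest trust
    IntraForest: bool               # True for parent/child and tree-root trusts
    SelectiveAuthentication: bool
    SIDFilteringForestAware: bool   # False on a forest trust once SID history was enabled
    SIDFilteringQuarantined: bool   # quarantine (netdom /quarantine) on external trusts
    TGTDelegation: bool             # TGTs may be forwarded to unconstrained delegation hosts


# Constructed sample set seen from partner.local's point of view.
SAMPLE_TRUSTS = [
    TrustRecord("corp.local", "Outbound", True, False, False, False, False, True),
    TrustRecord("legacy.local", "BiDirectional", False, False, False, False, False, False),
    TrustRecord("eu.partner.local", "BiDirectional", False, True, False, False, False, True),
    TrustRecord("vendor.local", "Outbound", True, False, True, True, False, False),
]


def audit_trust(t: TrustRecord) -> list[str]:
    """Return the findings for one trust; an empty list means it is hardened."""
    findings = []
    if t.IntraForest:
        return findings  # intra-forest trusts can be neither filtered nor made selective
    # "Outbound" from our side means we trust the other domain, i.e. its accounts reach our resources.
    accepts_foreign_accounts = t.Direction in ("Outbound", "BiDirectional")
    if t.ForestTransitive and not t.SIDFilteringForestAware:
        findings.append("SID history enabled on forest trust: foreign SIDs with RID >= 1000 are accepted")
    if not t.ForestTransitive and not t.SIDFilteringQuarantined:
        findings.append("external trust without quarantine: foreign SIDs with RID >= 1000 are accepted")
    if accepts_foreign_accounts and not t.SelectiveAuthentication:
        findings.append("forest-wide authentication: every trusted account may authenticate here")
    if t.TGTDelegation:
        findings.append("TGT delegation allowed: unconstrained delegation hosts across the trust can capture TGTs")
    return findings


def audit_trusts(trusts: list[TrustRecord]) -> dict[str, list[str]]:
    """Audit every trust and key the findings by trust name."""
    return {t.Name: audit_trust(t) for t in trusts}


if __name__ == "__main__":
    for name, findings in audit_trusts(SAMPLE_TRUSTS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

In the sample set the trust to corp.local collects three findings (SID history enabled, forest-wide authentication, TGT delegation), the legacy external trust two, while the intra-forest trust is skipped and the vendor trust, which uses selective authentication with default filtering, passes clean.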
Further Reading and Related Topics
For more in-depth knowledge, we recommend checking out: