The SameForestTrust edge represents a trust relationship between two domains within the same AD forest.
In this relationship, the source node domain has a same-forest (intraforest) trust to the destination node domain, allowing principals (users and computers) from the destination domain to access resources in the source domain. Because the domains are part of the same forest, they inherently trust each other, granting implicit control over resources across domains.
An attacker can spoof the SID history of a principal in the target domain, tricking the target domain into treating the attacker as a privileged user. See the SpoofSIDHistory edge for more information. This attack fails if SID filtering (quarantine) is enabled on the trust relationship in the opposite direction of the attack. SID filtering blocks SIDs belonging to any domain other than the attacker-controlled domain. However, enabling this setting is rare and generally not recommended.
An attacker can coerce a privileged computer (e.g., a DC) in the target domain to authenticate to an attacker-controlled computer configured with unconstrained delegation. This provides the attacker with a Kerberos TGT for the coerced computer. See the CoerceToTGT edge for more information. The attack fails if SID filtering (quarantine) is enabled, as this prevents TGTs from being sent across the trust boundary. Again, this setting is rarely configured.
The Configuration Naming Context (NC) is a forest-wide partition writable by any DC within the forest. Most Active Directory Certificate Services (ADCS) configurations are stored in the Configuration NC. An attacker can abuse a DC to modify ADCS configurations to enable an ADCS domain escalation opportunity that compromises the entire forest.
Attack Steps:
Obtain a SYSTEM session on a DC in the attacker-controlled domain
Create a certificate template allowing ESC1 abuse
Publish the certificate template to an enterprise CA
Enroll the certificate as a privileged user in the target domain
Authenticate as the privileged user in the target domain using the certificate
AD sites are stored in the forest-wide Configuration NC partition, writable by any DC within the forest. An attacker with SYSTEM access to a DC can link a malicious GPO to the site of any DC in the forest.
Step 1: Obtain a SYSTEM session on a DC in the attacker-controlled domain
Use PsExec to start a PowerShell terminal as SYSTEM on the DC:
PsExec64.exe -s -i -accepteula powershell
Step 2: Create a GPO
Use the GroupPolicy module of RSAT to create the new GPO:
New-GPO -Name "MyGPO"
Step 3: Add the compromising setting to the GPO
Use SharpGPOAbuse to add a scheduled task:
Step 5: Set the GPO permissions
This step is important to avoid applying the GPO to all computers connected to the site. Use the GroupPolicy module of RSAT to modify the permissions such that Authenticated Users can read the object but only the targeted computer applies the GPO settings:
Note that you must specify the server to be the DC where you are running the command, as the command defaults to executing the change on a root domain DC, where the compromised DC does not have permission to link the GPO. Wait until replication has happened and the GPO has been applied on the target DC, then log in with Administrators access on the compromised DC. Replication within the same site happens within 15 seconds but runs on a 3-hour schedule by default across sites. GPOs are applied at a 90-120 minute interval by default.
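The two conditions this edge relies on, SID filtering left disabled on intraforest trusts and GPOs linked to AD sites in the Configuration NC, can both be audited from a domain-joined host. The following script is an added defender-side example, not part of the BloodHound documentation; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read the Configuration NC.

```powershell
# Added audit example (not from the original page): report the trust and
# site-link state that the SameForestTrust abuses described above depend on.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Intraforest trusts and whether SID filtering (quarantine) is enabled.
#    SIDFilteringQuarantined is normally $false on same-forest trusts, which is
#    what makes the SID history and TGT coercion abuses possible.
Get-ADTrust -Filter * |
    Where-Object { $_.IntraForest } |
    Select-Object Name, Direction, SIDFilteringQuarantined, TGTDelegation |
    Format-Table -AutoSize

# 2. GPOs linked to AD sites. Site objects live under CN=Sites in the
#    Configuration NC; gPLink holds entries like
#    [LDAP://cn={GUID},cn=policies,cn=system,DC=child,DC=corp,DC=local;<flags>]
#    where flag bit 1 = link disabled and bit 2 = enforced.
$configNC = (Get-ADRootDSE).configurationNamingContext
$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=site)' -Properties gPLink, whenChanged

$linkPattern = '\[LDAP://cn=\{([0-9a-fA-F-]+)\},cn=policies,cn=system,([^;]+);(\d+)\]'

foreach ($site in $sites) {
    if (-not $site.gPLink) { continue }   # most sites have no linked GPO at all
    $links = [regex]::Matches($site.gPLink, $linkPattern, 'IgnoreCase')
    foreach ($link in $links) {
        $guid  = $link.Groups[1].Value
        $flags = [int]$link.Groups[3].Value
        # Turn "DC=child,DC=corp,DC=local" into "child.corp.local" so the GPO can
        # be resolved in the domain that actually holds it (may differ from ours).
        $gpoDomain = ($link.Groups[2].Value -split ',' |
            ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
        $gpo = Get-GPO -Guid $guid -Domain $gpoDomain -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Site        = $site.Name
            GpoName     = if ($gpo) { $gpo.DisplayName } else { '<unresolved>' }
            GpoDomain   = $gpoDomain
            Enforced    = ($flags -band 2) -ne 0
            LinkDisabled= ($flags -band 1) -ne 0
            SiteChanged = $site.whenChanged   # recent change on a site object is worth a look
        }
    }
}
```

Any site-linked GPO whose owning domain is not the forest root, or whose site object changed recently, is a candidate for the Step 2 to Step 5 procedure above and should be reviewed against change records.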