7.6 - Across Trusts
Privilege Escalation Across Trusts
Trusts Between Domains and Forests
In Active Directory environments, trust relationships determine how authentication requests are handled across domain or forest boundaries.
Inter-Domain Trusts (Same Forest): By default, domains within the same forest have an implicit, bidirectional trust. This allows users in one domain to access resources in another, subject to appropriate permissions.
Inter-Forest Trusts: Trust relationships between separate forests must be explicitly created. These trusts can be one-way or two-way and are necessary for cross-forest authentication and resource access.
Escalating Privileges to Enterprise Admins
Using sIDHistory for Privilege Escalation
The sIDHistory attribute stores previous SIDs for a user account, typically used during domain migrations to preserve access rights. This mechanism can be abused to escalate privileges across domains or forests by injecting the SID of a high-privilege group (e.g., Enterprise Admins).
There are two main methods for exploiting this:
Using the krbtgt Hash from the Child Domain
Forging Trust Tickets (Inter-Realm TGTs)
Method 1: Forging Trust Tickets
To forge inter-realm TGTs (trust tickets), the attacker needs access to the inter-domain trust key (the shared secret used between the child and parent domains).
Retrieving the Trust Key
The trust key can be obtained from the child domain controller using:
Alternatively, it can be retrieved using DCSync or LSA secrets:
Forging the Ticket with Rubeus
Then, use the forged TGT to request service tickets:
Rubeus Silver Ticket Options (Summary)
/rc4: NTLM hash of the trust key
/sid: SID of the child domain
/sids: SID of the Enterprise Admins group (from the parent domain)
/user: Username to impersonate
/ldap: Pull PAC data via LDAP
/nowrap: Output formatting option
Method 2: Forging Golden Tickets with krbtgt Hash
This method is simpler and does not require trust ticket generation. Instead, it uses the krbtgt hash of the child domain to forge a normal Golden Ticket and adds the SID of the Enterprise Admins group from the parent domain to the sIDHistory.
Example (using SafetyKatz)
This works because the parent domain trusts the child’s tickets due to the established trust relationship.
Bypassing Detection (MDI, Logging)
To evade suspicious logs and Microsoft Defender for Identity (MDI), impersonate a domain controller:
Use DCSync to extract the parent domain’s krbtgt hash:
Relevant SIDs:
S-1-5-21-...-516: Domain Controllers group
S-1-5-9: Enterprise Domain Controllers group
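A defender-side check for the sIDHistory abuse described above and the privileged SIDs just listed (an added example, not part of the original page): it parses each account's sIDHistory and flags entries that point at privileged well-known RIDs of another domain, such as the parent domain's Enterprise Admins (RID 519), or at S-1-5-9. The record layout and all domain SIDs are constructed assumptions.

```python
# Added defensive example (not from the original page): audit sIDHistory for
# SIDs that resolve to privileged well-known RIDs of another domain, e.g. the
# parent domain's Enterprise Admins (RID 519), or to S-1-5-9. Sample records
# below are constructed, not a real directory export.
import re

PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_WELL_KNOWN = {"S-1-5-9": "Enterprise Domain Controllers"}
# Domain SID layout: S-1-5-21-<a>-<b>-<c>-<RID>; capture the RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) otherwise."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return sid[: sid.rfind("-")], int(m.group(1))


def audit_sid_history(records):
    """Return (sAMAccountName, sid, reason) for every suspicious sIDHistory entry."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        own_domain, _ = split_sid(rec["objectSid"])
        for hist in rec.get("sIDHistory", []):
            if hist in PRIVILEGED_WELL_KNOWN:
                findings.append((name, hist, PRIVILEGED_WELL_KNOWN[hist]))
                continue
            dom, rid = split_sid(hist)
            if dom is None:
                findings.append((name, hist, "unparseable SID"))
            elif rid in PRIVILEGED_RIDS:
                where = "same domain" if dom == own_domain else "foreign domain"
                findings.append((name, hist, f"{PRIVILEGED_RIDS[rid]} ({where})"))
    return findings

# Constructed sample: child domain S-1-5-21-1111-2222-3333, parent S-1-5-21-4444-5555-6666.
SAMPLE_RECORDS = [
    {"sAMAccountName": "migrated.user", "objectSid": "S-1-5-21-1111-2222-3333-1105",
     "sIDHistory": ["S-1-5-21-7777-8888-9999-1105"]},  # benign: ordinary RID from the old domain
    {"sAMAccountName": "svc.backup", "objectSid": "S-1-5-21-1111-2222-3333-1200",
     "sIDHistory": ["S-1-5-21-4444-5555-6666-519", "S-1-5-9"]},  # parent EA SID plus EDC SID
]

if __name__ == "__main__":
    for name, sid, reason in audit_sid_history(SAMPLE_RECORDS):
        print(f"{name}: {sid} -> {reason}")
```

A forged ticket carries the injected SID only in its PAC, so this audit catches persistence written into the directory, not the ticket itself; for the ticket path the control is SID filtering on the trust plus monitoring of logon and ticket events.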
Using Rubeus for Golden Ticket Forgery
Using Rubeus Diamond Ticket to Bypass MDI
Diamond tickets are specially crafted Golden Tickets designed to evade detection mechanisms.
Use DCSync to extract the parent krbtgt hash if not already done: