Not A Security Boundary: Breaking Forest Trusts

For years, Microsoft has stated that the forest is the security boundary in Active Directory. Many organizations have built their Active Directory trust architectures with this in mind, trusting that the compromise of one forest cannot be leveraged to compromise a foreign forest. However, we have discovered that this is not the case. The forest is no longer a security boundary.

By combining a legacy printer protocol “feature” with several architectural flaws in Active Directory, the compromise of one forest can be leveraged to compromise a foreign forest and all resources within it. We will deep dive into the architectural components that enable this trust violation, demonstrate a fully weaponized attack with available tools, and provide complete mitigation/detection guidance.

Who We Are (3 minutes)

We’re both red teamers and offensive engineers at SpecterOps with years of experience in offensive security, security research, and tool engineering. We have spent the past several years assessing and researching Active Directory deployments.

Kerberos in 5 minutes (5 minutes)

A crash course in the Kerberos protocol, covering the basic knowledge needed to understand the weaponized components that follow. This will include an overview of unconstrained delegation, one of the ingredients for the forest trust boundary break.

Trusts (7 minutes)

A crash course in Active Directory trusts, covering the variety of trust types and traditional offensive attack strategies against domain trusts. We will cover why the forest has traditionally been considered the trust boundary, including coverage of technologies such as SID filtering.

The “printer bug” (10 minutes)

Detailed coverage of the MS-RPRN legacy printer protocol’s “feature” that allows any domain user to force arbitrary domain machines to authenticate to attacker-selected targets. This is the other ingredient for the forest trust boundary break.

Breaking the Forest Trust Boundary (5 minutes)

We will cover how unconstrained delegation, the treatment of delegation TGTs across forest trusts, and the printer bug all combine to break the security boundary promise of Active Directory forests.

Demonstration (5 minutes)

A detailed walkthrough demonstration of combining this series of Active Directory flaws to break the forest trust boundary. The demo will use public toolsets to leverage the compromise of one forest to fully compromise a foreign forest.

Mitigations (5 minutes)

We will discuss selective authentication, the disabling of TGT delegation across the trust, and the disabling of the Spooler service.
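The three mitigations listed above can be audited from a domain-joined administrative host. The following PowerShell is an added example written for this page; it is not part of the talk or of the speakers' tooling. It assumes the RSAT ActiveDirectory module, Windows PowerShell 5.1 (so that Get-Service accepts -ComputerName), and a context with read access to the domain. The function name Get-ForestTrustMitigationReport is made up for this example.

```powershell
# Added example (not from the talk): audit the state of the three mitigations
# discussed above. Assumes the RSAT ActiveDirectory module and Windows PowerShell 5.1.
Import-Module ActiveDirectory

function Get-ForestTrustMitigationReport {
    [CmdletBinding()]
    param(
        # Hosts whose Spooler service state should be checked. Domain controllers are
        # the critical set: a DC running the Spooler can be coerced to authenticate out.
        [string[]]$SpoolerHosts = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
    )

    # 1. Accounts configured for unconstrained delegation (userAccountControl bit
    #    TRUSTED_FOR_DELEGATION). Domain controllers always carry this flag, so they
    #    are excluded; any other host in this list can capture forwarded TGTs.
    $unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
                         -Properties TrustedForDelegation, OperatingSystem |
                     Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
                     Select-Object Name, OperatingSystem, DistinguishedName

    # 2. Per-trust settings. SelectiveAuthentication and TGTDelegation are properties
    #    of the ADTrust object returned by Get-ADTrust. A forest trust is in the
    #    desired state when SelectiveAuthentication is $true and/or TGTDelegation is $false.
    $trusts = Get-ADTrust -Filter * |
              Select-Object Name, Direction, ForestTransitive,
                            SelectiveAuthentication, TGTDelegation, SIDFilteringForestAware

    # 3. Spooler service state on the requested hosts. Unreachable hosts are reported
    #    rather than silently skipped, so the audit is never falsely "clean".
    $spooler = foreach ($h in $SpoolerHosts) {
        try {
            $svc = Get-Service -ComputerName $h -Name Spooler -ErrorAction Stop
            [PSCustomObject]@{ Host = $h; SpoolerStatus = $svc.Status; StartType = $svc.StartType }
        } catch {
            [PSCustomObject]@{ Host = $h; SpoolerStatus = 'UNREACHABLE'; StartType = $null }
        }
    }

    [PSCustomObject]@{
        UnconstrainedDelegationHosts = $unconstrained
        Trusts                       = $trusts
        SpoolerState                 = $spooler
    }
}

# Usage: run on a domain-joined admin host and review each section.
$report = Get-ForestTrustMitigationReport
$report.UnconstrainedDelegationHosts | Format-Table -AutoSize
$report.Trusts                       | Format-Table -AutoSize
$report.SpoolerState                 | Format-Table -AutoSize

# Remediation reference (run deliberately, per host/trust, after review):
#   Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /EnableTGTDelegation:No
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /SelectiveAuth:Yes
```

Each finding maps to one of the mitigations: non-DC hosts with unconstrained delegation are candidates for constrained or resource-based delegation instead; trusts where TGTDelegation is true and SelectiveAuthentication is false still forward delegation TGTs across the boundary; and a running Spooler on a domain controller is the coercion surface the printer bug relies on.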

Detections (5 minutes)

We will dive into event log artifacts and general detection strategies for this particular attack scenario.

Questions (5 minutes)

About the Speakers