Not A Security Boundary: Breaking Forest Trusts
For years, Microsoft has stated that the forest is the security boundary in Active Directory. Many organizations have built their Active Directory trust architectures with this in mind, trusting that the compromise of one forest cannot be leveraged to compromise a foreign forest. However, we have discovered that this is not the case. The forest is no longer a security boundary.
By combining a legacy printer protocol “feature” with several architectural flaws in Active Directory, the compromise of one forest can be leveraged to compromise a foreign forest and all resources within it. We will dive deep into the architectural components that enable this trust violation, demonstrate a fully weaponized attack with available tools, and provide complete mitigation and detection guidance.