Breaking Boundaries: Unraveling AD Cross-Forest Attack Paths

Microsoft asserts that the Active Directory (AD) forest is a security boundary, implying that cross-forest trusts do not grant administrative control over another forest; however, misconfigurations and permission delegations can erode this boundary, exposing hidden attack paths. In this talk, we will uncover how to identify and abuse these attack paths across AD forests.

Microsoft designed AD cross-forest trusts (forest or external) to provide controlled access, but these trusts often introduce unintended security risks. This talk will dissect what access these trusts actually grant and how permission delegations can create abusable attack paths between forests.

We will explore publicly known cross-forest attack techniques, refine their prerequisites, and showcase reliable execution methods leveraging modern tools and research. Additionally, we will unveil a new attack technique—and a corresponding tool—that Microsoft has yet to determine whether to patch. This tool will be publicly released alongside the talk.

We will also explore how attack paths can emerge between forests even when no AD trust relationship exists.

Finally, we’ll demonstrate how the latest features in BloodHound Community Edition empower security practitioners to audit and visualize cross-forest attack paths more effectively.

About the Speaker