Enumerate Forest Trusts
Cross-Forest Enumeration
Users in Foreign Domain
Foreign Group Membership
BloodHound
Collect data from both forests. Analyze cross-forest edges.SID Filtering Bypass (Limited)
Across a forest trust, SID filtering strips every SID with a RID below 1000 (500, 512, 513, 518, 519, 520, …), regardless of SID history.What Still Works
SIDs not filtered across forests:- Custom group/user SIDs with RID ≥ 1000 from the trusted forest
- Note: Domain Users (RID 513) is below 1000 and is filtered, despite being a default group
Check Filtering Status
Trust Account Attack
Get Foreign Trust Account
Forge Trust Ticket
Shared Resources Abuse
If foreign forest resources are accessible:ADCS Cross-Forest
If ADCS in target forest trusts your domain:PAM Trust (Bastion Forest)
Privileged Access Management trust allows shadow principals in bastion forest to map to principals in production forest.Quick Reference
| Task | Command |
|---|---|
| Enum trusts | Get-ADTrust -Filter * |
| Foreign members | Get-DomainForeignGroupMember |
| Trust account | secretsdump -just-dc-user 'FOREST$' |
| SID filtering | Blocks privileged SIDs across forests |
| Shared resources | crackmapexec smb HOSTS -u user -p pass --shares |