2025-06-25, Track 2 (AD & Entra ID Sec)
Microsoft asserts that the Active Directory (AD) forest is a security boundary, implying that cross-forest trusts do not grant administrative control over another forest; however, misconfigurations and permission delegations can erode this boundary, exposing hidden attack paths. In this talk, we will uncover how to identify and abuse these attack paths across AD forests.
Microsoft designed AD cross-forest trusts (forest or external) to provide controlled access, but these trusts often introduce unintended security risks. This talk will dissect what access these trusts actually grant and how permission delegations can create abusable attack paths between forests.
We will explore publicly known cross-forest attack techniques, refine their prerequisites, and showcase reliable execution methods leveraging modern tools and research. Additionally, we will unveil a new attack technique—and a corresponding tool—that Microsoft has yet to determine whether to patch. This tool will be publicly released alongside the talk.
We will also explore how attack paths can emerge across forests even in the absence of AD trust relationships.
Finally, we’ll demonstrate how the latest features in BloodHound Community Edition empower security practitioners to audit and visualize cross-forest attack paths more effectively.
My name is Jonas, and I am working as a Product Architect at SpecterOps. I enjoy writing ugly code to solve real and imaginary technical problems in the offensive and defensive security space. In my daily tasks, I investigate attack vectors to determine how they can be implemented in BloodHound.
I have a background as a security consultant working with customers to harden their AD and Windows infrastructure, and I have practical experience fixing and breaking customer environments with security measures such as AD tiering, Protected Users, IPsec, and disabling NTLM.