Cross-trust attack: child → parent forest via SID History
Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust.
§ Context
Assumed environment: attacker is Domain Admin in a child domain. Parent trust is intra-forest (transitive) and SID filtering is not enforced (typical for parent-child in the same forest).
§ Steps
- 01 Child Domain Admin (Initial Access; T1078 Valid Accounts)
- 02 Request TGS in parent (Credential Access; T1558 Steal or Forge Kerberos Tickets)
  Asktgs against parent KDC using the forged inter-realm ticket.
- 03
- 04 Forge inter-realm TGT with SID History (Credential Access; T1558.001 Golden Ticket)
  mimikatz kerberos::golden /sids:S-1-5-21-<root>-519 /service:krbtgt /target:<parent>
- 05 DCSync on parent DC (Credential Access; T1003.006 DCSync)
- 06 DCSync child krbtgt (Credential Access; T1003.006 DCSync)
§ References
- T1078 Valid Accounts
- T1558 Steal or Forge Kerberos Tickets
- T1482 Domain Trust Discovery
- T1558.001 Golden Ticket
- T1003.006 DCSync
§ Frequently asked
- What is the "Cross-trust attack: child → parent forest via SID History" attack path?
- Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Child Domain Admin (T1078), an initial access primitive. Assumed environment: the attacker is Domain Admin in a child domain.
- What is the final impact of this kill-chain?
- The final step lands on DCSync child krbtgt (T1003.006), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References"; every technique page there lists defensive controls, detection telemetry, and known threat-actor usage.
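Added example (not part of this dossier): a Python check over constructed, simplified event 4627 (Group Membership Information) records that flags any logon asserting the forest root's Enterprise Admins SID (RID 519) while the account is absent from the directory's real member list, which is how a child-domain account carrying an injected SID History surfaces on a parent DC. The domain names, SIDs, sample records and the member allowlist are all constructed.

```python
"""Flag logons whose token asserts the forest root's Enterprise Admins SID.

Constructed example: records are simplified from Windows Security event 4627
(Group Membership Information), which lists every group SID in the logon token.
A child-domain account that carries the root domain's -519 SID without being a
real member of Enterprise Admins is the footprint of an injected SID History.
"""
import re

# Constructed values: root domain SID and the accounts the directory actually
# lists as Enterprise Admins (the allowlist the token contents are compared to).
ROOT_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ENTERPRISE_ADMINS_SID = ROOT_DOMAIN_SID + "-519"
KNOWN_EA_MEMBERS = {"CORP\\Administrator", "CHILD\\ea-svc"}

# Constructed 4627-style records: field names follow the event, values are made up.
SAMPLE_EVENTS = """\
EventID: 4627 | Account Name: jdoe | Account Domain: CHILD | Group Membership: S-1-5-21-4444444444-5555555555-6666666666-513 S-1-5-21-1111111111-2222222222-3333333333-519
EventID: 4627 | Account Name: ea-svc | Account Domain: CHILD | Group Membership: S-1-5-21-4444444444-5555555555-6666666666-513 S-1-5-21-1111111111-2222222222-3333333333-519
EventID: 4627 | Account Name: Administrator | Account Domain: CORP | Group Membership: S-1-5-21-1111111111-2222222222-3333333333-512 S-1-5-21-1111111111-2222222222-3333333333-519
EventID: 4627 | Account Name: asmith | Account Domain: CHILD | Group Membership: S-1-5-21-4444444444-5555555555-6666666666-513
"""

FIELD = re.compile(r"(Account Name|Account Domain|Group Membership): ([^|]+)")

def parse_4627(line):
    """Return (domain, user, group SIDs) for a 4627 record, or None for other events."""
    if "EventID: 4627" not in line:
        return None
    fields = {key: value.strip() for key, value in FIELD.findall(line)}
    groups = set(fields.get("Group Membership", "").split())
    return fields["Account Domain"], fields["Account Name"], groups

def flag_sid_history_abuse(events, allowlist=KNOWN_EA_MEMBERS):
    """Return DOMAIN\\user for each logon asserting Enterprise Admins without membership.

    Membership is checked against the directory-derived allowlist, not the token,
    because a forged ticket controls what the token claims.
    """
    hits = []
    for line in events.splitlines():
        parsed = parse_4627(line)
        if parsed is None:
            continue
        domain, user, groups = parsed
        principal = f"{domain}\\{user}"
        if ENTERPRISE_ADMINS_SID in groups and principal not in allowlist:
            hits.append(principal)
    return hits
```

Running `flag_sid_history_abuse(SAMPLE_EVENTS)` on the constructed records returns only `CHILD\jdoe`; the allowlist should be rebuilt from the directory on each run so a stale list does not mask a genuine member or flag one.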
§ Related dossiers
- Shared techniques: 3
noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
- Shared techniques: 2
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- Shared techniques: 2
ZeroLogon (CVE-2020-1472) → Domain takeover
Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
- Shared techniques: 2
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- Shared techniques: 2
ADCS ESC1 → Domain Admin
A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- Shared techniques: 2
GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.