Performing Active Directory Forest Trust Attack

Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust key extraction, cross-forest SID history abuse detection, and inter-realm Kerberos ticket assessment.

Overview

Active Directory forest trusts enable authentication across organizational boundaries but introduce attack surface if misconfigured. This skill uses impacket to enumerate trust relationships, analyze SID filtering configuration, detect SID history abuse vectors, perform cross-forest SID lookups via LSA/LSAT RPC calls, and assess inter-realm Kerberos ticket configurations for trust ticket forgery risks.

Prerequisites

  • Python 3.9+ with impacket, ldap3
  • Domain credentials with read access to AD trust objects
  • Network access to Domain Controllers (ports 389, 445, 88)
  • Authorized penetration testing engagement or lab environment

Steps

  1. Enumerate forest trust relationships via LDAP trusted domain objects
  2. Query trust attributes and SID filtering status for each trust
  3. Perform SID lookups across trust boundaries using LsarLookupNames3
  4. Enumerate foreign security principals in trusted domains
  5. Check for SID history on cross-forest accounts
  6. Assess trust direction and transitivity for lateral movement paths
  7. Generate trust security audit report with risk findings
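
An added example, not part of this skill's own code, showing how steps 2, 6 and 7 can be evaluated offline once the trusted domain objects are retrieved: it decodes the `trustAttributes` and `trustDirection` values defined in MS-ADTS and emits a JSON report. The sample entries are constructed, and the risk labels and report layout are assumptions of this example.

```python
import json

# trustAttributes bit flags from MS-ADTS (trustedDomain objects).
NON_TRANSITIVE, QUARANTINED, FOREST_TRANSITIVE = 0x1, 0x4, 0x8
WITHIN_FOREST, TREAT_AS_EXTERNAL = 0x20, 0x40
DIRECTIONS = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

def assess_trust(entry):
    """Decode one trustedDomain entry; the risk labels are this example's own."""
    attrs, direction = int(entry["trustAttributes"]), int(entry["trustDirection"])
    if attrs & WITHIN_FOREST:
        kind, filtering, risk = "intra-forest", "not applicable", "info"
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
        if attrs & TREAT_AS_EXTERNAL:
            filtering, risk = "relaxed to external-trust level", "high"
        else:
            filtering, risk = "forest SID filtering", "low"
    else:
        kind = "external"
        if attrs & QUARANTINED:
            filtering, risk = "quarantined", "low"
        else:
            filtering, risk = "disabled", "high"
    # Weak filtering endangers the trusting side, which is this domain only
    # when the trust is outbound (bit 0x2 of trustDirection).
    if risk == "high" and not direction & 0x2:
        risk = "medium"
    return {
        "partner": entry["trustPartner"], "type": kind,
        "direction": DIRECTIONS.get(direction, "unknown"),
        "transitive": kind != "external" and not attrs & NON_TRANSITIVE,
        "sid_filtering": filtering, "risk": risk,
    }

def audit(entries):
    """Return the report as JSON, highest-risk trusts first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings = sorted(map(assess_trust, entries), key=lambda f: order[f["risk"]])
    return json.dumps({"trusts": findings}, indent=2)

# Constructed sample entries (not from a real directory).
SAMPLE = [
    {"trustPartner": "partner.example", "trustAttributes": 0x8, "trustDirection": 3},
    {"trustPartner": "legacy.example", "trustAttributes": 0x48, "trustDirection": 2},
    {"trustPartner": "vendor.example", "trustAttributes": 0x0, "trustDirection": 1},
    {"trustPartner": "emea.corp.example", "trustAttributes": 0x20, "trustDirection": 3},
]
```

In a live audit the entries would come from an LDAP search for `(objectClass=trustedDomain)` under the domain's System container; `print(audit(SAMPLE))` shows the report for the constructed data.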

Expected Output

  • JSON report listing all trust relationships, SID filtering status, foreign principals, trust direction/transitivity, and risk assessment
  • Cross-forest attack path analysis with remediation recommendations

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
  • ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
  • NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
  • NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add performing-active-directory-forest-trust-attack

# Or load dynamically via MCP
grc.load_skill("performing-active-directory-forest-trust-attack")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.
