Kerberoasting and ASREPRoasting can be performed across trusts, depending on the trust direction.
This is useful when you cannot escalate privileges in the current domain but can obtain a Kerberos ticket and crack a hash for an admin user in another domain who has Domain/Enterprise Admin privileges in both domains.
We'll run into situations where there is a bidirectional forest trust managed by admins from the same company.
If we can take over Domain A and obtain the password or NT hash for the built-in admin or an Enterprise/Domain Admin in Domain A, and Domain B has a high-privilege account with the same name, then we can check for password reuse.
E.g.: Domain A has a user named adm_bob.smith in the Domain Admins group, and Domain B has a user named bsmith_admin.
If we own Domain A and the same password is used, we can get full admin rights to Domain B.
We may see users/admins from Domain A as members of groups in Domain B.
Domain Local Groups allow security principals from outside their forest.
We may see a Domain Admin or Enterprise Admin from Domain A as a member of the built-in Administrators group in Domain B in a bidirectional forest trust relationship.
We successfully authenticated to the Domain Controller in the FREIGHTLOGISTICS.LOCAL domain using the Administrator account from the INLANEFREIGHT.LOCAL domain across the bidirectional forest trust.
SID History Abuse - Cross Forest
SID history can also be abused across a forest trust.
If a user is migrated from one forest to another and SID Filtering is not enabled, we can add a SID from the other forest, and this SID will be added to the user's token when authenticating across the trust.
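
A defender-side audit of two conditions from these notes: Domain A principals sitting in Domain B's groups, and a trust on which SID filtering is relaxed. This is an added example, not part of the original notes. The SIDs and group contents are constructed, the function names are hypothetical, and the flag values are the trustAttributes bits documented in MS-ADTS, read in a simplified way.

```python
# Added example: offline audit of data exported from Domain B (the trusting side).
# All SIDs and group contents below are constructed sample data.

# trustAttributes bits from MS-ADTS (trustedDomain object)
QUARANTINED_DOMAIN = 0x04  # SID filtering (quarantine) enabled on an external trust
FOREST_TRANSITIVE = 0x08   # the trust is a forest trust
TREAT_AS_EXTERNAL = 0x40   # forest trust filtered only as loosely as an external trust

PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}

def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def sid_filtering_relaxed(trust_attributes):
    """Simplified reading of the flags: True when SID history can cross the trust."""
    if trust_attributes & FOREST_TRANSITIVE:
        return bool(trust_attributes & TREAT_AS_EXTERNAL)
    return not (trust_attributes & QUARANTINED_DOMAIN)

def foreign_members(local_domain_sid, groups):
    """Return (group, SID, label) for members whose SID belongs to another domain."""
    findings = []
    for group, member_sids in groups.items():
        for sid in member_sids:
            if not sid.startswith("S-1-5-21-"):  # well-known SIDs have no domain part
                continue
            domain, rid = split_sid(sid)
            if domain != local_domain_sid:
                label = PRIVILEGED_RIDS.get(rid, "foreign principal")
                findings.append((group, sid, label))
    return findings

DOMAIN_A = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed
DOMAIN_B = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE_GROUPS = {
    "Administrators": [DOMAIN_B + "-500", DOMAIN_B + "-512", DOMAIN_A + "-500"],
    "Users": ["S-1-5-11", DOMAIN_B + "-513"],
    "Remote Desktop Users": [DOMAIN_A + "-1105"],
}

if __name__ == "__main__":
    for finding in foreign_members(DOMAIN_B, SAMPLE_GROUPS):
        print("foreign member:", finding)
    for attrs in (0x08, 0x48, 0x04):
        print(hex(attrs), "SID filtering relaxed:", sid_filtering_relaxed(attrs))
```

A Domain A SID with RID 500, 512 or 519 in Domain B's built-in Administrators group means that compromising Domain A also gives administrative access to Domain B, so those findings deserve review first.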