The types of attacks can happen:

• Across Domains - Implicit two-way trust relationship (child-parent).
• Across Forests - Trust relationship needs to be established.

Across Domains

Domain Admin → Enterprise Admin – Child to Parent with trust key

SIDHistory is a user attribute designed for scenarios where a user is moved from one domain to another. When a user's domain is changed, they get a new SID and the old SID is added to SIDHistory, so that the user can access resources from the old domain at any time.

The same mechanism is put in place for the group.

Example: User dzooland is moved from source domain to target domain, it is assigned a new SID inherent to the new domain, but its old SID is written in the attribute SIDHistory .

If the user needs to access resources in the old domain through the ACM he will use the SIDHistory:

Domains in same forest have an implicit two-way trust with other domains. There is a trust key between the parent and child domains.

There are two ways of escalating privileges between two domains of same forest:

• trust tickets (allows only creation of TGS for specific services in the parent domain)
• krbtgt hash/AES key of the child domain (allows DCSync → BECOME ENTERPRISE ADMIN IN THE PARENT DOMAIN) this is more powerful!

When the client requests the TGS from the Child Domain DC for the Application Server that is in the Parent Domain (step 3), the Child Domain DC will issue it a special Inter-Realm TGT (step 4) to present to the Parent Domain DC later on (step 5).