Active Directory (AD) remains a critical backbone of IT infrastructure, streamlining identity management, authentication, and authorization across enterprises. Yet, due to its inherently interconnected nature, a compromise in one domain—no matter how small—can quickly spiral into a complete takeover of the entire forest.
When one child domain in a larger AD forest is compromised, attackers can leverage the forest's built-in trust relationships to escalate privileges and gain full control of the entire Active Directory forest. This underscores the importance of rapid threat detection and comprehensive monitoring that can quickly identify anomalies, such as unexpected modifications to an account's SID-History or suspicious lateral movement across domains.
How an Attacker Escalates from Domain to Forest Privilege
When an attacker successfully compromises a child domain within a larger forest, there are three primary escalation paths they leverage to gain full administrative control of the parent domain—and subsequently the entire forest:
1. Stealing Parent Domain Admin Credentials: It's quite common for a domain admin or enterprise admin from the parent domain (often the forest root domain) to log into servers or workstations within child domains for administrative tasks or troubleshooting. If the attacker already controls a compromised child domain, they can monitor and intercept these privileged sessions.
Using credential extraction tools such as Mimikatz [1], attackers can capture the credentials or authentication tokens left behind on those servers. Once they have obtained the credentials of a parent domain administrator, attackers elevate their access from the child domain to the forest root domain, effectively gaining full administrative control.
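The detection side of this scenario is a logon-event check: a Tier 0 account from the forest root should never perform a credential-caching logon (interactive, RDP or cached interactive) on a host that lives in a child domain. The following is an added example, not code from the original post or from Rubrik. The log lines are constructed; their field names follow the Windows 4624 logon event (TargetDomainName, TargetUserName, LogonType), while ComputerDomain is a field this example assumes the log pipeline has derived from the host's FQDN. The domain and account names are assumptions.

```python
"""Spot forest-root admin logons onto child-domain hosts (added example, constructed data)."""
from __future__ import annotations

# Assumed names for this example.
ROOT_DOMAIN = "CORP"                                 # forest root NetBIOS name
PRIVILEGED_ROOT_ACCOUNTS = {"ea-admin", "da-root"}   # Tier 0 accounts that live in the root

# Logon types that leave reusable credential material on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed sample lines, one event per line, key=value fields.
SAMPLE_LOG = """\
EventID=4624 Computer=DC01.corp.example ComputerDomain=CORP TargetDomainName=CORP TargetUserName=ea-admin LogonType=2
EventID=4624 Computer=FS01.emea.corp.example ComputerDomain=EMEA TargetDomainName=CORP TargetUserName=ea-admin LogonType=10
EventID=4624 Computer=FS01.emea.corp.example ComputerDomain=EMEA TargetDomainName=CORP TargetUserName=da-root LogonType=3
EventID=4624 Computer=WS07.emea.corp.example ComputerDomain=EMEA TargetDomainName=EMEA TargetUserName=helpdesk1 LogonType=2
EventID=4625 Computer=WS07.emea.corp.example ComputerDomain=EMEA TargetDomainName=CORP TargetUserName=ea-admin LogonType=2
"""


def parse_event(line: str) -> dict[str, str]:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_exposed_tier0_logon(ev: dict[str, str]) -> bool:
    """True when a root-domain privileged account cached credentials on a host outside the root domain."""
    if ev.get("EventID") != "4624":                       # successful logons only
        return False
    if ev["TargetDomainName"].upper() != ROOT_DOMAIN:     # account must belong to the forest root
        return False
    if ev["TargetUserName"].lower() not in PRIVILEGED_ROOT_ACCOUNTS:
        return False
    if int(ev["LogonType"]) not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return False                                      # network logons (type 3) leave nothing reusable
    return ev["ComputerDomain"].upper() != ROOT_DOMAIN    # and the host is outside the root domain


def find_exposed_logons(log_text: str) -> list[tuple[str, str]]:
    """Return (account, host) pairs that deserve an alert."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_exposed_tier0_logon(ev):
            hits.append((ev["TargetUserName"], ev["Computer"]))
    return hits


if __name__ == "__main__":
    for account, host in find_exposed_logons(SAMPLE_LOG):
        print(f"ALERT: root admin {account} left credentials on child-domain host {host}")
```

Only the RDP logon by ea-admin onto FS01 in the EMEA child domain is reported: the logon onto the root DC is in scope for that account, the type 3 network logon by da-root caches nothing, and the failed 4625 is ignored. The same rule, enforced preventively through logon restrictions on Tier 0 accounts, removes the exposure the text describes.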
2. The Dangerous SID-History Attack (The Most Common Escalation Path): One particularly potent and frequently exploited attack method is the manipulation of the Active Directory attribute known as SID-History [2]. In practice, this attribute provides backward compatibility when migrating or merging user accounts across domains. Unfortunately, it also opens up the possibility of privilege escalation from a compromised domain. Here's how attackers exploit this:
First, they compromise the child domain and establish administrative control.
Then, they create a new user account or modify an existing one in the compromised child domain.
Leveraging their administrative privileges, they populate this account's SID-History attribute with the SID (Security Identifier) of a privileged group from the parent domain—for example, the Enterprise Admins group of the forest root domain. This is trivial to compute, because the SID of this group always follows the format S-1-5-21-<root-domain>-519, where <root-domain> is the domain identifier portion of the forest root domain's SID.
Because domains within the same forest trust each other implicitly, and SID filtering is not applied to those internal trusts by default, the parent domain honors the injected SID. From there, the attacker has immediate, fully privileged access across the entire forest. Because the legitimacy of SID-History entries is seldom scrutinized by default monitoring tools and processes, attackers commonly turn to this technique for rapid escalation.
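The scrutiny the text says is usually missing is straightforward to script: every SID-History entry names a source domain and a RID, and an entry should never carry a privileged RID (512 Domain Admins, 519 Enterprise Admins, and so on) or point at a domain that is still live in the forest, since legitimate migrations bring SIDs from domains that have been retired. The audit below is an added example, not code from the original post or from Rubrik. The domain SIDs and account names are constructed; the RID-to-group mapping uses the well-known relative identifiers of the built-in domain groups.

```python
"""Audit SID-History entries for privileged RIDs or live forest domains (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

# Well-known RIDs that must never appear in a SID-History entry.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed domain SIDs for this example.
ROOT_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # forest root
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # compromised child domain
LEGACY_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # decommissioned source of an old migration
LIVE_FOREST_DOMAINS = {ROOT_SID, CHILD_SID}


def split_sid(sid: str) -> tuple[str, int]:
    """Split S-1-5-21-<a>-<b>-<c>-<rid> into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    domain_sid: str                       # SID of the domain the account lives in
    sid_history: tuple[str, ...] = ()     # the account's sIDHistory values


def audit_sid_history(accounts, live_domains):
    """Return (account, history entry, reason) for every entry that should not exist."""
    findings = []
    for acct in accounts:
        for entry in acct.sid_history:
            domain, rid = split_sid(entry)
            reasons = []
            if rid in PRIVILEGED_RIDS:
                reasons.append(f"RID {rid} is {PRIVILEGED_RIDS[rid]}")
            if domain in live_domains:
                reasons.append("source domain is still part of this forest")
            if reasons:
                findings.append((acct.sam_account_name, entry, "; ".join(reasons)))
    return findings


# Constructed accounts in the child domain.
SAMPLE_ACCOUNTS = (
    Account("jdoe", CHILD_SID, (LEGACY_SID + "-1105",)),    # genuine migration from a retired domain
    Account("svc-backup", CHILD_SID, (ROOT_SID + "-519",)),  # the root Enterprise Admins SID from the text
    Account("mallory", CHILD_SID, (ROOT_SID + "-1201",)),    # ordinary root user SID, still cross-domain
    Account("alice", CHILD_SID),                             # no history at all
)

if __name__ == "__main__":
    for name, entry, reason in audit_sid_history(SAMPLE_ACCOUNTS, LIVE_FOREST_DOMAINS):
        print(f"{name}: {entry} ({reason})")
```

In a real forest the account list comes from an LDAP query for objects whose sIDHistory is set, and the live-domain set from the forest's domain list. Alongside this periodic audit, the domain controller security log records the change itself: event ID 4765 (SID History was added to an account) and 4766 (an attempt to add SID History failed) are the events to alert on.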
3. Exploiting Kerberos Delegation Misconfigurations: Another important escalation vector involves misconfigured Kerberos delegation settings within the child domain. Kerberos delegation allows certain service accounts or servers to impersonate users, enabling seamless multi-hop authentication. However, when delegation settings are overly permissive or improperly secured, attackers can abuse these trusted mechanisms to impersonate privileged user accounts or services, moving laterally from the compromised child domain into the heart of the parent domain.
Misconfigured delegation settings provide attackers a subtle, yet powerful avenue to quietly escalate privileges.
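The "overly permissive" settings the text refers to are visible in a few directory attributes: unconstrained delegation and protocol transition are bits of userAccountControl, constrained delegation targets sit in msDS-AllowedToDelegateTo, and the protection for privileged accounts is the "Account is sensitive and cannot be delegated" bit. The audit below is an added example, not code from the original post or from Rubrik. The bit values are the documented userAccountControl flags; the objects, names and the pre-computed "privileged" marker are constructed assumptions.

```python
"""Audit Kerberos delegation settings on directory objects (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

# Documented userAccountControl bits.
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition


@dataclass(frozen=True)
class DirectoryObject:
    name: str
    user_account_control: int
    allowed_to_delegate_to: tuple[str, ...] = ()  # msDS-AllowedToDelegateTo
    privileged: bool = False                      # member of a Tier 0 group (assumed, computed elsewhere)


def audit_delegation(objects) -> dict[str, list[str]]:
    """Map object name to the list of delegation weaknesses found on it."""
    findings: dict[str, list[str]] = {}
    for obj in objects:
        uac = obj.user_account_control
        issues = []
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        # Domain controllers are unconstrained by design; anything else should not be.
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            issues.append("unconstrained delegation on a non-DC: it can reuse the TGT of any user who connects")
        # Protocol transition lets the service obtain tickets for users who never authenticated to it.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            targets = ", ".join(obj.allowed_to_delegate_to) or "(no targets listed)"
            issues.append(f"protocol transition enabled towards {targets}")
        # Tier 0 accounts must be marked sensitive so no delegation path can impersonate them.
        if obj.privileged and not uac & NOT_DELEGATED:
            issues.append("privileged account is not marked 'sensitive and cannot be delegated'")
        if issues:
            findings[obj.name] = issues
    return findings


# Constructed objects in the child domain.
SAMPLE_OBJECTS = (
    DirectoryObject("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),            # expected on a DC
    DirectoryObject("WEB01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),      # member server, unconstrained
    DirectoryObject("svc-sql", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                    ("MSSQLSvc/db01.emea.corp.example:1433",)),                         # protocol transition
    DirectoryObject("ea-admin", NORMAL_ACCOUNT, privileged=True),                       # Tier 0, unprotected
    DirectoryObject("da-emea", NORMAL_ACCOUNT | NOT_DELEGATED, privileged=True),        # Tier 0, protected
)

if __name__ == "__main__":
    for name, issues in audit_delegation(SAMPLE_OBJECTS).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

The three reported objects map onto the three remediations: replace unconstrained delegation on WEB01 with a constrained target list, drop protocol transition from svc-sql unless the application genuinely needs it, and set the sensitive bit (or Protected Users membership) on ea-admin so that no delegating service in the child domain can impersonate a forest root administrator.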
Why Every Domain Must Be Treated as Critical Infrastructure
The scenarios above illustrate clearly why a compromise of any single domain within a forest quickly poses an existential threat to every domain and resource within it. Attackers thoroughly understand these relationships and regularly leverage these escalation paths, often staying undetected for extended periods. Detection can be difficult because, unlike with malware, a compromised identity looks very similar to a regular identity until you start to notice irregular behaviours.
Learn more about how Rubrik Identity Recovery can help you recover when the worst happens.
[1] https://en.wikipedia.org/wiki/Mimikatz
[2] https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory