Cross-forest trust relationships often exist in large AD environments — especially when acquisitions, subsidiaries, or test environments are involved. But if group privileges are misconfigured or SID filtering is disabled, attackers can hop forests with ease. This blog explores how Pentest Copilot identifies and exploits these trust paths using nested group privilege chains and password reset attacks.
Active Directory trust relationships establish authentication pathways between domains and forests, enabling users in one domain to access resources in another. These relationships are built upon Kerberos authentication protocols and create complex security boundaries that require careful configuration and monitoring.
Trust Types and Security Implications:
Parent-Child Domain Trusts: Automatically created bidirectional transitive trusts between parent and child domains within the same forest. These trusts enable authentication flow and resource access across domain boundaries while maintaining unified forest-wide administration.
Forest Trusts: Bidirectional trusts established between separate Active Directory forests, enabling cross-forest authentication and resource access. These trusts can be configured with selective authentication to limit cross-forest access scope.
External Trusts: Non-transitive trusts between domains in different forests, providing limited cross-domain authentication capabilities without full forest trust establishment.
The GOAD laboratory environment implements a comprehensive trust architecture designed to simulate realistic enterprise scenarios:
Domain Structure:
Trust Relationships:
Cross-Domain Security Groups: The laboratory incorporates strategic cross-domain group memberships that enable privilege escalation across trust boundaries:
In our demo, two forests are involved: sevenkingdoms.local and essos.local.
A group called Spys in essos.local has GenericAll permissions on the user jorah.mormont. Pentest Copilot discovers that tyron.lannister from sevenkingdoms.local is a transitive member of this group via the Small Council group.
The agent maps this path via graph analysis and creates a vulnerability entity for cross-forest privilege escalation.
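The graph walk described above, written out as an added example (this is not Pentest Copilot's code and not from the original post). The edge set is constructed to mirror the demo: Spys in essos.local holds GenericAll on jorah.mormont, and tyron.lannister reaches Spys through Small Council. Which domain Small Council lives in, the extra benign edges, and the list of rights treated as "control" are assumptions made for illustration.

```python
from collections import deque

# Constructed relationships modelled on the post's demo. Each edge is
# (source principal, right, destination). Domain placement of Small Council
# and the two extra edges are assumptions for this example.
EDGES = [
    ("tyron.lannister@sevenkingdoms.local", "MemberOf", "small council@sevenkingdoms.local"),
    ("small council@sevenkingdoms.local", "MemberOf", "spys@essos.local"),
    ("spys@essos.local", "GenericAll", "jorah.mormont@essos.local"),
    # Same-forest member of Spys: has control, but it is not a cross-forest path.
    ("daenerys.targaryen@essos.local", "MemberOf", "spys@essos.local"),
    # Benign membership with no control right behind it.
    ("tyron.lannister@sevenkingdoms.local", "MemberOf", "domain users@sevenkingdoms.local"),
]

# User principals the audit should start from (constructed).
USERS = ["tyron.lannister@sevenkingdoms.local", "daenerys.targaryen@essos.local"]

# Rights that let the holder take over the target object (assumed list).
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "ForceChangePassword"}


def forest_of(principal):
    """The DNS suffix after '@' doubles as the forest identifier in this model."""
    return principal.rsplit("@", 1)[1].lower()


def build_graph(edges):
    """Adjacency list: principal -> list of (right, destination)."""
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src.lower(), []).append((right, dst.lower()))
    return graph


def find_cross_forest_control_paths(edges, source):
    """Breadth-first walk along MemberOf edges from `source`, so the shortest
    nesting chain is reported first. Collect every control right reached
    whose target sits in a forest other than the source's own."""
    graph = build_graph(edges)
    source = source.lower()
    home = forest_of(source)
    findings = []
    queue = deque([(source, [source])])
    seen = {source}
    while queue:
        node, path = queue.popleft()
        for right, dst in graph.get(node, []):
            if right == "MemberOf":
                if dst not in seen:
                    seen.add(dst)
                    queue.append((dst, path + [dst]))
            elif right in CONTROL_RIGHTS and forest_of(dst) != home:
                findings.append({"right": right, "target": dst, "path": path + [dst]})
    return findings


def audit_all_users(edges, users):
    """Map each user to the cross-forest control paths it can reach; users with
    no such path are left out of the report."""
    report = {}
    for user in sorted(u.lower() for u in users):
        hits = find_cross_forest_control_paths(edges, user)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in audit_all_users(EDGES, USERS).items():
        for hit in hits:
            print(f"{user} -> {hit['target']} via {' -> '.join(hit['path'])} ({hit['right']})")
```

For a real forest the edge list would come from LDAP group membership (including foreign security principals) and from the ACLs on user objects; the same walk then tells you which accounts in a trusted forest can take over accounts in yours, which is the review a defender wants before relying on a trust.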
Once the group chain and target are confirmed, the agent proceeds:
1. Extracts the secret of tyron.lannister (credentials or token).
2. Uses those credentials to authenticate into essos.local.
3. Resets the password of jorah.mormont using GenericAll privileges.
4. Creates a new Secret entity for jorah.mormont, marking the new credentials.
Throughout the process, every action is logged and linked to the exploit chain in the graph.
Post-exploitation, the vulnerability is marked verified, and the new password is stored as a Secret with indicators like username, domain, and password. This confirms successful control over a foreign forest account — opening the door to deeper lateral movement.