
Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)

ID: 587ab78c-dc7d-53b0-b7f5-541b6561c2e3

STIX ID: report--587ab78c-dc7d-53b0-b7f5-541b6561c2e3

Feed Name: SpecterOps Blog

Threat Score
72/100

Date Published: 2025-06-25

Date Updated: 2026-04-30

Author: Jonas Bülow Knudsen

...
...

This report documents AORTA, an Active Directory privilege-escalation technique available to principals that hold the Create-Inbound-Forest-Trust control access right (by default, members of Incoming Forest Trust Builders) and that can also control DNS (for example as members of DnsAdmins). Such a principal can create an inbound forest trust with TGT delegation enabled. By coercing a domain controller to authenticate to an attacker-controlled host configured for unconstrained delegation, the attacker captures the DC's TGT and uses it to DCSync the domain's credentials. The author details the discovery, the RPC-level implementation, a PowerShell proof of concept and a more robust tool (Trustify), demonstrates the full attack chain in a lab, and provides detection guidance (checking the Trust Attributes bitmask in Event ID 4706) and mitigations (treat these groups as Tier Zero; mark DC accounts NOT_DELEGATED or use Protected Users). Microsoft's response was a documentation update only.
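The detection the report points to, checking the Trust Attributes bitmask of Event ID 4706 for the TGT-delegation bit, as an added Python example that is not code from the SpecterOps post or from Trustify. It assumes the relevant bit is TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION (0x800) as defined in MS-ADTS; the page itself does not name the bit. The 4706 message bodies below are constructed samples in the layout the Security log renders, not captured events.

```python
"""Flag Security event 4706 ("A new trust was created to a domain") records
whose Trust Attributes value has the TGT-delegation bit set.

Added example, not from the SpecterOps post. Assumption: the bit value 0x800 is
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION per MS-ADTS; the
sample event bodies are constructed, not captured from a real DC.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# MS-ADTS trustAttributes / trustDirection values (assumed from the spec).
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x008
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
TRUST_DIRECTION_NAMES = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# Constructed 4706 message bodies: first is an AORTA-style trust
# (forest transitive + TGT delegation enabled), second is a benign forest trust.
SAMPLE_EVENTS = [
    "A new trust was created to a domain.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tCORP\n\n"
    "Trusted Domain:\n"
    "\tDomain Name:\t\tattacker.example\n"
    "\tDomain ID:\t\tS-1-5-21-4444-5555-6666\n\n"
    "Trust Information:\n"
    "\tTrust Type:\t\t2\n"
    "\tTrust Direction:\t\t1\n"
    "\tTrust Attributes:\t\t2056\n"
    "\tSID Filtering:\t\tEnabled\n",
    "A new trust was created to a domain.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500\n"
    "\tAccount Name:\t\tAdministrator\n"
    "\tAccount Domain:\t\tCORP\n\n"
    "Trusted Domain:\n"
    "\tDomain Name:\t\tpartner.example\n"
    "\tDomain ID:\t\tS-1-5-21-7777-8888-9999\n\n"
    "Trust Information:\n"
    "\tTrust Type:\t\t2\n"
    "\tTrust Direction:\t\t3\n"
    "\tTrust Attributes:\t\t8\n"
    "\tSID Filtering:\t\tEnabled\n",
]


@dataclass
class TrustEvent:
    subject: str           # DOMAIN\account that created the trust
    domain_name: str       # trusted domain named in the event
    trust_direction: int   # trustDirection value as logged
    trust_attributes: int  # trustAttributes bitmask as logged

    @property
    def tgt_delegation(self) -> bool:
        return tgt_delegation_enabled(self.trust_attributes)


def tgt_delegation_enabled(attributes: int) -> bool:
    """True when the cross-organization TGT-delegation bit is set."""
    return bool(attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)


def _field(body: str, label: str) -> str:
    """Extract 'Label:<tabs>value' from an event message body."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", body, re.MULTILINE)
    if m is None:
        raise ValueError(f"4706 body is missing field {label!r}")
    return m.group(1)


def _to_int(text: str) -> int:
    """Accept either the decimal the log renders or a 0x-prefixed hex value."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_4706(body: str) -> TrustEvent:
    return TrustEvent(
        subject=f"{_field(body, 'Account Domain')}\\{_field(body, 'Account Name')}",
        domain_name=_field(body, "Domain Name"),
        trust_direction=_to_int(_field(body, "Trust Direction")),
        trust_attributes=_to_int(_field(body, "Trust Attributes")),
    )


def find_suspicious_trusts(bodies: Iterable[str]) -> List[TrustEvent]:
    """Return every 4706 record that created a trust with TGT delegation enabled."""
    return [ev for ev in map(parse_4706, bodies) if ev.tgt_delegation]


def describe(ev: TrustEvent) -> str:
    direction = TRUST_DIRECTION_NAMES.get(ev.trust_direction, str(ev.trust_direction))
    return (f"ALERT: {ev.subject} created {direction} trust to {ev.domain_name} "
            f"with trustAttributes=0x{ev.trust_attributes:x} (TGT delegation enabled)")


if __name__ == "__main__":
    for ev in find_suspicious_trusts(SAMPLE_EVENTS):
        print(describe(ev))
```

On a domain controller the same bodies are available as the `Message` property of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4706}`; feed those strings to `find_suspicious_trusts` instead of the constructed samples. Any new trust carrying the 0x800 bit is worth an alert regardless of direction, since a legitimate trust rarely needs cross-forest TGT delegation; the direction and creating subject in the output let an analyst confirm whether it matches the AORTA pattern (a non-administrator creating an inbound trust).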
