Extra-SID Attack via the Inter-Realm Trust Key: Skipping the Golden Ticket
The well-documented Extra-SID attack uses the child krbtgt hash and routes through the child KDC. There's a second path that bypasses the child KDC entirely, using the inter-realm trust account hash to forge the referral ticket directly.
active-directory kerberos red-team windows privilege-escalation
March 15, 2026