Domain trusts define which identities can request access across domain or forest boundaries. A trust does not automatically mean full compromise, but it changes where Kerberos referrals, group membership, SID filtering, and resource authorization have to be evaluated.
We treat trusts as attack paths. First we identify the direction and type of trust. Then we decide whether we are with the direction of access, against it, or inside a parent-child relationship where SIDHistory can become the escalation primitive.
The key objects are trusted domain objects, trust accounts, foreign security principals, and tickets that contain extra SIDs. The key secrets are the krbtgt key for parent-child escalation and the inter-realm trust key for one-way trust abuse.
Tools used in this section include PowerView, Impacket, Rubeus, Mimikatz, NetExec, BloodHound, and bloodyAD.
Lab defaults
Primary domain: ootw.local
Primary DC: 10.10.10.200
Kali: 10.10.10.100
Student user: student
Student password: student
Common variables
export DC=10.10.10.200
export DOMAIN=ootw.local
export BASE='DC=ootw,DC=local'
export USER=student
export PASS='student'
Trust direction values
1 Inbound from the perspective of the queried domain
2 Outbound from the perspective of the queried domain
3 Bidirectional
Trust type values
1 Downlevel trust
2 Active Directory trust
3 MIT Kerberos realm trust
4 DCE trust
Common trust attributes
0x00000004 QUARANTINED_DOMAIN
0x00000008 FOREST_TRANSITIVE
0x00000010 CROSS_ORGANIZATION
0x00000020 WITHIN_FOREST
0x00000040 TREAT_AS_EXTERNAL
0x00000080 USES_RC4_ENCRYPTION
0x00000200 CROSS_ORGANIZATION_NO_TGT_DELEGATION
0x00000800 PIM_TRUST