| Parent-child escalation | Domain admin in a child domain inside the same forest | Child domain krbtgt key, child domain SID, parent or root privileged group SID | Forge a child-domain TGT with parent/root privileged SID in SIDHistory | secretsdump.py for child krbtgt, then ticketer.py -extra-sid <ROOT_SID>-519 | Rubeus.exe golden /sids:<ROOT_SID>-519 /ptt or mimikatz kerberos::golden | Forest-level access if SID filtering does not block the extra SID inside the forest path |
| Inbound trust abuse | We control an account in the trusted domain and the target domain trusts that identity source | Credential material for an eligible foreign principal or trust key | Use legitimate cross-domain access or forge an inter-realm referral ticket | Query foreign security principals, resolve SIDs, request cross-realm tickets | Rubeus.exe asktgt, asktgs, or silver /service:krbtgt/<target> | Access resources in the trusting domain where the foreign identity is authorized |
| Outbound trust enumeration | We are on the trusting side, against the access direction | Trust account key from the TDO or credentials from the trusted domain | Use the inter-realm key as the trust account to obtain a TGT in the trusted domain | getTGT.py <trusted>/<TRUSTING$> -hashes :<TRUST_RC4> | DCSync TDO by GUID, then Rubeus.exe asktgt /user:<TRUSTING$> | Enumerate the trusted domain as the trust account, usually equivalent to basic Domain Users visibility |
| Bidirectional trust hunting | We have any foothold in one trusted domain | Valid credentials and network path to both domains | Enumerate both sides for groups, ACLs, sessions, shares, ADCS, delegation, and roastable users | LDAP, NetExec, BloodHound collectors | PowerView, AD module, BloodHound collectors | Find the real cross-domain privilege edge |
| Foreign security principal abuse | A foreign SID is a member of a group in the target domain | Control of the matching source-domain principal | Resolve the SID back to its source-domain user or group and impersonate it | LDAP query FSPs, resolve objectSid in source domain | PowerView Get-DomainForeignGroupMember | Access target-domain resources through legitimate group membership |
| SIDHistory abuse | Account has privileged or useful SIDs in sIDHistory | Control of that account or ability to add SIDHistory | Kerberos PAC includes historical SIDs during authorization | LDAP search for sIDHistory=*, then validate access | Get-ADObject -LDAPFilter '(sIDHistory=*)' | Access follows the historical SID unless filtered |