Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts

Response

Trust response starts by proving which trust exists, who can cross it, which foreign SIDs are authorized, and whether trust secrets or krbtgt secrets were touched. Treat unexpected trust activity as an identity boundary incident.

Inventory trusts

Get-ADTrust -Filter * -Properties * | Select-Object Name,Direction,TrustType,TrustAttributes,Target
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties name,trustPartner,trustDirection,trustType,trustAttributes,flatName,securityIdentifier,objectGUID

Inventory foreign security principals

Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties cn,memberOf,distinguishedName

Inventory SIDHistory

Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sAMAccountName,sIDHistory,distinguishedName

Check privileged foreign membership

Get-ADGroupMember "Administrators" -Recursive

Get-ADGroupMember "Domain Admins" -Recursive

Get-ADGroupMember "Enterprise Admins" -Recursive

Useful Windows event IDs

4716  Trusted domain information modified
4768  Kerberos authentication ticket requested
4769  Kerberos service ticket requested
4765  SIDHistory added to an account
4766  SIDHistory add attempt failed
4624  Logon event, especially foreign domain network logons
4662  Directory object operation, useful for DCSync and sensitive object access

Hunt for DCSync against trust or krbtgt objects

DS-Replication-Get-Changes
DS-Replication-Get-Changes-All
DS-Replication-Get-Changes-In-Filtered-Set

Reset a trust secret

netdom trust trusting.local /domain:trusted.local /reset

Enable selective authentication

netdom trust trusting.local /domain:trusted.local /SelectiveAUTH:Yes

Enable SID filtering on external trusts

netdom trust trusting.local /domain:trusted.local /quarantine:Yes

Disable TGT delegation across a trust

netdom trust trusting.local /domain:trusted.local /EnableTGTDelegation:No

Validate after changes

Get-ADTrust -Filter * -Properties * | Select-Object Name,Direction,TrustType,TrustAttributes,SelectiveAuthentication
nltest /domain_trusts

Remediation priorities

Remove stale trusts.
Prefer one-way trusts over bidirectional trusts where possible.
Use selective authentication for external and forest trusts.
Keep SID filtering enabled wherever operationally possible.
Remove unnecessary foreign principals from privileged groups.
Rotate trust secrets after suspected trust-key exposure.
Rotate child-domain krbtgt twice after parent-child ticket forgery.
Monitor 4769 events for unusual cross-realm service ticket requests.