Trust response starts by proving which trust exists, who can cross it, which foreign SIDs are authorized, and whether trust secrets or krbtgt secrets were touched. Treat unexpected trust activity as an identity boundary incident.
Inventory trusts
Get-ADTrust -Filter * -Properties * | Select-Object Name,Direction,TrustType,TrustAttributes,Target
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties name,trustPartner,trustDirection,trustType,trustAttributes,flatName,securityIdentifier,objectGUID
Inventory foreign security principals
Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties cn,memberOf,distinguishedName
Inventory SIDHistory
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sAMAccountName,sIDHistory,distinguishedName
Check privileged foreign membership
Get-ADGroupMember "Administrators" -Recursive
Get-ADGroupMember "Domain Admins" -Recursive
Get-ADGroupMember "Enterprise Admins" -Recursive
Useful Windows event IDs
4716 Trusted domain information modified
4768 Kerberos authentication ticket requested
4769 Kerberos service ticket requested
4765 SIDHistory added to an account
4766 SIDHistory add attempt failed
4624 Logon event, especially foreign domain network logons
4662 Directory object operation, useful for DCSync and sensitive object access
Hunt for DCSync against trust or krbtgt objects
DS-Replication-Get-Changes
DS-Replication-Get-Changes-All
DS-Replication-Get-Changes-In-Filtered-Set
Reset a trust secret
netdom trust trusting.local /domain:trusted.local /reset
Enable selective authentication
netdom trust trusting.local /domain:trusted.local /SelectiveAUTH:Yes
Enable SID filtering on external trusts
netdom trust trusting.local /domain:trusted.local /quarantine:Yes
Disable TGT delegation across a trust
netdom trust trusting.local /domain:trusted.local /EnableTGTDelegation:No
Validate after changes
Get-ADTrust -Filter * -Properties * | Select-Object Name,Direction,TrustType,TrustAttributes,SelectiveAuthentication
nltest /domain_trusts
Remediation priorities
Remove stale trusts.
Prefer one-way trusts over bidirectional trusts where possible.
Use selective authentication for external and forest trusts.
Keep SID filtering enabled wherever operationally possible.
Remove unnecessary foreign principals from privileged groups.
Rotate trust secrets after suspected trust-key exposure.
Rotate child-domain krbtgt twice after parent-child ticket forgery.
Monitor 4769 events for unusual cross-realm service ticket requests.