PRIMARY CATEGORY → WINDOWS MOVEMENT

Theory

Trust Types
Transitivity
SID Filtering
SID History

sIDHistory is the AD attribute that comes into play when a domain user or group is migrated from one domain or forest to another. It supports both kinds of migration by letting the migrated object keep the access it already had: the object's old Security Identifier (SID) is stored in the sIDHistory attribute of its new counterpart in the target domain or forest.

That is, when a user is migrated to another domain, a new account is created there and the original account's SID is added to the new account's sIDHistory. At logon the SIDs held in sIDHistory are added to the access token next to the new account's own SID, so the account still matches ACLs in the original domain that reference the old SID.

The attribute is intended for SIDs from other domains, but a SID of the same domain is honoured just as well: a same-domain SID written into sIDHistory (for instance the SID of a privileged group) grants that principal's access without any group membership showing on the account, which is why the attribute is worth auditing even where no trust is involved.
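As an added example (not part of the original page), the following Python decodes binary objectSid/sIDHistory values in the form LDAP returns them and checks every historical SID against the account's own domain and a map of trusted domain SIDs, so that a SID left behind by a migration can be told apart from a same-domain or BUILTIN SID that only a direct write to the attribute would put there. The sample SIDs, the domain names and the function names are constructed for the example.

```python
"""Decode binary SIDs and audit an account's sIDHistory (added example)."""
import struct


def sid_to_str(blob):
    """Binary SID (objectSid/sIDHistory wire format) -> 'S-1-5-21-...' string."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")            # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)  # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def str_to_sid(text):
    """Inverse of sid_to_str; used here only to build the constructed sample input."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_part(sid):
    """Drop the RID: 'S-1-5-21-a-b-c-1104' -> 'S-1-5-21-a-b-c'."""
    return sid.rsplit("-", 1)[0]


def audit_sid_history(object_sid_blob, sid_history_blobs, trusted_domains):
    """Classify every sIDHistory value of one account.

    trusted_domains maps a domain SID ('S-1-5-21-...') to its DNS name. Only SIDs
    from a domain the account was migrated from are expected here; a SID from the
    account's own domain or a BUILTIN group cannot come from a migration and points
    at the attribute having been written directly."""
    own_domain = domain_part(sid_to_str(object_sid_blob))
    report = []
    for blob in sid_history_blobs:
        sid = sid_to_str(blob)
        rid = int(sid.rsplit("-", 1)[1])
        dom = domain_part(sid)
        if sid.startswith("S-1-5-32-"):
            verdict, detail = "builtin", "BUILTIN group SID; never produced by a migration"
        elif dom == own_domain:
            verdict, detail = "same-domain", "SID of the account's own domain (RID %d); injected" % rid
        elif dom in trusted_domains:
            verdict, detail = "migrated", "from %s" % trusted_domains[dom]
            if rid < 1000:
                detail += "; RID < 1000 is a well-known principal, check it"
        else:
            verdict, detail = "unknown", "domain not in the trust map"
        report.append({"sid": sid, "verdict": verdict, "detail": detail})
    return report


# Constructed sample: a user migrated from old.corp into the current domain,
# whose sIDHistory has since had two extra SIDs added.
SAMPLE_OBJECT_SID = str_to_sid("S-1-5-21-1111-2222-3333-1104")
SAMPLE_SID_HISTORY = [
    str_to_sid("S-1-5-21-4444-5555-6666-1337"),   # legitimate: old SID from old.corp
    str_to_sid("S-1-5-21-1111-2222-3333-512"),    # Domain Admins of the current domain
    str_to_sid("S-1-5-32-544"),                    # BUILTIN\Administrators
]
SAMPLE_TRUSTED_DOMAINS = {"S-1-5-21-4444-5555-6666": "old.corp"}

if __name__ == "__main__":
    for row in audit_sid_history(SAMPLE_OBJECT_SID, SAMPLE_SID_HISTORY, SAMPLE_TRUSTED_DOMAINS):
        print("%-32s %-12s %s" % (row["sid"], row["verdict"], row["detail"]))
```

The same decoder applies to the base64 values ldapsearch prints for objectSid and sIDHistory (decode the base64 first, then pass the bytes in); the trust map can be filled from the securityIdentifier attribute of the trustedDomain objects enumerated further down.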


Components

Trust Flavor



Components

Trust Attack



Enumeration - UNIX-like

LDAPSearch

ldapsearch -LLL -x -H 'ldap://<DC>' -D '<USER>@<DOMAIN>.<TLD>' -w '<PASSWD>' -b 'CN=System,DC=<DOMAIN>,DC=<TLD>' '(objectClass=trustedDomain)' flatName trustPartner trustDirection trustAttributes trustType securityIdentifier

Simple bind (-x) accepts the UPN form of the user; trustedDomain objects live under CN=System, so searching that container keeps the result small. trustDirection (1 inbound, 2 outbound, 3 bidirectional) and trustAttributes (bit flags: 0x1 non-transitive, 0x4 SID filtering quarantine, 0x8 forest transitive, 0x20 within forest, 0x40 treat as external) come back as integers; securityIdentifier is the partner domain's SID and is printed base64-encoded.
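To turn the raw trustedDomain entries into something readable, here is an added Python example (not from the original page or from any of the tools it lists) that parses the LDIF ldapsearch -LLL prints, including base64 ('::') and folded lines, and decodes trustDirection, trustType and the MS-ADTS trustAttributes bit flags into transitivity and SID-filtering state. The LDIF embedded below is constructed; the domain names, the SID and the function names are assumptions of the example.

```python
"""Decode trustedDomain objects from ldapsearch LDIF output (added example)."""
import base64

# trustAttributes bit flags (MS-ADTS, TRUST_ATTRIBUTE_*)
TRUST_ATTRIBUTE_FLAGS = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",   # SID filtering quarantine (netdom trust /quarantine:yes)
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",    # forest trust filtered like an external trust
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel (NT4)", 2: "uplevel (AD)", 3: "MIT Kerberos realm", 4: "DCE"}


def parse_ldif(text):
    """Minimal LDIF reader returning one dict per entry. Handles 'attr: value',
    base64 'attr:: value' (decoded to bytes) and folded continuation lines.
    Repeated attributes overwrite; the trustedDomain attributes used here are single-valued."""
    entries, current, b64, last = [], {}, set(), None
    for raw in text.splitlines() + [""]:            # trailing "" flushes the final entry
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append({k: (base64.b64decode(v) if k in b64 else v)
                                for k, v in current.items()})
            current, b64, last = {}, set(), None
            continue
        if raw[0] == " " and last is not None:      # folded line continues the previous value
            current[last] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                   # 'attr:: <base64>'
            b64.add(attr)
            value = value[1:]
        current[attr] = value.strip()
        last = attr
    return entries


def decode_trust(entry):
    """Translate one trustedDomain entry into direction, type, flag names,
    transitivity and SID-filtering state."""
    attrs = int(entry.get("trustAttributes", 0))
    flags = [name for bit, name in TRUST_ATTRIBUTE_FLAGS.items() if attrs & bit]
    within_forest, forest = bool(attrs & 0x20), bool(attrs & 0x08)
    quarantined, as_external = bool(attrs & 0x04), bool(attrs & 0x40)
    if within_forest:
        sid_filtering = "quarantined" if quarantined else "off (intra-forest, sIDHistory honoured)"
    elif forest:
        sid_filtering = ("relaxed to external-trust rules (TREAT_AS_EXTERNAL)" if as_external
                         else "forest SID filtering (default)")
    else:  # external or realm trust
        sid_filtering = "quarantined (SID filtering on)" if quarantined else "off (sIDHistory honoured)"
    return {
        "partner": entry.get("trustPartner", "?"),
        "netbios": entry.get("flatName", "?"),
        "direction": TRUST_DIRECTION.get(int(entry.get("trustDirection", 0)), "unknown"),
        "type": TRUST_TYPE.get(int(entry.get("trustType", 0)), "unknown"),
        "flags": flags,
        # external trusts are never transitive; intra-forest and forest trusts are,
        # unless NON_TRANSITIVE is set
        "transitive": (within_forest or forest) and not attrs & 0x01,
        "sid_filtering": sid_filtering,
    }


# Constructed sample in the shape ldapsearch -LLL prints, including a folded
# base64 value; the domain names and the SID are made up for the example.
SAMPLE_LDIF = """\
dn: CN=child.corp.local,CN=System,DC=corp,DC=local
objectClass: trustedDomain
flatName: CHILD
trustPartner: child.corp.local
trustDirection: 3
trustAttributes: 32
trustType: 2
securityIdentifier:: AQQAAAAAAAUVAAAA
 AQAAAAIAAAADAAAA

dn: CN=partner.example,CN=System,DC=corp,DC=local
objectClass: trustedDomain
flatName: PARTNER
trustPartner: partner.example
trustDirection: 2
trustAttributes: 4
trustType: 2

dn: CN=other.forest,CN=System,DC=corp,DC=local
objectClass: trustedDomain
flatName: OTHER
trustPartner: other.forest
trustDirection: 3
trustAttributes: 72
trustType: 2
"""

if __name__ == "__main__":
    for t in (decode_trust(e) for e in parse_ldif(SAMPLE_LDIF)):
        print("%-18s %-13s %-18s flags=%s transitive=%s sid_filtering=%s" % (
            t["partner"], t["direction"], t["type"], ",".join(t["flags"]) or "-",
            t["transitive"], t["sid_filtering"]))
```

Feed it the real output by reading the ldapsearch result from a file or stdin instead of SAMPLE_LDIF; the QUARANTINED_DOMAIN and TREAT_AS_EXTERNAL flags are the ones that decide whether a sIDHistory value will survive the crossing, which is the question the SID Filtering and SID History sections above are about.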
LDAPDomaindump

Setup
git clone "https://github.com/dirkjanm/ldapdomaindump" ldapdomaindump
cd ldapdomaindump && python3 -m venv .venv
. .venv/bin/activate && pip3 install -r requirements.txt
Usage
python3 ldapdomaindump.py --user '<DOMAIN>\<USER>' --password '<PASSWD>' --no-json --no-grep '<DC>'
The trust relationships end up in domain_trusts.html in the output directory (the current directory unless -o is given).
BloodHound.py

Setup
git clone "https://github.com/dirkjanm/BloodHound.py" BH.py
cd BH.py && git checkout bloodhound-ce
python3 -m venv .venv
. .venv/bin/activate && pip3 install .
Usage
python3 bloodhound.py --collectionmethod All --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --zip --nameserver '<DC>' --domain-controller '<DC_FQDN>'
Domain | Forest Trusts Edges on BloodHound-CE


Enumeration - Windows

Powershell AD Module

Get-ADTrust

Get-ADTrust -Filter *
Powerview (Powerview.ps1)

Getting all Trusts for the current Domain

Get-DomainTrust
Getting all Trusts for the current Forest

Get-ForestTrust
Enumerating Users who are in Groups outside of their Principal Domain

Get-DomainForeignUser
Building a relational mapping of all domain trusts

Get-DomainTrustMapping
Netdom

Querying Domain | Forest Trusts
netdom query /domain:<DOMAIN> trust
Run from cmd or PowerShell on a domain-joined host with RSAT (or on a DC); single quotes are not quoting characters for netdom, so leave them out of the domain name.
