Active Directory Trusts
Status: Scaffold — content in progress
AD trusts define authentication relationships between domains and forests. Trust paths are a common lateral movement route from child to parent domain.
Trust Types
| Type | Direction | Transitivity | Scope |
|---|---|---|---|
| Parent-child | Bidirectional | Transitive | Same tree |
| Tree-root | Bidirectional | Transitive | Same forest |
| External | Uni or Bi | Non-transitive | Cross-forest (specific domain) |
| Forest | Uni or Bi | Transitive (within scope) | Cross-forest |
| Shortcut | Bidirectional | Transitive | Speeds auth across tree |
| Realm | Uni or Bi | Can be either | Non-Windows Kerberos realm |
SID Filtering
SID filtering prevents cross-forest SID history attacks by stripping, from authentication data that crosses the trust, any SID that does not belong to the trusted domain's own SID namespace (for example injected SID history entries).
- Default behavior: SID filtering is enabled on forest trusts
- Disabled by: `netdom trust /EnableSIDHistory:yes` — rarely needed, opens SID history abuse
- Quarantine flag: Extra protection on external trusts
Attack Paths via Trusts
| Attack | Requirement | Impact |
|---|---|---|
| SID history injection | Domain Admin in child domain | Forge SID history to include Enterprise Admin SID — escalate to forest root |
| Cross-domain Golden Ticket | krbtgt hash of child domain | Create inter-realm TGT with forged SID history |
| Trust account NTLM relay | Trust account hashes | Lateral movement into trusted domain |
Key Principle
Compromising a child domain = compromising the parent via SID history if SID filtering is not properly enforced.
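A defender's check for the SID Filtering section and the principle above, added here as an example (not code from the original page): it lists every trust of the current domain and classifies whether SID history entries can cross it, decoding the `trustAttributes` bits (the bit-to-posture mapping in the comments follows MS-ADTS 6.1.6.7.9 and the behaviour of `netdom /EnableSIDHistory:yes` as understood by the author of this example; verify it against your environment). It assumes the RSAT ActiveDirectory module and read access to the trustedDomain objects; `Get-TrustSidHistoryExposure` is a name chosen here.

```powershell
# Audit every trust of the current domain and report whether SID history can cross it.
# Requires the RSAT ActiveDirectory module (Get-ADTrust).
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS 6.1.6.7.9); the posture mapping below is this example's reading.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x01
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent-child / tree-root / shortcut
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # set by netdom /EnableSIDHistory:yes on a forest trust

function Get-TrustSidHistoryExposure {
    param([string]$Server)
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }
    foreach ($t in Get-ADTrust @params) {
        $a = [int64]$t.TrustAttributes
        if ($a -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
            # Intra-forest trusts never filter SIDs: SID history presented by a child domain
            # is honoured by the parent, which is the child-to-forest-root path on this page.
            $posture = 'NotFiltered (intra-forest)'; $risk = 'High'
        } elseif ($a -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
            if ($a -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                # Forest trust relaxed with /EnableSIDHistory:yes.
                $posture = 'Relaxed (SID history enabled on forest trust)'; $risk = 'High'
            } else {
                $posture = 'Filtered (forest-aware default)'; $risk = 'Low'
            }
        } else {
            if ($a -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
                $posture = 'Filtered (quarantine on)'; $risk = 'Low'
            } else {
                $posture = 'Relaxed (quarantine off on external trust)'; $risk = 'Medium'
            }
        }
        [pscustomobject]@{
            Target          = $t.Target
            Direction       = $t.Direction
            Transitive      = -not ($a -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            TrustAttributes = ('0x{0:X}' -f $a)
            SidFiltering    = $posture
            Risk            = $risk
        }
    }
}

# Print the report; pass -Server to audit a domain controller in another domain you can read.
Get-TrustSidHistoryExposure | Format-Table -AutoSize
```

Rows marked High are the trusts on which the SID history injection and cross-domain Golden Ticket paths in the table above would not be stopped by SID filtering; compare the TrustAttributes column with what `netdom trust` reports before changing anything.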
Telemetry
| Event ID | Description |
|---|---|
| 4769 | Service ticket request (cross-domain ticket will show referring domain) |
| 4768 | TGT request with referral |
Cross-Links
| Topic | Link |
|---|---|
| SID History Abuse | sid-history-abuse |
| Golden Ticket | golden-ticket |