Domain Trust
General
Show Domain Trust (PowerView)
Sharphound across Forest (Covenant)
Kerberoast across Forest (Covenant)
Domain Trust
Enumerate
Scenario: Domain Admin in one Domain with bidirectional trust to another target domain
When a trust is established, trust accounts (the computer accounts domain1$ and domain2$) are created. The shared secret between the two domains is the password hash of these accounts. It can be dumped as DA in one domain (and can be used for the following steps instead of krbtgt if we cannot get our hands on that one):
1. Gather both domains' SIDs:
2. Craft golden ticket to grant Enterprise Privileges
Forest Trust
Across forests, extra SIDs are filtered. This can, however, be disabled on the DC (the intent is to disable it for corporate mergers etc.):
Despite enabling this, we would still get access denied because SIDs < 1000 are always filtered. In addition, members of Global Security Groups will also be filtered. So we need to find a SID > 1000 with privileges that help us (if it's a group, it must also not be a member of Global Security Groups).
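To audit the SID filtering state described above from the defensive side, the following added example (not part of the original page) decodes `trustAttributes` values exported from `trustedDomain` objects and lists trusts where filtering is absent or relaxed. The bit values are from MS-ADTS; the trust names, the `name,value` export format and the simplified classification are assumptions made for illustration.

```python
# Added example: flag trusts whose trustAttributes leave SID filtering off or relaxed.
# Bit values are from MS-ADTS (trustAttributes on trustedDomain objects).
QUARANTINED_DOMAIN = 0x04  # quarantine: strict SID filtering
FOREST_TRANSITIVE = 0x08   # forest trust
WITHIN_FOREST = 0x20       # trust between domains of the same forest
TREAT_AS_EXTERNAL = 0x40   # forest trust filtered only as an external trust

def sid_filtering(attrs: int) -> str:
    """Simplified classification of how extra SIDs are treated on a trust."""
    if attrs & QUARANTINED_DOMAIN:
        return "quarantined"
    if attrs & WITHIN_FOREST:
        return "not-filtered"      # a domain is not a security boundary in a forest
    if attrs & FOREST_TRANSITIVE:
        return "relaxed" if attrs & TREAT_AS_EXTERNAL else "forest-default"
    return "relaxed"               # external trust with quarantine turned off

def parse_export(text: str):
    """Parse 'name,trustAttributes' lines; values may be decimal or 0x-hex."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(",")
        rows.append((name.strip(), int(value.strip(), 0)))
    return rows

def needs_review(text: str):
    """Return (trust, state) for every trust that is not strictly filtered."""
    return [(n, sid_filtering(a)) for n, a in parse_export(text)
            if sid_filtering(a) in ("relaxed", "not-filtered")]

# Constructed sample export (names and values are illustrative only).
SAMPLE = """
# trust partner, trustAttributes
child.corp.example,32
partner.example,0x8
merged.example,0x48
vendor.example,4
legacy.example,0
"""

if __name__ == "__main__":
    for trust, state in needs_review(SAMPLE):
        print(f"{trust}: SID filtering {state}")
```

A forest trust reported as `relaxed` is one where the SID history setting mentioned above has been turned on and should be tied to a documented migration.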