Forest Trust Abuse

In-depth notes regarding different forest trust configurations and abuse techniques.

A trust is a kind of relationship established between two or more Active Directory domains to facilitate resource management and authentication.

The following are the possible types of trust configurations:

  • Parent-child: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain child.domain.com can authenticate to the parent domain domain.com, and vice versa.

  • Cross-link: A trust between child domains to speed up authentication.

  • External: A non-transitive trust between two domains in separate forests that are not already joined by a forest trust. This type of trust uses SID Filtering: SIDs in authentication data that do not originate from the trusted domain are filtered out.

  • Tree-root: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.

  • Forest: A transitive trust between two forest root domains.

  • ESAE or PAM Trust: A bastion forest used to manage Active Directory.

Trusts can be either transitive or non-transitive. In a transitive trust, the relationship extends to the domains that the trusted domain itself trusts (for example its child domains); in a non-transitive trust, only the directly trusted domain is trusted.

Trusts can be set up in two directions:

  • One-way: a user in the trusted domain can access resources in the trusting domain.

  • Bi-directional: users from both the trusting and trusted domain can access resources from the other domain.

Remember that the direction of access is always opposite to the direction of the trust.
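As an added example (not part of these notes): a Python script that decodes the trustDirection and trustAttributes values of Active Directory trustedDomain objects into the categories described above (parent-child, cross-link/tree-root, forest, external, PAM/bastion), reports transitivity and access direction, and lists the trusts whose SID filtering configuration a defender should review. The sample records, the local domain name and the partner names are constructed; the attribute bit values follow MS-ADTS.

```python
"""Decode Active Directory trustedDomain objects into the trust types described
in the notes. Added example, not from the original page. The records mimic the
attributes an LDAP search for (objectClass=trustedDomain) returns; the sample
records below are constructed so the script runs offline. Bit values follow
MS-ADTS (trustDirection: 6.1.6.7.12, trustAttributes: 6.1.6.7.9)."""
from dataclasses import dataclass

# trustDirection, from the perspective of the domain holding the object.
# OUTBOUND means "this domain trusts the partner", so the partner's users get
# access here: access flows opposite to the trust direction, as the notes say.
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes bit flags.
NON_TRANSITIVE = 0x1
QUARANTINED_DOMAIN = 0x4   # SID filtering enabled on an external trust
FOREST_TRANSITIVE = 0x8    # forest trust
WITHIN_FOREST = 0x20       # parent-child, tree-root or cross-link (shortcut)
TREAT_AS_EXTERNAL = 0x40   # forest trust relaxed to external-style SID filtering
PIM_TRUST = 0x400          # bastion (ESAE/PAM) forest trust

# Constructed sample data: the trusts as seen from domain.com.
LOCAL_DOMAIN = "domain.com"
SAMPLE_TRUSTS = [
    {"trustPartner": "child.domain.com", "trustDirection": 3, "trustAttributes": WITHIN_FOREST},
    {"trustPartner": "partner.example", "trustDirection": 3, "trustAttributes": FOREST_TRANSITIVE},
    {"trustPartner": "legacy.example", "trustDirection": 2,
     "trustAttributes": NON_TRANSITIVE | QUARANTINED_DOMAIN},
    {"trustPartner": "vendor.example", "trustDirection": 2, "trustAttributes": NON_TRANSITIVE},
    {"trustPartner": "bastion.example", "trustDirection": 2,
     "trustAttributes": FOREST_TRANSITIVE | PIM_TRUST},
]


@dataclass
class TrustSummary:
    partner: str
    kind: str
    direction: str
    transitive: bool
    sid_filtering: str
    access: str


def _is_parent_child(local: str, partner: str) -> bool:
    """child.domain.com is a child of domain.com (and vice versa)."""
    local, partner = local.lower(), partner.lower()
    return partner.endswith("." + local) or local.endswith("." + partner)


def classify(record: dict, local_domain: str) -> TrustSummary:
    """Map one trustedDomain record onto the trust types in the notes."""
    attrs = record["trustAttributes"]
    partner = record["trustPartner"]
    direction = DIRECTION.get(record["trustDirection"], "unknown")

    if attrs & WITHIN_FOREST:
        # Tree-root and cross-link trusts cannot be told apart from the flags
        # alone; the DNS hierarchy at least identifies parent-child pairs.
        kind = "parent-child" if _is_parent_child(local_domain, partner) else "tree-root or cross-link"
        sid_filtering = "n/a (same forest)"
    elif attrs & FOREST_TRANSITIVE:
        kind = "PAM/bastion forest" if attrs & PIM_TRUST else "forest"
        sid_filtering = "relaxed (SID history allowed)" if attrs & TREAT_AS_EXTERNAL else "forest-aware"
    else:
        kind = "external"
        sid_filtering = "enabled (quarantined)" if attrs & QUARANTINED_DOMAIN else "DISABLED"

    access = {
        "outbound": f"{partner} users -> {local_domain} resources",
        "inbound": f"{local_domain} users -> {partner} resources",
        "bidirectional": "both ways",
    }.get(direction, "none")

    return TrustSummary(partner, kind, direction, not (attrs & NON_TRANSITIVE), sid_filtering, access)


def findings(records: list, local_domain: str) -> list:
    """Trust settings a defender should review, as readable strings."""
    out = []
    for record in records:
        s = classify(record, local_domain)
        if s.kind == "external" and s.sid_filtering == "DISABLED":
            out.append(f"{s.partner}: external trust with SID filtering disabled")
        if s.kind in ("forest", "PAM/bastion forest") and s.sid_filtering.startswith("relaxed"):
            out.append(f"{s.partner}: forest trust with SID history allowed (TREAT_AS_EXTERNAL)")
    return out


if __name__ == "__main__":
    for record in SAMPLE_TRUSTS:
        s = classify(record, LOCAL_DOMAIN)
        print(f"{s.partner:18} {s.kind:24} {s.direction:14} transitive={s.transitive!s:5} "
              f"SID filtering={s.sid_filtering:24} access: {s.access}")
    print("\nReview:")
    for line in findings(SAMPLE_TRUSTS, LOCAL_DOMAIN):
        print(" -", line)
```

Against a live directory, the records would come from an LDAP search under the System container of the domain naming context; the decoding logic is the same. The "DISABLED" SID filtering result on an external trust is the setting worth auditing first, since it is what allows SIDs from the trusted domain's authentication data to be honoured in the trusting domain.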
