Forest Trust Abuse
In-depth notes regarding different forest trust configurations and abuse techniques.
Last updated
A trust is a relationship between two Active Directory domains (or forests) that lets principals from one domain authenticate to, and be authorised for, resources in the other, so that accounts and resources can be managed across domain boundaries.
The following are the possible trust configurations:
Parent-child: Two domains within the same forest. The child domain has a two-way transitive trust with the parent domain, so users in the child domain child.domain.com can authenticate to the parent domain domain.com, and vice versa.
Cross-link (shortcut): A trust between two domains in the same forest, typically child domains in different trees, that lets Kerberos referrals go directly between them instead of walking up through the forest root, which speeds up authentication.
External: A non-transitive trust between two domains in separate forests that are not already joined by a forest trust. SID filtering is enforced on external trusts by default (the trust is "quarantined"): any SID in an incoming ticket that does not belong to the trusted domain is discarded.
Tree-root: A two-way transitive trust between a forest root domain and a new tree root domain. It is created automatically when a new tree root domain is added to a forest.
Forest: A transitive trust between two forest root domains. Transitivity extends to every domain in both forests, but not to a third forest that one of them trusts.
PAM (bastion forest): A trust to a bastion forest used to manage Active Directory.
A trust is either transitive or non-transitive. In a transitive trust the relationship extends beyond the two domains that established it, so a domain that trusts domain.com also trusts the domains that domain.com trusts (for example its child domains). In a non-transitive trust only the directly trusted domain is trusted, not anything it trusts in turn.
Trusts can be set up in two directions:
One-way: users in the trusted domain can access resources in the trusting domain, but not the reverse.
Bi-directional: users from both domains can access resources in the other domain; this is simply a pair of one-way trusts in opposite directions.
Remember that the direction of access is always opposite to the direction of the trust: if domain A trusts domain B (the trust points from the trusting domain A to the trusted domain B), principals in B can access resources in A. An "outbound" trust from A's point of view therefore means inbound access for B's users.
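Every one of the properties above (type, transitivity, SID filtering, direction) is stored on the trustedDomain object (TDO) that each domain keeps under CN=System, in the trustDirection and trustAttributes attributes, so decoding those two values is how trust enumeration tools classify a trust. The following is an added example, not part of the original notes: it decodes constructed TDO records as seen from the forest root domain.com and maps them onto the categories and access directions described above. The flag values are the documented MS-ADTS bits; the domain names, the four sample records and the function names (enumerate_trusts, summarize_trust, access_paths) are assumptions made for this illustration.

```python
"""Decode Active Directory trustedDomain objects (TDOs) into trust type,
transitivity, SID filtering and access direction.

Added example with constructed data: in a real engagement the trustPartner,
trustDirection and trustAttributes values come from an LDAP search for
(objectClass=trustedDomain) under CN=System,DC=domain,DC=com.
"""

# trustDirection bits (MS-ADTS 6.1.6.7.12), seen from the domain holding the TDO ("local").
DIRECTION_INBOUND = 0x1    # remote trusts local: local principals reach remote resources
DIRECTION_OUTBOUND = 0x2   # local trusts remote: remote principals reach local resources

# trustAttributes flag bits (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",     # SID filtering in quarantine mode (default on external trusts)
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def decode_attributes(attrs):
    """Return the names of the flag bits set in trustAttributes."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]


def trust_kind(attrs):
    """Map trustAttributes onto the categories used in the notes."""
    if attrs & 0x0400:
        return "pam"            # bastion (PAM) forest
    if attrs & 0x0020:
        return "intra-forest"   # parent-child, tree-root or cross-link
    if attrs & 0x0008:
        return "forest"
    return "external"


def is_transitive(attrs):
    """Intra-forest and forest trusts are transitive unless explicitly marked
    NON_TRANSITIVE; an external trust never is."""
    if attrs & 0x0001:
        return False
    return bool(attrs & (0x0008 | 0x0020))


def access_paths(local, remote, direction):
    """List (source domain, target domain) pairs describing who can access what.
    Access flows opposite to the trust: an outbound trust (local trusts remote)
    lets remote principals into local resources."""
    paths = []
    if direction & DIRECTION_OUTBOUND:
        paths.append((remote, local))
    if direction & DIRECTION_INBOUND:
        paths.append((local, remote))
    return paths


def summarize_trust(local, tdo):
    """Condense one TDO into the properties a tester cares about."""
    attrs = tdo["trustAttributes"]
    return {
        "partner": tdo["trustPartner"],
        "kind": trust_kind(attrs),
        "transitive": is_transitive(attrs),
        "sid_filtering": bool(attrs & 0x0004),
        "flags": decode_attributes(attrs),
        "access": access_paths(local, tdo["trustPartner"], tdo["trustDirection"]),
    }


# Constructed TDOs as seen from the forest root domain.com (illustrative, not real data).
LOCAL_DOMAIN = "domain.com"
SAMPLE_TDOS = [
    {"trustPartner": "child.domain.com", "trustDirection": 3, "trustAttributes": 0x0020},
    {"trustPartner": "partner.forest",   "trustDirection": 3, "trustAttributes": 0x0008},
    {"trustPartner": "legacy.local",     "trustDirection": 2, "trustAttributes": 0x0004},
    {"trustPartner": "bastion.admin",    "trustDirection": 2, "trustAttributes": 0x0408},
]


def enumerate_trusts(local=LOCAL_DOMAIN, tdos=SAMPLE_TDOS):
    return [summarize_trust(local, t) for t in tdos]


if __name__ == "__main__":
    for t in enumerate_trusts():
        print(f"{t['partner']:<18} {t['kind']:<12} transitive={t['transitive']} "
              f"sid_filtering={t['sid_filtering']} flags={t['flags']}")
        for src, dst in t["access"]:
            print(f"    principals in {src} can access resources in {dst}")
```

The legacy.local record shows the external-trust case: outbound only, so legacy.local principals can reach domain.com resources while the reverse is impossible, and QUARANTINED_DOMAIN means any SID that is not from legacy.local is stripped from their tickets. The bastion.admin record is a one-way outbound trust flagged PIM_TRUST together with FOREST_TRANSITIVE, the combination MS-ADTS uses for a PAM bastion forest.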