Foreign Group Membership

In child/parent trust configurations it's possible to add users from the child domain to groups in the parent domain, within the limits of each group's scope:

  • Universal: Accounts from any domain in the same forest, Global groups from any domain in the same forest and other Universal groups from any domain in the same forest

  • Global: Accounts from the same domain and Other Global groups from the same domain

  • Domain Local: Accounts from any domain or any trusted domain, Global groups from any domain or any trusted domain, Universal groups from any domain in the same forest, other Domain Local groups from the same domain, and accounts, Global groups and Universal groups from other forests and from external domains

Groups with Global scope can only contain accounts and Global groups from their own domain, so using the Universal and Domain Local scopes is mandatory when dealing with users that are part of a child domain.

To enumerate foreign group membership we can use PowerView:

Import-Module .\PowerView.ps1
Get-DomainForeignUser

Under the GroupName attribute we can see which group in the parent domain the child-domain user is a member of; from there, we can enumerate further to see what that group has access to and reveal attack vectors inside the parent domain. One way of doing this is with PowerShell:

Get-DomainGroup -Identity 'SomeGroup' -domain domain.com

but BloodHound is a great alternative to get a more comprehensive view of the forest.
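The scope rules above and the enumeration step can be combined into a small audit: given group records like the ones Get-DomainGroup or a directory export returns (distinguished name, scope, member DNs), report every member that lives outside the group's own domain and check whether that membership is even permitted by the group's scope. The following is an added example written for this page, not PowerView code or output; the group and member records are constructed, and the `corp.local` / `child.corp.local` / `partner.local` names are placeholders. It goes one step beyond the text by treating objects under the `CN=ForeignSecurityPrincipals` container as external-forest members, which is how AD represents accounts from other forests inside a Domain Local group.

```python
"""Audit foreign group membership against AD group-scope rules (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Which (member kind, relation to the group's domain) pairs each scope may hold.
# Member kinds: user, global, universal, domainlocal.
# Relations: same_domain, same_forest, external.
SCOPE_RULES = {
    "Universal": {(k, r) for k in ("user", "global", "universal")
                  for r in ("same_domain", "same_forest")},
    "Global": {("user", "same_domain"), ("global", "same_domain")},
    "DomainLocal": {(k, r) for k in ("user", "global", "universal")
                    for r in ("same_domain", "same_forest", "external")}
                   | {("domainlocal", "same_domain")},
}


def domain_of(dn: str) -> str:
    """Derive the DNS domain from the DC= components of a DN (no escaped commas handled)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()


def is_foreign_security_principal(dn: str) -> bool:
    """Members from another forest are stored as SID objects under ForeignSecurityPrincipals."""
    return "cn=foreignsecurityprincipals" in dn.lower()


def relation(member_dn: str, group_dn: str, forest_domains: Set[str]) -> str:
    """Classify a member relative to the group's domain: same_domain / same_forest / external."""
    if is_foreign_security_principal(member_dn):
        return "external"
    member_domain, group_domain = domain_of(member_dn), domain_of(group_dn)
    if member_domain == group_domain:
        return "same_domain"
    if member_domain in forest_domains:
        return "same_forest"
    return "external"


@dataclass
class Finding:
    group: str
    scope: str
    member: str
    member_kind: str
    relation: str
    allowed_by_scope: bool


def audit(groups: List[dict], directory: Dict[str, str], forest_domains: Set[str]) -> List[Finding]:
    """Return one Finding per member that is not from the group's own domain."""
    findings = []
    for group in groups:
        for member_dn in group["members"]:
            rel = relation(member_dn, group["dn"], forest_domains)
            if rel == "same_domain":
                continue  # not a foreign member, nothing to report
            # Unknown objects (e.g. a bare SID under ForeignSecurityPrincipals) are treated as accounts.
            kind = directory.get(member_dn, "user")
            allowed = (kind, rel) in SCOPE_RULES[group["scope"]]
            findings.append(Finding(group["dn"], group["scope"], member_dn, kind, rel, allowed))
    return findings


# Constructed sample data: a parent domain, its child, and a foreign-forest SID.
FOREST = {"corp.local", "child.corp.local"}
CHILD_USER = "CN=jdoe,OU=Users,DC=child,DC=corp,DC=local"
CHILD_GLOBAL = "CN=Child Admins,OU=Groups,DC=child,DC=corp,DC=local"
FSP = "CN=S-1-5-21-1111-2222-3333-1105,CN=ForeignSecurityPrincipals,DC=corp,DC=local"
DIRECTORY = {CHILD_USER: "user", CHILD_GLOBAL: "global"}  # member DN -> object kind
GROUPS = [
    {"dn": "CN=Forest Ops,CN=Users,DC=corp,DC=local", "scope": "Universal",
     "members": [CHILD_USER, CHILD_GLOBAL]},
    {"dn": "CN=Partner Access,CN=Users,DC=corp,DC=local", "scope": "DomainLocal",
     "members": [FSP, "CN=admin,CN=Users,DC=corp,DC=local"]},
    # A Global group listing a child-domain user cannot exist in a healthy directory;
    # it is included to show the scope check flagging an inconsistent export.
    {"dn": "CN=Parent Global,CN=Users,DC=corp,DC=local", "scope": "Global",
     "members": [CHILD_USER]},
]


def run_sample() -> List[Finding]:
    return audit(GROUPS, DIRECTORY, FOREST)


if __name__ == "__main__":
    for f in run_sample():
        flag = "ok" if f.allowed_by_scope else "VIOLATES SCOPE"
        print(f"{f.scope:<12} {f.group}  <-  {f.member} ({f.member_kind}, {f.relation}) [{flag}]")
```

Each finding is a foreign membership worth reviewing on the parent side: the Universal group legitimately holds the child-domain user and Global group, the Domain Local group legitimately holds the external-forest principal, and the Global group entry is reported as violating its scope.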
