LinkedInGitHub

Trusts

Trust is a relationship between two domains or forests which allows users of one domain or forest to access resources in the other domain or forest

  • Automatic - Same forest - Parent -> Child

  • Established - External - Forest

Trusted Domain Objects (TDOs) represent the trust relationships in a domain

Trust Directions

  • One-way (Unidirectional)

    • Users in the trusted domain can access resources in the trusting domain but not vice versa

  • Two-way (Bidirectional)

    • Users of both domains can access resources in the other domain

  • Transitive

    • Can be extended to establish trust relationships with other domains

    • If Domain A is compromised, you can jump to Domain B AND Domain C

  • Non-transitive

    • Cannot be extended to other domains in the forest. Can be two-way or one-way.

Types of Trusts

  • Default/Automatic Trusts

    • Parent -> Child Trusts

      • adot8.com can access resources from pwned.adot8.com

  • Tree-root trust (Tree -> Tree)

    • It is created automatically whenever a new domain tree is added to a forest root.

    • ALWAYS two way transitive

    • Compromise Z, you can hop to Y then A then B and C

YOU ONLY NEED ONE DOMAIN ADMIN TO COMPROMISE THE WHOLE FOREST

IF THE ENTERPRISES FOREST IS HUGE, SPLIT IT INTO MULTIPLE FORESTS

  • External Trusts (Forest root -> External Child)

    • Between two domains in different forests when forests do not have a trust relationship

    • Can be one-way or two-way and is non-transitive

Non transitive makes it so if you compromise Z you can compromise Y BUT you can only access EXPLICITLY allowed resources in B and C

  • Forest Trusts

    • Between forest root domains

    • Cannot be extended to a third forest (no implicit trust)

    • One-way or two-way transitive... Need explicit permission for resources

PreviousPowerViewNextPowerView

Last updated