6. Enumerating Forest and Trust Relationships

Goal: Discover domain trusts, forest links, and cross-domain access paths to plan further movement or escalation.


Objectives


Mermaid Diagram

graph TD
    A[Domain Access Established] --> B[Query Trust Relationships]
    B --> C[Enumerate External Users and Groups]
    B --> D[Check SIDHistory and ExtraSIDs]
    C --> E[Map Cross-Domain Privileges]
    D --> E
    E --> F[Identify Lateral Movement or DA Paths in Other Domains]

Techniques and Tools

| Task | Tool/Command | Notes |
|------|--------------|-------|
| Enumerate Domain Trusts | `Get-DomainTrust`, `Get-ADTrust -Filter *` | Lists all domain-to-domain trusts |
| Enumerate Forest Trusts | `Get-ForestTrust`, `nltest /domain_trusts` | View cross-forest trust relationships |
| Trust Mapping | `Get-DomainTrustMapping` (PowerView) | Resolve all visible trusts and how they connect |
| External Group Membership | `Get-DomainForeignGroupMember`, `Get-DomainForeignUser` | Show users/groups that belong to external domains |
| SIDHistory Checks | `Get-DomainUser -Properties SIDHistory` | Look for accounts with old or injected SIDs |
| BloodHound Forest View | `bloodhound-python -c trusts`, GUI analysis | Visualize forest/domain links and user paths |
| Check Trust ACL Abuse | `Get-DomainObjectACL`, `Find-InterestingDomainAcl` | Find misconfigurations in trust ACLs |
| Kerberos ExtraSID Attack Detection | Ticket decoding via Rubeus, mimikatz, BloodHound | Look for extra SIDs granting elevated access |

Example: PowerView Trust Enumeration

Import-Module .\PowerView.ps1
Get-DomainTrust
Get-DomainForeignGroupMember

Example: BloodHound Trust Collection

bloodhound-python -u user -p pass -ns 172.16.6.3 -d inlanefreight.local -c trusts

Example: Check for SIDHistory Abuse

Get-DomainUser -Properties SIDHistory | Where-Object { $null -ne $_.SIDHistory }
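
To triage the accounts that the SIDHistory check returns, the following added example (not part of the original notes) classifies each SIDHistory value as an auditor would: a same-domain SID or a well-known privileged RID in the history deserves review, while a cross-domain SID with an ordinary RID is what a legitimate migration leaves behind. The function name `Test-SidHistoryEntry`, the account names and all SIDs are constructed for illustration.

```powershell
# Added example: triage sIDHistory values. All SIDs below are constructed.
$PrivilegedRids = @{
    '500' = 'Administrator'; '512' = 'Domain Admins'
    '518' = 'Schema Admins'; '519' = 'Enterprise Admins'
}

function Test-SidHistoryEntry {
    param(
        [Parameter(Mandatory)] [string] $ObjectSid,   # the account's own SID
        [Parameter(Mandatory)] [string] $HistorySid   # one value from sIDHistory
    )
    $findings = @()
    # Domain part is everything before the final "-<RID>".
    $ownDomain  = $ObjectSid.Substring(0, $ObjectSid.LastIndexOf('-'))
    $histDomain = $HistorySid.Substring(0, $HistorySid.LastIndexOf('-'))
    $histRid    = $HistorySid.Substring($HistorySid.LastIndexOf('-') + 1)

    if ($histDomain -eq $ownDomain) {
        # Migrations copy SIDs from the source domain, so this is abnormal.
        $findings += 'same-domain SID in history'
    }
    if ($histDomain -eq 'S-1-5-32') {
        $findings += "BUILTIN alias RID $histRid in history"
    } elseif ($PrivilegedRids.ContainsKey($histRid)) {
        $findings += "privileged RID $histRid ($($PrivilegedRids[$histRid]))"
    } elseif ([long]$histRid -lt 1000) {
        $findings += "well-known RID $histRid"
    }
    return ,$findings
}

# Constructed sample records: account SID plus sIDHistory values as strings.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed local domain
$old = 'S-1-5-21-4444444444-5555555555-6666666666'   # constructed source domain
$users = @(
    [pscustomobject]@{ Name = 'migrated.user'; ObjectSid = "$dom-1105"; SIDHistory = @("$old-2210") }
    [pscustomobject]@{ Name = 'svc.backup';    ObjectSid = "$dom-1130"; SIDHistory = @("$dom-512") }
    [pscustomobject]@{ Name = 'helpdesk.tmp';  ObjectSid = "$dom-1142"; SIDHistory = @("$old-519", 'S-1-5-32-544') }
)

foreach ($u in $users) {
    foreach ($h in $u.SIDHistory) {
        $f = Test-SidHistoryEntry -ObjectSid $u.ObjectSid -HistorySid $h
        [pscustomobject]@{
            Account    = $u.Name
            HistorySid = $h
            Review     = if ($f.Count) { $f -join '; ' } else { 'cross-domain, ordinary RID' }
        }
    }
}
```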

Pro Tips