Domain Trusts Primer
Trusts establish authentication links between domains or forests, allowing users to access resources outside their home domain. They are often set up during mergers and acquisitions for quick integration and frequently introduce unintended attack paths — especially when the security posture of an acquired company is unknown.
Trust Types
| Type | Description | Transitivity |
|---|---|---|
| Parent-child | Between a parent domain and a child domain in the same forest; created automatically and two-way | Transitive |
| Cross-link (shortcut) | Between two domains in the same forest, typically in different trees, to shorten the Kerberos referral path | Transitive |
| Tree-root | Between the forest root domain and the root of a new domain tree; created automatically and two-way | Transitive |
| Forest | Between two forest root domains; transitive across the two forests, but does not chain on to a third forest that trusts either of them | Transitive |
| External | Between two domains in different forests that are not joined by a forest trust; SID filtering (quarantine) is enabled by default | Non-transitive |
| ESAE | Enhanced Security Admin Environment ("Red Forest"): a dedicated bastion forest for managing AD; Microsoft has since replaced this guidance with the enterprise access model | Varies |
Transitive vs. Non-Transitive
- Transitive: the trust extends to every domain the trusted domain itself trusts transitively. If A trusts B and B transitively trusts C, then A also trusts C. Parent-child, tree-root, cross-link, and forest trusts are transitive (a forest trust stops at the two forests involved).
- Non-transitive: only the directly trusted domain is trusted; nothing is extended to its child domains or to other domains it trusts. External trusts are non-transitive, and transitivity can also be switched off explicitly on other trust types.
Trust Direction
- One-way: principals in the trusted domain can access resources in the trusting domain, not the reverse. Access therefore flows in the opposite direction to the trust itself. The same one-way trust shows as Outbound on one side and Inbound on the other, so a trust that looks harmless from the domain you query may still expose the domain at the far end.
- Bidirectional (two-way): each domain trusts the other, so principals from both domains can access resources in the other domain.
Security Implications
- Trusts set up for ease of use are often not reviewed for security implications
- M&A bidirectional trusts can unknowingly introduce risk from the acquired company’s environment
- Attackers can target the weaker trusted domain as an indirect path into the principal domain
- Kerberoasting and other attacks can be performed across trusts to find accounts with administrative access in the target domain
- Larger organizations are frequently unaware that certain trust relationships exist
Enumerating Trust Relationships
Built-in AD Module
Import-Module activedirectory
Get-ADTrust -Filter *
Key properties to check:
- Direction: BiDirectional, Inbound, or Outbound, as seen from the domain you query
- IntraForest: True for trusts inside the same forest (parent-child, tree-root, shortcut); SID filtering does not apply to these
- ForestTransitive: True for a forest trust; an external trust is non-transitive and shows False here
- SIDFilteringQuarantined / SIDFilteringForestAware: whether SID filtering is active on an external trust (quarantine) or on a forest trust (forest-aware); both are enabled when the trust is created and only show False if an admin turned them off
- SelectiveAuthentication: whether only explicitly permitted principals may authenticate across the trust; False means every principal in the trusted domain can
- TGTDelegation: whether TGTs from unconstrained-delegation hosts are forwarded across the trust; this should normally be False
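The following script is an added example, not code from the original page, that turns the property checklist above into a one-shot triage report using the RSAT ActiveDirectory module. It classifies each trust as intra-forest, forest, or external, and appends a flag for every property an attacker would care about (two-way, missing SID filtering, TGT delegation, no selective authentication, RC4-only). The function name `Get-TrustRiskReport` and the optional `-Server` parameter are my own; everything it reads is a documented `Get-ADTrust` property.

```powershell
# Added example: triage every trust visible from the current domain and flag risky settings.
# Runs as any domain user from a domain-joined host; no elevated rights are needed.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    param(
        [string]$Server   # optional: a DC or domain name to query instead of the current domain
    )
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    Get-ADTrust @params | ForEach-Object {
        $t = $_
        $flags = @()

        if ($t.Direction -eq 'BiDirectional') { $flags += 'two-way' }

        # SID filtering lives in two properties: Quarantined (external trusts) and
        # ForestAware (forest trusts). A cross-forest trust with neither set allows
        # SIDHistory injection from the trusted side.
        if (-not $t.IntraForest -and -not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
            $flags += 'no-SID-filtering'
        }

        # TGTDelegation = TGTs from unconstrained-delegation hosts are forwarded across the trust
        if ($t.TGTDelegation) { $flags += 'tgt-delegation' }

        # Without selective authentication every principal in the trusted domain may authenticate here
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) { $flags += 'no-selective-auth' }

        # RC4-only trust keys make the inter-realm TGT cheap to crack if the trust password is weak
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) { $flags += 'rc4-only' }

        [pscustomobject]@{
            Source           = $t.Source
            Target           = $t.Target
            Direction        = $t.Direction
            Kind             = if ($t.IntraForest) { 'intra-forest' }
                               elseif ($t.ForestTransitive) { 'forest' }
                               else { 'external' }
            ForestTransitive = $t.ForestTransitive
            Flags            = ($flags -join ',')
        }
    }
}

Get-TrustRiskReport | Format-Table -AutoSize
```

The properties reflect the local side's view of the trust only. A one-way trust that is Outbound here is Inbound on the other domain, and SID filtering or selective authentication can be set differently on each side, so run the report against both domains (`Get-TrustRiskReport -Server other.domain.local`) whenever you can authenticate there.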
PowerView
# Enumerate trusts for the current domain
Get-DomainTrust
# Map all trusts across all reachable domains
Get-DomainTrustMapping
Output includes TrustType, TrustAttributes (e.g. WITHIN_FOREST, FOREST_TRANSITIVE, or FILTER_SIDS when SID filtering is on), TrustDirection, and creation/modification dates.
Enumerate Users Across a Trust
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
netdom
# Query trusts
netdom query /domain:inlanefreight.local trust
# Query domain controllers
netdom query /domain:inlanefreight.local dc
# Query workstations and servers
netdom query /domain:inlanefreight.local workstation
BloodHound
Use the Map Domain Trusts pre-built query to visualize trust relationships and their directionality.
Enumeration Workflow
- Identify all trusts with Get-ADTrust or Get-DomainTrust; note direction (bidirectional = higher risk), transitivity, and whether SID filtering is active
- Map all trusts with Get-DomainTrustMapping for a complete picture
- Enumerate users, groups, and SPNs across each trusted domain
- Perform cross-trust attacks (Kerberoasting, password spraying) against trusted domains
- Check if compromised accounts in trusted domains have admin access in the target domain
- Visualize with BloodHound's "Map Domain Trusts" query
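The following script is an added example, not code from the original page, that runs the enumeration steps of the workflow above in one pass with PowerView. It collects every domain named on either side of `Get-DomainTrustMapping`, then for each one lists SPN accounts (Kerberoast candidates) and any foreign principals that sit in that domain's groups, highlighting members of the admin groups. It assumes PowerView (dev branch) is already loaded in the session and that the current user is accepted by each target domain; domains that refuse us are reported and skipped. The function name `Invoke-CrossTrustEnum` and the `-AdminGroups` list are my own.

```powershell
# Added example: enumerate SPN accounts and foreign group members across every domain
# reachable through trust mappings. Requires PowerView to be loaded, e.g. `. .\PowerView.ps1`.
function Invoke-CrossTrustEnum {
    param(
        # Groups whose foreign members indicate a cross-trust path to admin rights
        [string[]]$AdminGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins')
    )

    # Every domain that appears on either end of a mapped trust
    $mapping = Get-DomainTrustMapping
    $domains = @($mapping | ForEach-Object { $_.SourceName; $_.TargetName } | Sort-Object -Unique)

    foreach ($d in $domains) {
        Write-Host "`n=== $d ===" -ForegroundColor Cyan
        try {
            # Kerberoastable accounts: any user object with a servicePrincipalName set
            $spnUsers = @(Get-DomainUser -SPN -Domain $d -ErrorAction Stop |
                          Select-Object samaccountname, serviceprincipalname, pwdlastset)
            Write-Host "[*] $($spnUsers.Count) SPN accounts (Kerberoast candidates)"
            $spnUsers | Format-Table -AutoSize | Out-String -Width 200 | Write-Host

            # Foreign principals in this domain's groups: a hit in an admin group means an
            # account from another (possibly weaker) domain has rights over this one.
            $foreign = @(Get-DomainForeignGroupMember -Domain $d -ErrorAction SilentlyContinue)
            foreach ($f in $foreign) {
                if ($AdminGroups -contains $f.GroupName) {
                    Write-Host "[!] $($f.MemberName) from $($f.MemberDomain) is in $($f.GroupName) of $d" -ForegroundColor Yellow
                } else {
                    Write-Host "[*] $($f.MemberName) from $($f.MemberDomain) is in $($f.GroupName)"
                }
            }
        }
        catch {
            # Usually a one-way trust pointing the wrong way, or no network route to a DC
            Write-Host "[-] Could not enumerate $d : $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

Invoke-CrossTrustEnum
```

Every `[!]` line is a candidate attack path: compromising the listed foreign account in its home domain yields admin rights in the domain being enumerated, which is exactly the indirect route through a weaker trusted domain that the security implications section describes. Domains that fail with an access or referral error are the ones where the trust direction does not let the current account in; revisit them once you hold a principal on that side.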
Key Takeaways
- Bidirectional trusts with acquired companies are a common source of unintended risk
- A foothold in a weaker trusted domain can lead to full compromise of the principal domain
- Always enumerate trusts early in an assessment — they expand the attack surface significantly
- Enumerating or attacking across a trust requires a principal the far domain will authenticate; if the trust direction does not let your current account in, you need a foothold on the other side first
- Document all discovered trust relationships for the final report, especially ones the client may be unaware of