# TRUSTED\_BY ## Summary | | | | -------------------------- | ----------- | | **FSProtect ACL Alias** | TRUSTED\_BY | | **Affected Object Types** | Domains | | **Exploitation Certainty** | Unlikely | ## Description The `TRUSTED_BY` permission in Active Directory establishes a trust relationship where an account or system is explicitly recognized as reliable by another domain (or security principal). This trust designation is crucial for inter-domain authentication, delegated access, and secure interactions between systems, ensuring seamless collaboration while maintaining security boundaries. Proper configuration of the `TRUSTED_BY` permission allows for controlled delegation of access rights, reducing redundant authentication prompts and streamlining cross-domain operations. However, if misconfigured, the `TRUSTED_BY` permission can introduce significant security vulnerabilities. An attacker who exploits this trust relationship could abuse the trust to impersonate trusted accounts, escalate privileges, or bypass access controls within the trusted environment. Such exploitation might enable unauthorized access to sensitive systems, facilitate credential theft, and lead to widespread compromise of interconnected domains. ## Identification ### PowerShell #### Active Directory Module Using the ActiveDirectory PowerShell module, you can enumerate `TRUSTED_BY` entries. **1.** Find-ADTrusts function **2.** Get all domain trusts ```powershell function Find-ADTrusts { [CmdletBinding()] param([string]$OutputPath = ".\ADTrusts.csv") try { $trusts = Get-ADTrust -Filter * -Properties Name,Direction,Source,TrustType} catch {Write-Error "Failed to enumerate trusts: $($_.Exception.Message)"; return} $rows = foreach ($t in $trusts) { [pscustomobject]@{ Source = $t.Source Name = $t.Name Direction = $t.Direction Type = $t.TrustType } } if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 ; $rows } else { Write-Host "No trust objects found." } } ``` #### .NET Directory Services By leveraging PowerShell’s built-in .NET DirectoryServices namespace, you can enumerate `TRUSTED_BY` entries without relying on any external modules or dependencies. **1.** Find-ADTrustSimple function ```powershell function Find-ADTrustSimple { [CmdletBinding()] param([string]$OutputPath = ".\ADTrusts.csv") try { $baseDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext $searchRoot = [ADSI]("LDAP://CN=System,$baseDN") $ds = [System.DirectoryServices.DirectorySearcher]::new($searchRoot) $ds.Filter = "(objectClass=trustedDomain)"; $ds.PageSize = 1000 foreach ($p in "name","trustDirection","trustType") { [void]$ds.PropertiesToLoad.Add($p) } $src = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { ($baseDN -replace 'DC=','' -replace ',','.') } $rows = foreach ($r in $ds.FindAll()) { $p = $r.Properties [pscustomobject]@{ Source = $src Name = $p["name"][0] Direction = if ($p["trustdirection"]) { @("Disabled","Inbound","Outbound","Bidirectional")[[int]$p["trustdirection"][0]] } else { "Unknown" } Type = if ($p["trusttype"]) { switch([int]$p["trusttype"][0]) { 1{"Downlevel"} 2{"Uplevel"} 3{"MIT"} 4{"DCE"} default{"Unknown"} } } else { "Unknown" } } } } catch { Write-Error "LDAP enumeration failed: $($_.Exception.Message)"; return } if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8; $rows } else { Write-Host "No trust objects found." }} ``` **2.** Get all domain trusts ```powershell Find-ADTrustSimple ``` ### Active Directory Domains and Trusts **1.** Open `Active Directory Domains and Trusts`. **2.** Click on your domain. **3.** You can see trusted domains in the list **4.** Click OK to close the dialogs. ![Active Directory Domains and Trusts](/files/AIDlodb9L5OotDVIYJu1) ## Exploitation The `TRUSTED_BY` relationship is a trust link between two domains. It does not directly grant privileges, but it enables accounts in one domain to be recognized and authenticated by another. ## References * [Trusts - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/trusts/) * [Forest trusts in Microsoft Entra Domain Services](https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-forest-trust) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.forestall.io/fsprotect/edges/ad/trusted_by.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.